Tag
#git
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
## Impact There is a denial of service vulnerability in React Server Components. React recommends updating immediately. The vulnerability exists in versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of: - [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) - [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) - [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) These issues are present in the patches published last week. ## Patches Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2. If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability. ## References ...
## Impact There is a source code exposure vulnerability in React Server Components. React recommends updating immediately. The vulnerability exists in versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of: - [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) - [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) - [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) These issues are present in the patches published last week. ## Patches Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2. If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability. ## Referenc...
The PLAIN restore meta-command filter introduced in pgAdmin as part of the fix for CVE-2025-12762 does not detect meta-commands when a SQL file begins with a UTF-8 Byte Order Mark (EF BB BF) or other special byte sequences. The implemented filter uses the function `has_meta_commands()`, which scans raw bytes using a regular expression. The regex does not treat the bytes as ignorable, so meta-commands such as `\\!` remain undetected. When pgAdmin invokes psql with --file, psql strips the bytes and executes the command. This can result in remote command execution during a restore operation.
### Impact The Express server uses `express.json()` without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. ### Patches This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: `app.use(express.json({ limit: "100kb" }));` ### Workarounds Users can mitigate the issue without upgrading by: - Adding a `limit` option to the JSON parser - Implementing rate limiting at the application or reverse-proxy level - Rejecting unusually large requests before parsing - Using a reverse proxy (such as NGINX) to enforce maximum request body sizes
A security vulnerability was discovered for [gardenctl](https://github.com/gardener/gardenctl-v2) when it is used with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device. **Am I vulnerable?** This CVE affects all Gardener operators who use **gardenctl < v2.12.0** with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**.
Road Town, British Virgin Islands, 11th December 2025, CyberNewsWire
This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin
Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services.
An advanced persistent threat (APT) known as WIRTE has been attributed to attacks targeting government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag since 2020. Palo Alto Networks is tracking the activity cluster under the name Ashen Lepus. Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights