A maximum severity vulnerability (CVSS 10) was discovered in React, one of the most popular JavaScript frameworks. If your app supports React Server Components, you are likely vulnerable out of the box, even if you aren’t using Server Functions explicitly. Patch immediately.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding React2Shell, a critical vulnerability in React Server Components.FAQWhat is the React Server Component (RSC) vulnerability?On December 3, 2025, the React Team published a blog post regarding a critical vulnerability affecting React Server Components.What is the vulnerability that was disclosed to the React Team?The React Team confirmed the presence of one critical vulnerability:CVEDescriptionCVSSv3CVE-2025-55182React Server Components Remote Code Execution Vulnerability10.0This vulnerability was disclosed to the React Team by Lachlan Davidson on November 29, 2025.What is CVE-2025-55182?CVE-2025-55182 is an unsafe deserialization vulnerability in RSC. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted payload to a vulnerable React Server Function endpoint. Successful exploitation could result in remote code execution on the server.Are we still vulnerable if our app doesn’t use React Server Functions endpoints?Potentially. According to the React Team, even if React Server Functions are not in-use, the vulnerability is still

Have you ever wondered how mobile apps always seem to recognize you, even when you’ve never created an account or provided your email? That experience isn’t magic; it’s often the result of mobile app fingerprinting and other invisible tracking techniques. For mobile app developers, AppSec leaders and enterprise mobility managers, this capability poses more than […] The post Inside Mobile App Fingerprinting: What Your Apps Know About You appeared first on NowSecure.