AppSec Weekly Content Briefing
December 10, 2025

When the Patch Causes an Outage - React2Shell Broke Cloudflare, Shopify, Zoom | Dec 6-10

Big Picture

React2Shell dominates headlines. We go deep on what it means. Plus coverage of the Wiz 2026 CISO data and Anthropic acquiring Bun.

This week is about the React2Shell CVE: an exploit so significant that Cloudflare pushed emergency WAF rules, which in turn caused Shopify, Zoom and others to go down. React2Shell was so widespread that fixing it literally broke production at scale.

The severity of React2Shell and its aftermath is obviously this week's top story, and rightfully so.

React2Shell already has everything it needs to get fixed. Nation-state exploitation. CISA KEV entry. Media coverage. Executive attention. Most organizations will patch this within days.

But here's an interesting question we've been thinking about. Does that make us safer long-term?

As Pixee's own staff software engineer Ryan Dens observed this week: "React2Shell will absorb massive resources precisely because it can't be ignored. But we have infinite CVEs and finite attention."

For us the most exciting question in AppSec is how to deploy AI to solve the problem of triaging thousands of vulnerabilities to find the few that are actually exploitable in your architecture. (That's the core of our new SCA product BTW).

Anyway, while we keep exploring React2Shell below, this week also saw Anthropic acquire Bun and interesting new CISO data published in a new Wiz report, both of which are worth your time.

TL;DR

• React2Shell (CVE-2025-55182) weaponized within hours of disclosure; 77,000+ vulnerable endpoints, 30+ organizations breached, nation-state actors exploiting at scale
• Wiz research reveals CISOs spending more while risk reduction stalls; organizations report that increased budgets haven't translated into measurable vulnerability backlog reduction
• Anthropic acquires Bun, Linux Foundation launches Agentic AI Foundation; AI coding tools competing on enterprise reliability as production infrastructure
• This week: 200+ vulnerabilities disclosed | 2 actively exploited | 3 zero-days

The Technical Breakdown on React2Shell

CVE-2025-55182 earned its CVSS 10.0 rating through textbook unsafe deserialization: unsafe Flight protocol decoding in React Server Components enabled unauthenticated remote code execution (RCE). Within hours of disclosure, China-nexus threat actors weaponized it for credential harvesting and backdoor deployment. North Korean groups followed with EtherRAT campaigns. 77,000+ vulnerable IP addresses were identified within 72 hours. CISA added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation.

If you want to ground React2Shell in historical and technical context, Pixee CTO Arshan Dabirsiaghi's analysis looks at how React2Shell repeats the Struts pattern. As a reminder, throughout the 2010s Struts embedded the OGNL expression language across its framework with minimal safeguards. User-controlled data repeatedly reached code execution paths, culminating in the Equifax breach.

React2Shell follows the same architectural pattern: the Flight protocol creates "a mini-serialization language" in which crafted payloads can reach code execution paths.

Arshan's main takeaway: whenever powerful interpreters or serialization protocols sit hidden behind the scenes in service of developer ergonomics, history suggests eventual remote code execution.

Takeaways

React2Shell is a major event. Fortunately, many organizations already possess the infrastructure to handle it. The open question is whether the next architectural vulnerability class gets the same treatment before it has a name and a media cycle.

The Wiz Numbers

Switching gears, this week saw the publication of Wiz's 2025 benchmark study featuring survey data from over 300 CISOs.

It wasn't surprising to see that 85% of CISOs report rising budgets, that cloud programs keep expanding, and that increasing automation and improving visibility is a top priority for literally everyone (99%).

Another call-out is tool sprawl: 58% of orgs report running more than 25 tools, 28% operate 50+, and "an unlucky 13%" have more than 100. Predictably, tool sprawl, complexity, and the time and effort of managing existing tools are cited as significant inhibitors to effective security.

The full report is available for download from Wiz, behind their paywall.

Takeaways

In AppSec, 54% of us expect a moderate budget increase, 16% a significant increase, and only 4.1% any sort of decrease at all. The question is how to maximize ROI and prove AI-enabled productivity gains to meet board mandates.

AI Coding Tools Are Production Infrastructure Now

Three signals this week marked another threshold in the march of AI coding tools toward becoming core infrastructure:

• Anthropic acquired Bun to accelerate Claude Code as production-ready infrastructure
• The Linux Foundation formed the Agentic AI Foundation with Anthropic, OpenAI, and Block as founding members
• Microsoft's December Patch Tuesday explicitly addressed AI coding tool vulnerabilities alongside its 57 other flaws

Another example of why security matters here: the GeminiJack vulnerability demonstrated that enterprise AI coding assistants are vulnerable to indirect prompt injection via documents and code comments. Google responded by deploying a second AI model to monitor Gemini agents for prompt injection attacks.

Takeaways

The importance of security policies related to AI isn't going anywhere.

Vulnerabilities in the Wild

Actively Exploited:

CVE-2025-55182 (React Server Components): CVSS 10.0 deserialization vulnerability enabling unauthenticated RCE. Status: actively exploited by nation-state actors; patch available.

Microsoft zero-days (3) (Windows): critical Windows vulnerabilities, including 1 actively exploited. Status: actively exploited; patch available (December 2025 Patch Tuesday).

Critical/High Severity:

CVE-2025-66516 (Apache Tika): CVSS 10.0 XXE vulnerability in the document parsing library. Status: patch available.

Ivanti Endpoint Manager (Ivanti): critical code execution flaw in the endpoint management platform. Status: patch available.

Monthly totals: Microsoft patched 57 vulnerabilities. Adobe patched nearly 140. SAP addressed 3 critical vulnerabilities.

Your Curated Weekly Reading List

Thought-Provoking:

CISOs Are Spending Big and Still Losing Ground
Why it's worth your time: Wiz benchmark data from 300+ CISOs showing security budgets rising while risk reduction stalls. The disconnect between investment and outcomes is the story of 2025.

React2Shell Repeats the Struts Pattern
Why it's worth your time: Pixee CTO Arshan Dabirsiaghi's analysis of how React2Shell follows the same architectural vulnerability pattern that led to the Equifax breach.

Anthropic Acquires Bun to Accelerate AI Coding Tools
Why it's worth your time: AI coding assistants are transitioning from experimental features to production infrastructure. The acquisition signals where the market is heading.

Current Events:

React2Shell (CVE-2025-55182) Technical Analysis
Why it's worth your time: The CVSS 10.0 deserialization vulnerability in React Server Components that nation-state actors weaponized within hours.

Cloudflare Outage Caused by React2Shell Mitigations
Why it's worth your time: The emergency patch itself caused a global outage affecting Shopify and Zoom. When the fix breaks production at scale.

Microsoft Patch Tuesday December 2025 Edition
Why it's worth your time: 57 vulnerabilities, including 3 zero-days and AI coding tool flaws, addressed in this month's update.

GeminiJack: Indirect Prompt Injection Targets Google Gemini Enterprise
Why it's worth your time: Enterprise AI coding assistants vulnerable to prompt injection via documents and code comments. Google deployed a second AI to watch the first.

Looking to Stay Up to Date with All Things AppSec?

Subscribe to the Weekly AppSec Briefing and never miss a thing.