A critical remote code execution vulnerability dubbed “React2Shell” (CVE-2025–55182) shook the JavaScript ecosystem in December 2025, achieving a perfect CVSS 10.0 severity score and enabling unauthenticated attackers to execute arbitrary code on servers running React Server Components. Within days, researchers probing the initial patches discovered two additional vulnerabilities, forcing the React team to release emergency updates twice in eight days. Wiz Research found 39% of cloud environments contained vulnerable React or Next.js instances, with active exploitation by state-sponsored threat groups beginning within 48 hours of disclosure.

The React Flight Protocol created a massive attack surface

The React Flight Protocol is React’s custom serialization format for transferring component trees and data between server and client in React Server Components architecture. Operating as an RPC-over-HTTP mechanism, it packages data into numbered “chunks” using special prefixes $@ for raw chunk references, $B for blob data, $F for function references that the server reassembles to process requests.

The vulnerability exploited a fundamental flaw in how Flight deserializes incoming data. Within the reviveModel function in ReactFlightReplyServer.js, the code used value.hasOwnProperty(i) to check object properties. This seemingly innocuous pattern performs a method lookup on untrusted user input, allowing attackers to shadow the property with malicious references and traverse JavaScript's prototype chain to access the Function constructor, the gateway to arbitrary code execution.

The protocol’s design created multiple security problems: it implicitly trusted that clients would never send malicious structures, expanded object properties without sufficient validation, and processed payloads before any authentication or routing logic could intervene. Standard create-next-app deployments were immediately exploitable with nothing more than network access.

How React2Shell achieves remote code execution

The exploit chains vulnerabilities across four stages to transform a malformed HTTP request into server-side code execution. First, the attacker creates a self-reference loop using the $@ prefix, which returns the raw chunk object rather than its value. This enables access to internal React objects that should remain inaccessible.

Second, the attack hijacks JavaScript’s Promise resolution mechanism. By pointing an object’s then property to React's internal Chunk.prototype.then, the attacker tricks JavaScript's await behavior into calling React's initializeModelChunk() function with attacker-controlled data.

Third, setting status: "resolved_model" causes React to parse the .value field as trusted data. Finally, the $B prefix triggers React's blob handler, which calls .get() on a controlled object. By pointing _formData.get to the Function constructor and _prefix to malicious code, the attacker achieves arbitrary execution:

Function("require('child_process'). execSync('id');//0")()

Critical misconception: Early reports suggested blocking __proto__ in WAF rules would mitigate the attack. Trend Micro demonstrated this is false, the minimum viable payload uses $1:then:constructor to access the Function constructor without any prototype pollution. This path traverses from chunk 1 to its then property (a function), then to that function's constructor (the Function constructor itself).

Two additional vulnerabilities emerged from patch analysis

Security researchers scrutinizing the December 3rd patches discovered two additional vulnerabilities, disclosed on December 11, 2025:

CVE-2025–55184 (Denial of Service, CVSS 7.5): A crafted HTTP request can trigger an infinite loop that hangs the server process and consumes CPU, preventing all future requests. Notably, applications are vulnerable even without implementing Server Function endpoints, the mere presence of React Server Components support creates the attack surface. RyotaK from GMO Flatt Security discovered this vulnerability.

CVE-2025–55183 (Source Code Exposure, CVSS 5.3): A malicious request can force Server Functions to return the compiled source code of other Server Functions, exposing business logic and any hardcoded secrets. Runtime environment variables like process.env.SECRET remain protected. Andrew MacPherson discovered this issue.

CVE-2025–67779 (Denial of Service, CVSS 7.5): An incomplete fix for CVE-2025–55184, discovered by Shinsaku Nomura on the same day patches released, meaning organizations that upgraded to versions 19.0.2, 19.1.3, or 19.2.2 remained vulnerable and needed to upgrade again immediately.

The React team acknowledged this pattern, noting: “When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques.” They cited Log4Shell as a precedent where multiple CVEs followed the initial disclosure.

Version matrix reveals complex patching requirements

The affected versions span React 19.x and multiple Next.js release lines. For CVE-2025–55182 (RCE), vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.

React Patch Versions:

• React 19.0.x → RCE Patch: 19.0.1 → Full Patch: 19.0.3
• React 19.1.x → RCE Patch: 19.1.2 → Full Patch: 19.1.4
• React 19.2.x → RCE Patch: 19.2.1 → Full Patch: 19.2.3

Next.js patched versions require attention to the specific release line:

Next.js Fully Patched Versions:

• 13.3.x — 14.x → 14.2.35
• 15.0.x → 15.0.7
• 15.1.x → 15.1.11
• 15.2.x → 15.2.8
• 15.3.x → 15.3.8
• 15.4.x → 15.4.10
• 15.5.x → 15.5.9
• 16.0.x → 16.0.10

Applications not affected include: Next.js Pages Router applications, Edge Runtime deployments (which use V8 isolates without Node.js APIs), apps without server components, and React Native (unless using affected packages in a monorepo).

Active exploitation began within hours of disclosure

The exploitation timeline demonstrates how rapidly threat actors weaponized CVE-2025–55182. First in-the-wild exploitation was observed the same day as disclosure (December 3rd). By December 5th, Trend Micro observed multiple malware campaigns: Cobalt Strike beacons with CrossC2-generated payloads, a Mirai variant calling itself “reactOnMynuts,” Sliver C&C implants accompanied by KINSING cryptominers, and a novel “Secret-Hunter” payload that deploys TruffleHog and Gitleaks to harvest credentials from compromised servers.

AWS threat intelligence identified China-nexus groups including Earth Lamia (targeting financial services, logistics, and government across Latin America, Middle East, and Southeast Asia) and Jackpot Panda (focusing on East and Southeast Asia). AWS MadPot honeypots recorded 116 exploitation requests from a single IP over 52 minutes, showing active debugging and refinement of techniques. Datadog observed over 800 unique IP addresses scanning for vulnerable instances.

CISA added CVE-2025–55182 to the Known Exploited Vulnerabilities catalog on December 6th, requiring federal agencies to patch within tight deadlines.

The fix restructures property checking at the protocol level

The core fix, authored by Sebastian Markbåge, addresses the property traversal attack by caching a reference to the original hasOwnProperty method at module load time, then using .call() syntax for invocation:

// VULNERABLE: method lookup on untrusted object
value.hasOwnProperty(i)

// FIXED: uses original prototype method
hasOwnProperty.call(value, i)

This prevents attackers from shadowing hasOwnProperty because the reference is captured before any untrusted data is processed. Additional defense-in-depth measures include explicit __proto__ handling, a Server Module Map Proxy returning undefined for prototype keys, AES-256-GCM encryption for Server Action bound arguments, and use of ES6 collections (Map, WeakMap) for internal storage that are immune to prototype pollution.

Remediation requires multiple actions beyond patching

The React team and Vercel issued specific guidance for affected organizations. The immediate priority is upgrading to the December 11th patch versions, not the December 3rd versions, which remain vulnerable to DoS and source code exposure.

Vercel’s advisory states explicitly: “If your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, we strongly encourage you to rotate any secrets it uses, starting with your most critical ones.” For CVE-2025–55183 specifically, secrets hardcoded in source code should be rotated immediately, though runtime environment variables accessed via process.env were not exposed.

Organizations should not rely solely on WAF mitigations. While Vercel, Akamai, and other providers deployed blocking rules, these cannot catch all payload variants, particularly those avoiding __proto__ in favor of $1:then:constructor paths. Enable deployment protection on preview environments, audit shareable deployment links, and implement detection rules looking for Next-Action headers combined with $@ patterns, resolved_model strings, or _formData.get in request bodies.

Conclusion

The React2Shell vulnerability represents one of the most severe security incidents in JavaScript framework history, combining maximum severity (CVSS 10.0), pre-authentication exploitation, and broad ecosystem impact. The subsequent discovery of two additional vulnerabilities during patch analysis demonstrates the depth of security debt accumulated in the React Flight Protocol’s design. Organizations running React Server Components should treat December 11th patch versions as mandatory, assume compromise if unpatched before December 4th, and implement comprehensive monitoring for the specific attack patterns that signature-based WAF rules may miss. The incident underscores that serialization protocols handling untrusted input require rigorous security review, a lesson the industry has learned repeatedly from vulnerabilities like Log4Shell and Java deserialization attacks.

Step 1: Set Up Your External Survey

In the Question Design phase while creating your survey, select the “External Survey” tab.

Step 2: Link Your Qualtrics Survey

Copy the Qualtrics survey link and paste it into the first input field on the External Survey tab in Dasesa.

Step 3: Choose Your ID Recording Method

Choose the option to record Dasesa user IDs if you plan to approve or decline responses. If you don’t need to approve all responses, select the “I don’t need to record these” option.

• Manual Entry: If you select “I’ll add a question in my study,” modify your Qualtrics survey to include a mandatory question asking for the Dasesa user ID. Participants will manually enter their IDs.
• Automatic Entry: If you choose “I’ll use URL parameters,” Dasesa IDs will be recorded automatically via URL parameters. You can retrieve these IDs from the query string in the study URL on Dasesa, meaning participants won’t need to manually input their IDs into Qualtrics. This process uses Qualtrics’ “Embedded Data” feature.

Step 4: Set Up Embedded Data in Qualtrics

1. Add a block to your survey named “Dasesa ID” and create a “Text Entry” question.
2. Ensure that the IDs are recorded in your data set. Navigate to “Survey Flow” and add an “Embedded Data” element at the beginning of your study. Enter “dasesa_id” into the embedded data field.
3. Go to the survey item that records the participant’s Dasesa ID, right-click on the text-entry field, and select “Default Choices.”
4. In the window that opens, click the blue drop-down arrow to the right of the text-entry box, and choose “Embedded Data Field.” Either enter “dasesa_id” manually or select it from the drop-down menu. This will create a string called ${e://Field/dasesa_id}. Click "Save," and you're done!

Final Step: Review the Dasesa ID Question

Your question for the participant’s Dasesa ID should now look something like this:

In this blog, we’ll explore an automated approach to migrate Firestore data between projects, streamlining the entire process for you.

First, begin by creating a new project where you intend to duplicate the existing Firebase Firestore data. For example, in this walkthrough, I’ll demonstrate creating a copy of the “Flowius Survey Dev” project as a “Flowius Survey Dev Copy” Firebase project.

Afterward, proceed to create an app that will establish a connection to your web application.

Next, click on ‘Continue to the Console.’ At this point, you should be able to see both projects listed in your Firebase console.

Then, proceed to create a database within your new Firebase project.

At this stage, you should observe an empty database in your Firebase project.

Next, navigate to ‘Project Settings’ and then to ‘Service Accounts,’ where you can generate a new private key.

Similarly, generate a new private key for your existing project from which you intend to export data.

At this point, you should have two JSON files downloaded.

Now, create an empty JSON file named ‘backup.json.’ Afterward, navigate to the folder where these three files exist using your terminal or command prompt.

Then, execute the following commands to export data from the primary Firestore and import it into the new Firestore:

1. Export data from the primary Firestore:

npx -p node-firestore-import-export firestore-export -a [primary-firestore-private-key.json] -b backup.json

2. Import data into the new Firestore:

npx -p node-firestore-import-export firestore-import -a [new-firestore-private-key.json] -b backup.json

Replace [primary-firestore-private-key.json] with the private key JSON file for the main Firestore, and [new-firestore-private-key.json] with the private key JSON file for the new Firestore.

By now, your Firestore project data should be successfully migrated from the primary project to the new one. This automated process can save you time and effort, ensuring a seamless transition of your data between Firebase projects. Happy coding and managing your Firebase Firestore databases efficiently.

If you prefer visual guidance, feel free to watch this helpful video tutorial: Link. The video provides a step-by-step demonstration of the entire Firebase Firestore data migration process outlined in this blog. Visual aids can further enhance your understanding and implementation. Happy migrating!

In a recent episode of The Jordan B. Peterson Podcast, renowned psychologist and author Dr. Jordan B. Peterson engaged in a riveting discussion with economist Peter Schiff. The focal point of this conversation was the precarious state of the US Dollar and the potential impending collapse. Schiff delved into various aspects, shedding light on the gold standard, the vulnerabilities of the fiat system, inflation, and the deceptions perpetuated by politicians.

1. Inflation and Government Practices:
A prominent topic of discussion was the creation of inflation by governments through the excessive printing of money for self-serving interests, often bypassing the need for taxation. This reckless practice sets off a vicious cycle, where the increased money supply exceeds the growth of products, resulting in a surge in consumer prices.

2. CPI Manipulation:
Schiff highlighted the dubious role of the Consumer Price Index (CPI), often manipulated to downplay the true inflation rate for political reasons. This manipulation masks the severity of inflation, presenting a distorted picture to the public.

3. Debtors and Inflation:
The discussion also emphasized how debtors stand to gain from inflation, with governments being the primary debtors in today’s economic landscape. Inflation allows them to repay their debt with devalued money, essentially reducing their financial burden.

4. Safeguarding Wealth:
Schiff proposed a strategy to protect one’s savings from the detrimental effects of inflation: investing in assets like gold. Historically, gold has proven to retain its value and act as a hedge against economic volatility.

**5. The Future of Currency:**
Looking ahead, Schiff suggested that gold-backed cryptocurrencies could represent the future of currency. Combining the stability of gold with the advantages of blockchain technology, these currencies offer a potential solution to the vulnerabilities of fiat money.

In conclusion, the podcast presented a thought-provoking analysis of the current economic landscape, urging listeners to critically assess the prevailing financial system. It serves as an eye-opener, prompting a reevaluation of traditional beliefs about money and the need for alternative solutions. For those intrigued by the future of currency and concerned about the stability of the US Dollar, this podcast is highly recommended.

To listen to the full podcast, click here

It’s because your organization’s membership visibility is set to private.

Steps to Publicize or Hide Organization Membership:

1. In the top right corner of GitHub.com, click on your profile photo, then select “Your organizations.”

2. Click the name of your organization.

3. Under your organization name, click “People.”

4. Locate your username in the list of members. If the list is large, you can use the search box to find your username.

5 ext to your username, select the visibility dropdown menu, then choose a new visibility:

• To publicize your membership, select “Public.”
• To hide your membership, select “Private.”

For more information, you can visit the GitHub documentation on managing organization membership visibility.

Chapter 1: Introduction

1.1 Contrast Principle

In the captivating opening chapter of “Influence,” Robert B. Cialdini delves into the fascinating concept of the contrast principle. This psychological phenomenon affects the way we perceive the difference between two consecutive items presented to us. When the second item differs significantly from the first, our minds tend to exaggerate the contrast, making the second item appear more distinct than it actually is. Cialdini illustrates this point with a simple example: lifting a light object first and then lifting a heavy one. The contrast created by the difference in weight leads us to overestimate the heaviness of the second object compared to lifting it in isolation.

The contrast principle extends beyond physical sensations like weight perception and finds its place in various aspects of human perception. From aesthetic judgments to social interactions, this principle plays a role in shaping our perceptions. For instance, in a social setting, if we engage in conversation with a stunningly attractive individual and are then joined by someone less attractive, our minds will subconsciously downgrade the attractiveness of the second person relative to the first.

Cialdini artfully explains how the contrast principle, rooted in psychophysics, has far-reaching implications in understanding the intricacies of human behavior and persuasion. By skillfully incorporating real-life examples and experiments, the author enriches the reader’s understanding of this intriguing concept.

Reader’s Report

In an emotionally charged letter from a college coed, Cialdini demonstrates the power of the contrast principle in a humorous yet thought-provoking manner. Through a fictional account of a student’s escapades, the author highlights how our expectations and perceptions can be influenced when contrasting elements are presented. The letter initially shocks the recipient (the parents) with exaggeratedly dire circumstances, only to reveal in the end that the reality is far less extreme and much more mundane — focusing on academic struggles rather than life-threatening incidents.

This anecdote serves as an amusing example of how the human mind can be swayed by contrasting information, and it reinforces the relevance of the contrast principle in understanding the subtleties of communication and persuasion in our daily lives.

Dear Mother and Dad:

Since I left for college I have been remiss in writing and I am sorry for my thoughtlessness in not having written before. I will bring you up to date now, but before you read on, please sit down. You are not to read any further unless you are sitting down, okay? Well, then, I am getting along pretty well now. The skull fracture and the concussion I got when I jumped out the window of my dormitory when it caught on fire shortly after my arrival here is pretty well healed now. I only spent two weeks in the hospital and now I can see almost normally and only get those sick headaches once a day. Fortunately, the fire in the dormitory, and my jump, was witnessed by an attendant at the gas station near the dorm, and he was the one who called the Fire Department and the ambulance. He also visited me in the hospital and since I had nowhere to live because of the burntout dormitory, he was kind enough to invite me to share his apartment with him. It’s really a basement room, but it’s kind of cute. He is a very fine boy and we have fallen deeply in love and are planning to get married. We haven’t got the exact date yet, but it will be before my pregnancy begins to show. Yes, Mother and Dad, I am pregnant. I know how much you are looking forward to being grandparents and I know you will welcome the baby and give it the same love and devotion and tender care you gave me when I was a child. The reason for the delay in our marriage is that my boyfriend has a minor infection which prevents us from passing our pre-marital blood tests and I carelessly caught it from him. Now that I have brought you up to date, I want to tell you that there was no dormitory fire, I did not have a concussion or skull fracture, I was not in the hospital, I am not pregnant, I am not engaged, I am not infected, and there is no boyfriend. However, I am getting a “D” in American History, and an “F” in Chemistry and I want you to see those marks in their proper perspective.

Your loving daughter

Stay tuned for more intriguing insights and psychological revelations as we delve deeper into the world of “Influence” by Robert B. Cialdini.

chapter 2 To be continued…

Introduction: Managing different modes, such as development, testing, and production, is crucial when working on Firestore projects. It allows developers to use distinct secrets without modifying the code, ensuring a smooth transition between environments. In this blog post, we’ll explore a procedure to automate development and production modes using environment variables and provide step-by-step instructions on how to implement it.

Step 1: Creating the .env File The first step is to create a .env file that will store the secrets for different modes. This file will be used to load environment variables into the application.

Step 2: Determining the Application Mode To identify whether the application is running in development, testing, or production mode, we can leverage the NODE_ENV environment variable. This variable is automatically set to 'development' when using npm start, 'test' when using npm test, and 'production' when generating a production bundle using npm run build.

By accessing the process.env.NODE_ENV variable within our application, we can conditionally handle different configurations based on the current mode.

Step 3: Dynamically Changing Firebase Configurations Next, we need to update the Firebase configuration dynamically based on the application mode. By modifying the Firebase config secret values, we ensure that each mode uses the appropriate configuration without modifying the source code.

For example, you can refer to the firebase-new-config.js file in the simulated project provided in the resources section. This file demonstrates how the Firebase configuration can be adjusted based on the environment variables.

Step 4: Testing in Different Modes To validate the effectiveness of our automated workflow, it’s essential to conduct tests in both development and production modes.

For development mode testing, run the command yarn start and observe the mode in which the application is running. Verify that the appropriate secrets are loaded based on the .env file.

For production mode testing, you can utilize the “serve” tool to locally host the application. Follow these steps:

1. Install the “serve” tool globally using the command: sudo yarn global add serve.
2. Build the application using yarn build.
3. Start the local server with the command: serve -s build -l 3003.

This will host the application on the specified port, allowing you to test it as if it were running in a production environment. Ensure that the production secrets are correctly loaded and that the application functions as expected.

Conclusion: Automating development and production modes in Firestore projects streamlines the workflow for developers by enabling them to use different secrets without modifying the code. By utilizing environment variables and dynamically adjusting configurations based on the application mode, developers can seamlessly transition between different environments.

To see a practical implementation of this procedure, refer to the repository provided in the resources section. Feel free to explore the code and test it yourself to gain a better understanding of how to automate development and production modes in your Firestore projects.

By following this procedure, you can enhance the security and efficiency of your development process while ensuring that your Firestore applications function seamlessly across different environments.

For an illustration of how to implement the procedure described above using a Vite React app, you can refer to my repository at https://github.com/danibog/firebase-migration-vite.

Feel free to visit my GitHub account for more related projects and resources.

The Pop Store Installation Issue:
When attempting to install VS Code from the Pop Store on Linux, some users may encounter a problem where the “code” command is not recognized in the terminal. This error message can be frustrating, especially if you’re eager to start coding. However, there is a solution to this issue that involves installing VS Code from the official Visual Studio Code website for Ubuntu.

Troubleshooting Steps:
To resolve the problem and ensure a smooth installation of VS Code on Linux, follow the steps outlined below:

1. Uninstall the existing VS Code:
If you have previously installed VS Code from the Pop Store, it’s essential to remove it before proceeding with the official installation. Run the following command in the terminal:

sudo apt remove code

or just remove vs code manualy.

2. Downloading VS Code from the official website:
Open your web browser and visit the official Visual Studio Code website for Linux (https://code.visualstudio.com/Download). Make sure to select the appropriate package for Ubuntu. Once the download is complete, proceed to the next step.

Conclusion:
Installing software from alternative sources, such as the Pop Store, can sometimes lead to unexpected issues. In the case of Visual Studio Code, encountering the “code is not a known command” error message can be resolved by following the troubleshooting steps outlined in this article. By downloading and installing VS Code from the official website for Ubuntu, users can ensure a seamless installation experience and enjoy the full range of features offered by this popular code editor. Happy coding!

The year 2020 was one of great upheaval and social unrest, marked by a global pandemic, racial tensions, and political turmoil. Many people were left feeling overwhelmed and helpless in the face of these challenges, struggling to cope with the difficult circumstances of their lives. It was during this time that musician and composer Jon Batiste released his song “Cry,” a soulful and emotionally charged piece that spoke directly to the pain and frustration felt by so many.

The song begins with the lyrics, “Who do you love? Who you gonna love? Who do you love when push comes to shove?” These lines set the tone for the rest of the song, as Batiste explores the difficulties of love and the need to fight for what is right, even in the face of adversity. He sings about the struggles of immigrants, the wrongful imprisonment of innocent people, and the loss of innocence, all while acknowledging the deep pain and sadness that these experiences can cause.

Yet, despite the heaviness of these themes, there is also a sense of hope and resilience in the song. Batiste acknowledges that crying can be a cathartic release for those who are struggling, but he also suggests that it is not enough to simply cry and feel sad. Instead, he encourages listeners to take action and fight for what is right, to stand up for those oppressed, and to work towards creating a better world.

In many ways, “Cry” is a reflection of the difficult times in which it was released. It speaks to the pain and frustration so many people feel while offering a message of hope and empowerment. It is a call to action for those who are struggling, a reminder that even in the darkest of times, there is always something that can be done to make things better.

For Batiste, “Cry” is more than just a song; it is a powerful expression of the human experience. It speaks to the complexities of love and the challenges of fighting for justice, while also acknowledging the power of vulnerability and emotional release. It is a song that invites listeners to connect with their own pain and frustration, while also inspiring them to take action and create positive change in their own lives and communities.

In the end, “Cry” is a testament to the power of music to heal, inspire, and to connect us all. It is a reminder that even in the most difficult of times, we are never truly alone, and that there is always hope for a brighter tomorrow.

return <div className={panelHeadingClassName}>
    <h3 className={style.panelTitle}>
        <i className={iconStyle[iconClass]}></i>
        {title}
        <small className={style.panelSubTitle}>{subTitle}</small>
    </h3>
</div>

I get the following when I use option + shift + F to format:

return <div className = {
  panelHeadingClassName
} >
<
h3 className = {
  style.panelTitle
} >
<
i className = {
  iconStyle[iconClass]
} > < /i> {
  title
} <
small className = {
  style.panelSubTitle
} > {
  subTitle
} < /small> <
/h3> <
/div>

Prettier is not the issue; the issue is with the language that we configured prettier to use to prepare our code.
To correct it, click the language choice in the lower right corner of the VS Code Editor.

Check me out on github if you need more information, and please let me know if I was able to help you.

https://github.com/danibog