Risky Business #818 -- React2Shell is a fun one
Dec 10, 2025

Adam Boileau, a seasoned cybersecurity commentator, joins Simon Onyons, Managing Director at Kroll's Cyber and Data Resilience, to tackle the latest in cybersecurity. They dive into the alarming React2Shell vulnerability, scoring a CVSS 10, which is already being exploited by Chinese APTs. Simon shares insights on demystifying cyber risk for boards and how to communicate it effectively. The episode also touches on Linux's PCIe encryption support and a controversial GrapheneOS case, illustrating the ongoing battle between security and exploitation.
Server-Side React Expands Attack Surface
- React Server Components blur the client/server boundary and introduce new attack surface through the serialized objects exchanged between client and server.
- The React2Shell deserialization flaw let attackers craft objects that execute code during dependency resolution, resulting in a CVSS 10 remote code execution.
Isolate And Limit Server Component Privileges
- Consider isolating React server components with strict sandboxing and minimal privileges to limit blast radius from RCE bugs.
- Use containerization, strict data access controls and anomaly detection around these components to reduce impact.
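The two points above describe a containment posture rather than a specific configuration. The Docker Compose fragment below is an added example (not from the episode or from any project it discusses) showing what "strict sandboxing and minimal privileges" look like in practice for a Node process serving React server components: the service name `rsc-server`, the image name, the port and the mount paths are assumptions chosen for illustration.

```yaml
# Added example: a Compose service for a React Server Components process
# hardened so that a server-side RCE has a small blast radius.
# Service name, image and paths are illustrative assumptions.
services:
  rsc-server:
    image: example.invalid/rsc-server:latest   # placeholder image name
    user: "10001:10001"          # run as an unprivileged UID, not root
    read_only: true              # immutable root filesystem
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m   # writable scratch space, no executables
    cap_drop:
      - ALL                      # start from zero Linux capabilities
    security_opt:
      - no-new-privileges:true   # block setuid/capability escalation
    pids_limit: 256              # cap runaway process creation
    mem_limit: 512m
    environment:
      NODE_ENV: production
    ports:
      - "127.0.0.1:3000:3000"    # only reachable via a local reverse proxy
    networks:
      - frontend                 # no direct route to databases or internal services
    volumes:
      - ./build:/app/build:ro    # application bundle mounted read-only
    healthcheck:
      test: ["CMD", "node", "-e", "process.exit(0)"]
      interval: 30s

networks:
  frontend:
    driver: bridge
```

The controls pair naturally with the second bullet: `read_only` and `noexec` on `/tmp` deny an attacker a place to drop and run tooling, the capability drop and `no-new-privileges` limit what a compromised process can do to the host, and the single `frontend` network enforces data-access separation so the component cannot reach backend stores it has no business querying. Anomaly detection then has a small, well-defined baseline to alert against, such as any outbound connection from this container to a destination other than the proxy.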
Fast JS Ecosystem Helps Patching
- Rapid JS ecosystem updates mean many teams already practice frequent rebuilds and redeploys, which can speed patch uptake.
- That reduces the long-tail patching problem seen with legacy Java/PHP vulnerabilities such as Log4j.