Tag Archives: React

January “In the Trend of VM” (#23): vulnerabilities in Windows, React and MongoDB


January “In the Trend of VM” (#23): vulnerabilities in Windows, React and MongoDB. Traditional monthly roundup of trending vulnerabilities. Launching the 2026 season. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

In total, three vulnerabilities:

🔻 EoP – Windows Cloud Files Mini Filter Driver (CVE-2025-62221)
🔻 RCE – React Server Components “React2Shell” (CVE-2025-55182)
🔻 InfDisc – MongoDB “MongoBleed” (CVE-2025-14847)

🟥 Trending Vulnerabilities Portal

In Russian

About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability


About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability. React is a popular open-source JavaScript framework; to improve application performance, it allows part of the logic to be executed on the server via React Server Components (RSC). By exploiting insecure deserialization in RSC, an unauthenticated attacker can achieve server-side code execution via a crafted HTTP request.

⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.

🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮

👾 Attacks are widespread and have been observed since December 5; listed in CISA KEV Dec 9.

🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔

In Russian

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0. The Vulners Team released today the second version of their Web Vulnerability Scanning plugin for the Google Chrome browser. You can read my description of version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome”.

Vulners web vulnerability scanner v.2.0

The killer feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to check all Google Chrome tabs manually.

Moreover, if some sites make requests to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and is now React driven. It works faster, analyzes more data sources and detects vulnerabilities more accurately.
