#cve

#cve

In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly. The latest vulnerabilities - two high-severity denial-of-service bugs tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that is under active exploitation.

His analysis cites academic research published in August as part of the USENIX Security Symposium. The paper, "Confusing Value with Enumeration: Studying the Use of CVEs in Academia," (Moritz Schloegel et al.), reports that 34 percent of 1,803 CVEs cited in research papers over the past five years either have not been publicly confirmed or have been disputed by maintainers of the supposedly vulnerable software projects. The authors argue that CVEs should not be taken as a proxy for the real-world impact of claimed vulnerabilities.

Spooky season is in full swing, and this extends to Microsoft's October Patch Tuesday with security updates for a frightful 175 Microsoft vulnerabilities, plus an additional 21 non-Microsoft CVEs. And even scarier than the sheer number of bugs: three are listed as under attack, with three others publicly known, and 17 deemed critical security holes. Let's start with the flaws that attackers already found and exploited before Redmond pushed patches.

iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes. WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent.

The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6) by the chipmaker back in June 2025.

The number of CVE reports is projected to exceed 40,000 in 2025, with an average of 131 reports per day observed in early 2025.

Adobe's June 2025 updates address 254 CVEs across multiple products, prioritizing those in Commerce and introducing a substantial fix for Experience Manager, despite no known exploits.

"Dependence on the largesse of a single, and now volatile, government48;that's a serious flaw. The CVE funding fiasco is a wake-up call for the industry."