Security Now #1055: "React's Perfect 10"
Date: December 10, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This week on Security Now, Steve Gibson and Leo Laporte dissect one of the most critical server vulnerabilities in years, a CVSS 10.0 unauthenticated remote code execution flaw in React Server Components; survey sweeping changes in tech regulation (notably in India, France, Australia and the EU); look at AI's impact on the computer hardware market; mark Steve's release of his new DNS Benchmark v2; and trace the growing trend of legislative intervention in digital privacy. The episode blends cautionary tales, technical deep dives, and reflections on the changing landscape of tech security and public policy.
Key Topics and Insights
1. The “React’s Perfect 10” Vulnerability
A critical security flaw has been discovered in React Server Components, and it carries the highest possible CVSS score, 10.0. An unauthenticated attacker can remotely execute code on an unpatched server with minimal effort. Frameworks that ship RSC support, including Next.js, Vite's RSC integration, and Redwood, are affected.
- Nature of Bug: Unsafe deserialization of the payloads that React's server-side ("Flight") protocol accepts lets a crafted request execute attacker-supplied JavaScript on the server.
- Scope: React 19.0.0 through 19.2.0 (this year's 19.x releases) are affected; the fixes are 19.0.1, 19.1.2 and 19.2.1. Next.js, React Router, and other frameworks built on RSC ship their own patched releases.
- Exploitation: Public exploits appeared within 48 hours of disclosure, and active attacks followed within hours, notably from China-based threat actors.
- Mitigation: Emergency patches were released; Cloudflare and AWS rushed WAF rules into place, and the hurried rollout itself caused a brief Cloudflare outage.
- Industry Reflection: Performance and security pull in opposite directions, especially when application logic is moved server-side, closer to sensitive data, for speed.
- Long-term Impact: Servers that remain unpatched will stay targets for ransomware and data theft.
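A worked check a defender can run on a build host, added here and not taken from the episode or the React project: a Node script that walks a package-lock.json and flags React Server Components bindings older than the patched releases the episode names (19.0.1, 19.1.2, 19.2.1). The package names it looks for, and the constructed sample lockfile at the bottom, are assumptions for illustration.

```javascript
// Added example: flag React Server Components packages in a lockfile that
// predate the patched releases named in the episode. This is not code from
// the episode or from the React project. The package names checked, and the
// sample lockfile below, are assumptions for illustration.

// The RSC bindings that carry the server-side deserialization code; the
// core "react" package is deliberately not on this list.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First fixed version on each 19.x minor line, from the patch releases the
// episode cites. Anything older on the same line is treated as unpatched.
const FIRST_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts, or null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: numeric parts first, then a pre-release sorts
// below the plain release it precedes.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// True when the version sits on a minor line with a known fix and is older
// than that fix. Lines the episode names no fix for are left unreported
// rather than guessed at.
function isUnpatched(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const fix = FIRST_FIXED[`${v.major}.${v.minor}`];
  if (!fix) return false;
  return compareVersions(v, parseVersion(fix)) < 0;
}

// Walk the "packages" map of a lockfileVersion 2 or 3 package-lock.json.
// Keys look like "node_modules/foo" or, for a copy nested under another
// dependency, "node_modules/next/node_modules/foo"; the nested copies are
// the ones a quick look at package.json misses.
function findUnpatched(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.includes(name) && entry.version && isUnpatched(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not from a real project: one unpatched
// webpack binding nested under a framework, one patched parcel binding.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

for (const hit of findUnpatched(SAMPLE_LOCK)) {
  console.log(`UNPATCHED ${hit.path} @ ${hit.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). The lockfile, not package.json, is what to inspect: a caret range at the top level can still resolve to an older copy nested under a framework's own node_modules, and that copy is the one the server actually loads.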
Notable Quotes:
- “It would allow said attacker to remotely supply whatever code they would wish any such server to execute... a critical, unauthenticated, low-complexity remote code execution vulnerability.” —Steve Gibson [133:08]
- “I usually don't say this but patch right freaking now. The React CVE listing is a perfect 10.” —(industry researcher, quoted by Steve) [137:20]
- “This is going to haunt the developer ecosystem for some time, due to its ease of exploitation... and React’s popularity.” —Steve Gibson [154:34]
Timestamps:
- [128:28] The worst possible code exploit—what makes it so bad
- [133:08] Detailed explanation of the React deserialization vulnerability
- [139:01] Scope of affected software and platforms
- [146:38] Shodan scan reveals >1M exposed servers
- [150:43] Cloudflare, AWS, and rapid emergency mitigations
- [153:45] State-sponsored threat actor activity observed
2. Government Regulation and Digital Sovereignty
A. India’s Attempted Mandates and Backpedal
- Original Order: India required all smartphone makers to pre-install the government's Sanchar Sathi app on every new device (and push it to existing devices via updates), citing anti-theft and security benefits, while the order raised fresh privacy concerns. [42:10]
- App’s Role: Tracks stolen devices, can block (disable) any phone centrally.
- Pushback: Apple refused participation; major privacy, surveillance, and competition concerns voiced by industry and policy groups.
- Result: India withdrew the mandatory app installation under mounting criticism and logistical impracticality [52:34].
- Additional Mandate: India will still require "SIM binding" for messaging apps, tying a user's account on an end-to-end encrypted messenger to the physical SIM in the handset and forcing web and desktop sessions (WhatsApp Web, Telegram Desktop, etc.) to log out every 6 hours.
Notable Quote:
- “You can't go about restricting cybercrimes and device thefts in such a disproportionate and heavy-handed way.” —Tech Global Institute, quoted by Steve [49:06]
Timestamps:
- [41:37] Outlining India’s plans for smartphone and messaging control
- [52:34] Public backlash and India’s reversal
- [58:03] SIM binding and disruption to privacy/OTT messaging
B. France’s Regulatory Enforcement
- Vanity Fair France fined €750,000 for violating cookie consent regulations—after years of noncompliance despite warnings.
- Significance: The fine, levied by France's data protection authority (the CNIL), signals that European privacy regulators are enforcing in earnest; GDPR revisions are in the works and browser-level privacy controls are on the horizon.
C. EU & Australia: Underage Social Media
- Australia: The social media ban for under-16s took effect, enforced by requiring platforms to verify user ages, with fines of up to A$49.5 million for noncompliance.
- EU: Moving toward a universal, privacy-preserving age verification scheme tied to the forthcoming European Digital Identity Wallet.
- Challenge: The primary burden is on social platforms; children easily circumvent age gates; it may take robust device-level crypto/identity solutions to resolve.
Notable Quote:
- “We do not want to have to be showing a driver's license individually to every website we visit.” —Steve, on the need for one-time, privacy-friendly device-based age proof [38:43]
Timestamps:
- [27:14] Australia’s social media age ban & global attention
- [34:20] Teens, circumvention, and the imminent mess
- [36:44] EU’s move toward privacy-centric age identity
3. Tech Market Trends: AI’s Ripple Effects
A. RAM Prices Skyrocket
- Micron exits consumer RAM market: AI data centers are buying up server RAM in such volumes that consumer and gaming RAM pricing is now “market price—see a sales associate.”
- Three-Month Price Increases: 32GB kits have tripled in price; 64GB $700–900.
- Industry Impact: Game consoles, GPUs, and consumer PCs bracing for hardware inflation. Large data centers are concentrating enormous computational capacity in small areas, straining electricity and infrastructure.
- Environmental Pushback: 200 organizations demand a halt to new data center construction in the US due to environmental and power grid impact.
Notable Quotes:
- "Stores are selling RAM at market prices like you'd pay for the catch of the day at a seafood restaurant." —Steve, reading from The Verge [75:49]
- "It does appear the desire to concentrate an unprecedented amount of computational capacity within a comparatively small space is causing trouble." —Steve Gibson [80:48]
4. Security Now’s DNS Benchmark v2 Launch
Steve announces the long-awaited DNS Benchmark v2, a ground-up rewrite that adds IPv6, the encrypted DoH and DoT protocols, and a more accurate statistical ranking. It is GRC's first sub-$10 product, sold with a perpetual license and no subscription.
- Motivation: Internet landscape has changed; old caching-centric benchmarks now mis-rank real-world performance.
- New Features:
- Measures cached/uncached/“.com” lookup speed
- Intelligent “sidelining” to skip underperforming resolvers
- Flexible benchmark repeats for statistical reliability
- Detailed pop-up explanations, IPv6/DoH/DoT support, per-round statistics
- Distribution: $9.95, lifetime license, free updates.
- Runs on: Windows natively; macOS (including Apple Silicon) and Linux under WINE.
Notable Quote:
- “You buy this once—I will never ask you for anything again for DNS Benchmark. All updates... included in the price. You own it for life.” —Steve [99:21]
Timestamps:
- [83:45] Steve introduces DNS Benchmark v2
- [91:07] Technical problem-solving and new ranking paradigm
- [99:21] No subscriptions, perpetual updates
5. Listener Feedback & Developer Notes
- Cisco Device Firmware Hoops: Difficulty in patching due to vendor policies locking firmware behind support contracts—compromising network security [107:43].
- Browsers and Local Network Security:
- Chrome 142's new "Local Network Access" permission: a script loaded from a public website must now obtain explicit user approval before it can reach devices on the local network (a router's admin page, for example). Human nature remains the weak link, since attackers will craft convincing prompts to obtain that approval.
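An added example, not from the episode or from Chromium: a small classifier that sorts fetch targets into the address spaces the Local Network Access permission distinguishes (loopback, local, public) and says whether a request from a given page would now hit the prompt. The ranges are the IANA loopback, private-use, link-local and unique-local blocks; that Chrome's list matches them exactly is an assumption to verify against the spec, and DNS names are reported as unresolved because the browser classifies them only after resolution.

```javascript
// Added example: which fetch targets fall under Chrome's Local Network
// Access permission. Not code from the episode or from Chromium; the CIDR
// blocks are the IANA special-purpose ranges and are assumed to match what
// the browser treats as "local" and "loopback".

// Parse a dotted-quad IPv4 string to a 32-bit unsigned integer, or null.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the unsigned IPv4 integer lies inside base/bits.
function inCidr4(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Classify a URL hostname (as returned by URL.hostname, so IPv6 literals
// still carry their square brackets) into an address space.
function addressSpaceOfHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost")) return "loopback";

  const v4 = ipv4ToInt(h);
  if (v4 !== null) {
    if (inCidr4(v4, "127.0.0.0", 8)) return "loopback";
    if (inCidr4(v4, "10.0.0.0", 8) ||          // RFC 1918 private-use
        inCidr4(v4, "172.16.0.0", 12) ||
        inCidr4(v4, "192.168.0.0", 16) ||
        inCidr4(v4, "169.254.0.0", 16)) return "local"; // link-local
    return "public";
  }

  if (h.includes(":")) {
    if (h === "::1") return "loopback";
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return "local";   // fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(h)) return "local";   // fe80::/10 link-local
    return "public";
  }

  // A DNS name: the browser only learns the address space after resolving it.
  return "unresolved";
}

// Ordering from most public to least. A request is a "local network
// request" (and needs the permission) when its target is less public than
// the page that issued it. Unresolved names are treated as public here,
// the optimistic case: a name that resolves to a LAN address is still gated
// by the browser at fetch time.
const PUBLICNESS = { public: 0, unresolved: 0, local: 1, loopback: 2 };

function needsLocalNetworkPermission(pageUrl, targetUrl) {
  const from = addressSpaceOfHost(new URL(pageUrl).hostname);
  const to = addressSpaceOfHost(new URL(targetUrl).hostname);
  return PUBLICNESS[to] > PUBLICNESS[from];
}

// Constructed cases: a public site probing a router, the same probe from a
// LAN-hosted page, and a LAN page reaching a loopback service.
const CASES = [
  ["https://example.com/", "http://192.168.1.1/"],
  ["http://192.168.1.5/", "http://192.168.1.1/"],
  ["http://192.168.1.5/", "http://127.0.0.1:8080/"],
];
for (const [page, target] of CASES) {
  console.log(`${page} -> ${target}: prompt=${needsLocalNetworkPermission(page, target)}`);
}
```

The point the classifier makes concrete is that the prompt is keyed to relative publicness, not to the word "router": a page already served from the LAN can reach other LAN hosts without a prompt, but even that page is challenged when it reaches into loopback, and a public page is challenged for every LAN or loopback target.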
Notable Quotes:
- “We've also just saddled users with the new responsibility of determining what's benign and what's malicious. How is anyone really gonna know?” —Steve [123:40]
Notable Quotes & Moments
- "This is a perfect 10.0 vulnerability—attackers will feed on this for a long time." —Steve Gibson [01:37]
- "Apple says no, India says yes... then changes its mind. Who's in control today?" —Steve [02:27/52:34]
- "RAM is being sold like lobster. Whatever it costs today, that's the price." —Steve [02:27]
- "We needed a solution to the local network attack vector; now browsers will ask—users must decide who to trust." —Steve [126:51]
Key Timestamps (MM:SS)
- [01:37] React's "Perfect 10" explained
- [11:32] France enforces GDPR compliance with major fine
- [17:55] GrapheneOS forced out of France over encryption laws
- [27:14] Age restrictions on social media in Australia & EU
- [41:37] India’s surveillance regulation drama
- [73:53] The Scattered LAPSUS$ Hunters collective's new abbreviation, "SLH"; RAM market meltdown
- [83:45] DNS Benchmark v2 debut and feature tour
- [107:43] Cisco firmware update woes
- [120:44] Chrome's “local network access” protocol and its implications
- [128:28] Discussing the React 10.0 vulnerability in depth
- [146:38] Scale of exposure (Shodan: >1M servers)
- [153:45] Exploitation by state threat actors and industry mitigation
Tone & Style
Conversational, insightful, with a blend of wry humor and sober analysis. Steve delivers nuanced technical breakdowns, Leo questions and contextualizes, and both occasionally reminisce or express philosophical concerns about the direction of tech and governance.
For Further Exploration
- CVE Details: CVE-2025-55182 (React Server Components RCE, also known as "React2Shell")
- Steve’s DNS Benchmark v2: GRC DNS Benchmark
- WICG draft: Local Network Access (the permission Chrome 142 implements)
In Summary
A can’t-miss episode for security professionals, web developers, policy watchers, and anyone interested in the bustling intersection of government, security, and the modern Internet. The React exploit segment alone is an urgent call-to-action, but the show’s round-the-world regulatory tour and hardware market diagnosis provide invaluable context for the months ahead.