Security Now #1055: React's Perfect 10 – RAM Is the New Lobster
Hosts: Steve Gibson (B), Leo Laporte (A)
Air Date: December 10, 2025
Episode Overview
This episode covers an intense week in cybersecurity, including a devastating new React/Next.js remote code execution vulnerability ("the worst code exploit in a long time"), regulatory crackdowns around the globe (France, India, Australia, EU), rising authoritarian tech trends, and the unexpected effects of AI on hardware markets (notably RAM prices). Steve debuts GRC's new DNS Benchmark v2, and the hosts also discuss browser security, password management, and industry feedback.
Key Discussion Points & Insights
1. Major News and Announcements
- GRC DNS Benchmark v2 Released
- Steve launches a redesigned, feature-rich ($9.95, one-time purchase) DNS benchmarking tool.
- Adds IPv6, DNS over HTTPS (DoH) and DNS over TLS (DoT) testing, with methodology updated for how DNS and the modern web now behave.
- Emphasizes perpetual ownership, no subscriptions, and all future updates included.
- "[...] you buy this one time, I will never ask you no matter what happens for anything for the DNS benchmark again, all updates and versions, no matter how big or small they are included [...]" (Steve Gibson, 99:21)
2. Global Regulatory Turbulence
France: Vanity Fair Fined over Cookie Violations [11:32–17:44]
- CNIL fines Vanity Fair/Condé Nast €750,000 after years of non-compliance and repeated warnings.
- "No one's going to shed a tear here except some accountant at Vanity Fair [...] Three quarters of a million euros, which could have been easily prevented." (Steve, 14:52)
- The hosts note the ongoing shift toward browser-based privacy controls under GDPR and California's privacy rules.
France: GrapheneOS Exits French Market [17:55–26:53]
- GrapheneOS withdraws from France, citing proposed laws that would mandate encryption backdoors, plus harassment and "raids" by French authorities.
- “France is no longer a safe country for open source privacy projects. [...] Secure devices and services are not going to be allowed in France.” (GrapheneOS statement, summarized by Steve, 17:55)
- The developers suspect authorities want to brute-force unlock phones; GrapheneOS explains why that is not feasible on its supported devices, because the hardware secure element rate-limits and throttles unlock attempts.
Australia & EU: Under-16 Social Media Bans [27:14–38:43]
- Australia becomes the first country to enforce a blanket ban on under-16s using social media, with serious fines for platforms that fail to comply.
- Implementation challenges: age verification tech is weak; kids find easy workarounds (like using parent photos or VPNs).
- "We're about to descend into some extremely messy, chaotic times. But [...] we'll eventually finally obtain a good solution." (Steve, 38:43)
- EU moves in a similar direction, planning to require age verification but with a potential for privacy-preserving solutions.
India: Smartphone Tracking & Encryption Mandates [41:37–62:42]
- The government mandates pre-installation of its tracking app ("Sanchar Saathi") on all devices (including delivery via software updates) to combat fraud and theft.
- Apple refuses; after backlash, India rescinds the requirement—but new SIM-binding rules persist, requiring messaging apps to tie accounts to SIMs and enforce periodic logouts.
- "We really appear to be entering a period where government legislators are feeling increasingly empowered to dictate the operation of the personal communications devices operating within their jurisdictions." (Steve, 62:42)
3. Threat Group Activity & Industry Shifts
Scattered LAPSUS$ Hunters → "SLH" [73:53]
- The threat group is now commonly abbreviated "SLH."
- Trend: SLH's targeting is shifting from Salesforce instances to Zendesk.
AI-driven RAM Price Crisis [73:53–83:41]
- Consumer RAM prices have skyrocketed—up to 3–4x in months—due to AI demand for data center DRAM.
- "Stores like Central Computers are beginning to sell RAM at market prices like you’d pay for the catch of the day at a seafood restaurant." (Steve, quoting The Verge, 73:53)
- Micron exits the consumer RAM market to focus on AI demand.
- "Valve pointed at the RAM crunch as one of the reasons it could not promise a specific price for its Steam machine just yet." (Steve, 79:03)
- Potential for further fallout in GPU, console, and general computing markets.
4. Steve Gibson’s DNS Benchmark v2 Details [83:43–102:49]
Motivation, Features, and Technical Changes
- Year-long development updating 17-year-old tool to modern internet realities.
- Major technical updates (IPv6, DoH, DoT).
- New methodology: averages cached, uncached, and TLD query times.
- "Over the course of these 16 years, the Internet has changed a lot [...] The big change was I needed to add IPv6 support. But then [...] none of the UDP resolution is encrypted, so we have DoH and DoT." (Steve, 89:44–90:27)
- Improved accuracy over old versions, avoids overestimating benefits of LAN caching.
- Version 2: $9.95, perpetual license, all features included.
5. Feedback & Industry Notes
Cisco Security Update Challenges [107:43]
- Listener complaints: Cisco (and others) gate access to firmware/security updates behind contracts, limiting ability to patch known vulnerabilities.
- "Them crying about the fact that there’s so many unpatched devices still exposed is peak irony and it is partially on them." (Steve quoting listener, 107:43)
Chrome 142 "Local Network Access" [107:43–128:28]
- Chrome 142 now asks the user before a public website can send requests to devices on the local network (private address ranges) or to the browser's own machine (loopback), closing a long-standing hole: any page loaded in the browser could previously reach the LAN from the inside.
- "Just to be completely clear about the nature of the problem: from the perspective of any web browser device sitting on a private local area network, that web browser has network visibility into two completely different networks." (Steve, 116:21)
- The prompt is triggered only when a site in a more public address space initiates the request; a user navigating directly to a LAN device (e.g., a router's admin page) is not affected.
- Social engineering may still talk some users into clicking "Allow", but it is a strong improvement.
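As an added example (not code from the episode or from Chromium), the JavaScript below classifies a request target into the address spaces that Local Network Access distinguishes and applies the rule that makes a request "local network access": the target sits in a more private space than the page that initiated it. The range table and the rule are my reading of the LNA draft specification, not something the episode states, and Chrome makes the decision on the IP address a hostname actually resolves to, whereas this classifier handles only IP literals and a few well-known names. The scenarios at the bottom are constructed.

```javascript
// Added example: classify fetch targets the way Chrome's Local Network Access
// (LNA) feature does, then apply its rule. Not Chromium code; the range table
// and the rule are my reading of the LNA draft spec (assumption), and Chrome
// applies them to the IP the hostname resolves to, which this does not do.

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Does `ip` fall inside prefix/len? Both operands are unsigned 32-bit ints.
function inCidr(ip, prefix, len) {
  const mask = len === 0 ? 0 : (~0 << (32 - len)) >>> 0;
  return ((ip & mask) >>> 0) === ((prefix & mask) >>> 0);
}

// IPv4 ranges LNA treats as "loopback" or "local"; everything else is "public".
const IPV4_RANGES = [
  ["127.0.0.0", 8, "loopback"],
  ["10.0.0.0", 8, "local"],
  ["172.16.0.0", 12, "local"],
  ["192.168.0.0", 16, "local"],
  ["169.254.0.0", 16, "local"],   // link-local
];

// Address space of a URL hostname: "loopback", "local" or "public".
function addressSpace(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // drop IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return "loopback";
  const v4 = ipv4ToInt(h);
  if (v4 !== null) {
    for (const [prefix, len, space] of IPV4_RANGES) {
      if (inCidr(v4, ipv4ToInt(prefix), len)) return space;
    }
    return "public";
  }
  if (h.includes(":")) {                                  // IPv6 literal
    if (h === "::1") return "loopback";
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return "local";   // fc00::/7 unique local
    if (/^fe[89ab][0-9a-f]:/.test(h)) return "local";   // fe80::/10 link-local
    return "public";
  }
  if (h.endsWith(".local")) return "local";   // mDNS names (assumption)
  return "public";  // any other DNS name: Chrome decides after resolution
}

// A request is "local network access" when its target sits in a more private
// space than the page making it; those are the requests Chrome 142 prompts for.
const PRIVACY_RANK = { public: 0, local: 1, loopback: 2 };

function lnaDecision(pageOrigin, targetUrl) {
  const pageSpace = addressSpace(new URL(pageOrigin).hostname);
  const targetSpace = addressSpace(new URL(targetUrl).hostname);
  return PRIVACY_RANK[targetSpace] > PRIVACY_RANK[pageSpace] ? "prompt" : "allowed";
}

// Constructed scenarios mirroring the episode's discussion.
const SCENARIOS = [
  ["https://example.com", "http://192.168.1.1/cgi-bin/login"],   // public page probes the router: prompt
  ["https://example.com", "http://127.0.0.1:9000/api"],          // public page hits a local service: prompt
  ["http://192.168.1.20", "http://192.168.1.1/"],                // LAN page to LAN device: allowed
  ["https://example.com", "https://cdn.example.net/app.js"],     // public to public: allowed
];

for (const [page, target] of SCENARIOS) {
  console.log(`${lnaDecision(page, target).padEnd(7)} ${page} -> ${target}`);
}
```

Run it with node. The two cases the hosts contrast fall out of the rank comparison: a public page fetching the router's login page gets the prompt, while a page already served from the LAN reaching the same router does not. A user typing the router's address into the address bar is a navigation, not a fetch made by a page, so it is never gated. The prompt does not remove the risk that a malicious public page simply asks and the user clicks "Allow"; that is the new responsibility Steve describes.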
6. Deep Dive: React/Next.js RCE Vulnerability (“The Perfect 10”) [128:35–157:51]
The Exploit
- CVE-2025-55182 (React Server Components) / CVE-2025-66478 (Next.js):
- Unauthenticated remote code execution via unsafe deserialization of attacker-supplied request payloads in React Server Components.
- Exploitable with a single HTTP request, “near 100% reliability.”
- "It would affect any popular, widely present Internet facing server. It would not require the remote attacker to be in any way authenticated on that server. It would allow said attacker to remotely supply whatever code they would wish any such server to execute." (Steve, 133:08)
Scope and Exposure
- React powers ~6% of all websites; Next.js over 10 million active websites globally.
- Dan Goodin/Ars Technica: “Open source React executes malicious code with malformed HTML. No authentication needed.” (135:36)
- Worst since Log4Shell, potentially more broadly damaging.
- Major React-based properties (Instagram, Netflix, Airbnb) and downstream frameworks were potentially affected.
- Proof-of-concept exploit code was public within 48 hours, and China-linked groups (notably Earth Lamia and Jackpot Panda) were exploiting it in the wild within hours of disclosure.
- "[...] this vulnerability is probably going to haunt the developer ecosystem for some time due to its ease of exploitation, widely available proofs of concept, its low complexity versus its power, as well as React's popularity." (Steve, 153:45)
Mitigation & Response
- Vendors and frameworks released patches within days; urgent updating is essential.
- Major CDNs (Cloudflare, Fastly, AWS) rushed to deploy custom WAF protections—Cloudflare’s rushed deployment briefly caused a 25-minute global outage.
- Some discussion that the disclosure-to-vendor-notification process could be improved to minimize the initial harm window: "There's no reason that the major CDNs at least could not have been brought into a loop, you know, on the DL and allowed to have their application firewalls updated so they would have been protected before the disclosure." (Steve, 153:45)
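As an added example, not React's, Vercel's or the episode's code, the script below does the first thing a defender needs after a disclosure like this: find every copy of the affected packages in a dependency tree, nested duplicates included, and compare each against the first fixed release on its version line. The fixed-version table is my reading of the React advisory for CVE-2025-55182 and must be checked against the advisory; Next.js publishes its own fixed releases for CVE-2025-66478 and is deliberately left out of the table. The lockfile is a constructed sample embedded inline, and the scanner assumes npm lockfileVersion 2 or 3.

```javascript
// Added example, not React's, Vercel's or the episode's code: scan an npm
// package-lock.json (lockfileVersion 2 or 3) for the React Server Components
// packages patched for CVE-2025-55182 and flag copies, nested ones included,
// that are still below the first fixed release of their version line.

// First fixed release per 19.x line, as I read the React advisory; verify
// against the advisory before relying on this (assumption). Next.js ships its
// own fixed releases for CVE-2025-66478 and is intentionally not listed.
const FIXED = {
  "react-server-dom-webpack":   ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel":    ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
};

// Minimal semver parse: major.minor.patch plus an optional prerelease tag.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// -1, 0 or 1; a prerelease sorts below the release with the same triple,
// so a canary build is treated as unpatched (conservative).
function cmpSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// "vulnerable" | "patched" | "outside-table" | "not-tracked" | "unparseable"
function assess(name, version) {
  const fixes = FIXED[name];
  if (!fixes) return "not-tracked";
  const v = parseSemver(version);
  if (!v) return "unparseable";
  const fix = fixes.map(parseSemver).find((f) => f.major === v.major && f.minor === v.minor);
  if (!fix) return "outside-table";   // e.g. 18.x, or a line the table omits: consult the advisory
  return cmpSemver(v, fix) < 0 ? "vulnerable" : "patched";
}

// "node_modules/next/node_modules/react-server-dom-webpack" -> package name.
function packageNameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Walk the lockfile's "packages" map and assess every tracked package copy.
function scanLockfile(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(path);
    if (!name || !(name in FIXED) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one top-level copy, one
// nested under next, and one stale duplicate nested under a legacy package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/next": { version: "15.5.2" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/legacy-admin/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(14)} ${f.name}@${f.version}  (${f.path})`);
}
```

On the sample, the top-level webpack copy (19.1.1) and the duplicate nested under the legacy package (19.0.0) are reported as vulnerable while the turbopack copy under next (19.2.1) is patched; the nested duplicate is the case that `npm ls` at the top level can hide and a single `npm update` can leave behind. The `next` entry is skipped as not tracked: add Vercel's fixed versions for CVE-2025-66478 to the table before using this on a Next.js project, and treat "outside-table" as a prompt to read the advisory rather than as a clean bill of health.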
Notable Quotes & Moments
- On government tech overreach: "Legislators are feeling increasingly empowered to dictate the operation of the personal communications devices operating within their jurisdictions." (Steve, 62:42)
- On privacy technology evolution: "We can do this without any loss of privacy. Yes, you will have to identify yourself to securely embed your date of birth in the device, but once that's done [...] we do not want to have to be showing a driver's license individually to every website we visit." (Steve, on age verification, 38:43)
- On the React exploit's seriousness: "A critical, unauthenticated, low complexity remote code execution vulnerability... also known as CVSS 10.0." (Steve, 133:08)
- On RAM prices: "RAM prices are so out of control that stores are selling it like lobster." (quoting The Verge, 73:53)
- On SLH: "I’m beginning to see the infamous Scattered LAPSUS$ Hunters being referred to by the abbreviation SLH..." (Steve, 73:53)
- On Chrome's new security prompt: "The good news is it’s finally going to happen... but we've also just saddled users with the new responsibility of determining what's benign and what's malicious." (Steve, 123:40)
Important Timestamps
- [01:16] - Steve's DNS Benchmark v2 announced ("on sale now!")
- [11:32] - France fines Vanity Fair for cookie/GDPR violations
- [17:55] - GrapheneOS exits France, citing state backdoor pressures
- [27:14] - Australia, EU enact (and debate) social media bans for the under-16 crowd
- [41:37] - India’s device tracking and encryption rules; Apple’s pushback
- [73:53] - RAM "crisis" and hardware industry changes due to AI
- [99:21] - DNS Benchmark v2: purchase and features
- [107:43] - Cisco firmware update/patching criticism
- [116:21] - Chrome 142's Local Network Access security change breakdown
- [128:35] - React/Next.js "Perfect 10" vulnerability deep dive ("the worst code exploit in a long time")
- [153:45] - Active exploitation, Chinese APTs, industry/CDN response, and lessons learned
Episode Tone
Engaging and conversational, balancing detailed technical deep-dives and larger philosophical/industry reflections. Steve is deeply analytical but accessible, with Leo asking clarifying or user-representative questions and providing color commentary.
Summary
This Security Now episode blends urgent vulnerability news (React/Next.js CVE-2025-55182), a wave of international regulatory controls (notably in privacy and device tracking), and the underlying market and technological forces (AI's impact on RAM, browser security, threat actor shifts). Steve's launch of DNS Benchmark v2 offers a rare bit of positive news. Across topics, the hosts emphasize the need for user vigilance as technological and legal landscapes shift, and, as ever, offer actionable perspective for security pros and end users alike.