Miki
mikisec.bsky.social
Cyber security officer by day, a fabulous cookie by night
Reposted by Miki
We disclosed two new RSC vulnerabilities:
- Denial of Service (High): CVE-2025-55184
- Source Code Exposure (Medium): CVE-2025-55183

Patches are available now, please update immediately.

react.dev/blog/2025/12...
Denial of Service and Source Code Exposure in React Server Components – React
December 11, 2025 at 8:51 PM
That post was an unexpected (pleasant) rabbithole:
- mcp-scan uses invariant
- Invariant is a tool to write rules (tiny bit similar to Semgrep) to scan MCPs
- Can create rules that detect PIIs
- PIIs are found using the PyPI project presidio

Full of TILs, and tons of neat to play with! Thanks!
December 11, 2025 at 7:58 PM
The main danger, though, is being unable to fix CVEs without fixing breaking changes first (rushing breaking-change fixes because of a CVE is one of the worst things to do), but urllib3 has a good track record: v1 didn't reach EOL for a very long time, so users had ample time to migrate
December 8, 2025 at 9:58 PM
I think the answer lies in the last paragraph of your article: force the change, otherwise a large portion of users will never do the change
December 8, 2025 at 9:57 PM
Unfortunately, with teams with very limited time it can be difficult to address all warnings; they often get dealt with once it breaks (i.e., when the breaking change actually occurs).

I learned that opening tickets simply doesn't work; the work will never be picked up
December 8, 2025 at 9:54 PM
Looks great!

If it's intended for full-screen viewing: text could be a tiny bit smaller so we can see more code at once (feels a tiny bit too big & I'm able to read the text easily despite my poor eyesight 😉)

If it's meant to be projected or viewed in non-fullscreen mode then don't touch it IMO 👌
December 1, 2025 at 7:32 PM
That's quite interesting, we can find the list of flatpaks having such permission here: github.com/search?q=org...
May 30, 2025 at 8:47 PM
Thank you for sharing! That was an amazing talk. This is really saddening, I hope we manage to slam on the brakes
January 18, 2025 at 10:10 PM
Clever way of making it interesting! Instead of "Ugh, another cookie popup!" :D

Props on them!
January 14, 2025 at 10:17 PM
Darn, you were so healthy in yesterday's FireSide chat! Hope you get well soon!
December 14, 2024 at 6:30 PM
Should we call 911? Are you still alive?
December 12, 2024 at 6:39 PM
Rough start but I'm sure it will get much better, good luck!
December 12, 2024 at 4:32 PM
I wonder, why did you put "phishing training" inside the worst category?
December 10, 2024 at 7:35 PM
Not easy, I hope something here helps!
December 10, 2024 at 7:31 PM
- Burning the Bun and Node.js for a better security posture
- Practical Insights in Securing Bun and Node.js Runtimes
- Reflections on the Security of Bun and the Node.js Runtimes
- From Burned to Super: Securing The Bun and Node.js Runtimes
- Overlooked Security Issues of Bun and Node.js
December 10, 2024 at 7:30 PM
Amazing read!
December 7, 2024 at 1:04 PM