Deserialization | Breaking Cybersecurity News | The Hacker News

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in an alert issued today. "Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components." According to cloud security firm Wiz , the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server. The vulnerability impacts versions 19.0, 19.1.0, ...

SAP has rolled out security fixes for 13 new security issues , including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. "Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port," according to a description of the flag in CVE.org. "The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability." While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards to secure against the risk posed by deserialization. "The additional...