Web Browsers/Web Servers: Incidents, Vulnerabilities, and RSS
-
Before the Web
For anyone born after 1990, the internet is the World Wide Web. It's a world of browsers, hyperlinks, and websites, a vast, graphical universe navigated with a mouse and a search bar. But before the web became what it is today, there was another world - a diverse ecosystem of interconnected communities built on different technologies and a different ethos. It was a world of dial-up tones, text-based menus, and global conversations that unfolded one message at a time.
-
Futurism ☛ AI-Powered Browsers Are Failing Badly
“No matter the browser, I kept running into the same fundamental problem: you have to think extra hard about how to craft the right prompt,” wrote The Verge’s Victoria Song. “Stapling an AI assistant to a browser doesn’t magically redefine how you interact with a chatbot.”
-
The Register UK ☛ AWS: Beijing-linked hackers hammering max-severity React bug
In a new advisory, AWS said its threat intelligence teams "observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda."
-
Cyble Inc ☛ React2Shell Bug Exploited Within Hours Of Disclosure
The React2Shell vulnerability, tracked as CVE-2025-55182, affects React Server Components in React 19.x and Next.js versions 15.x and 16.x when using the App Router. The flaw carries the maximum severity score of 10.0 on the CVSS scale, enabling unauthenticated remote code execution (RCE).
-
Scoop News Group ☛ Attackers hit React defect as researchers quibble over proof
Multiple security firms are responding to active exploitation in the wild as a scrum of reports conclude the malicious activity is limited to scanning and attempts instead of actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday.
-
Dark Reading ☛ React2Shell Vulnerability Under Attack From China-Nexus Groups
CVE-2025-55182, which was disclosed Wednesday, is an unauthenticated remote code execution (RCE) vulnerability that impacts the React Server Components (RSC) protocol versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of three packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) and is caused by unsafe deserialization. Because of the severity of the bug, the ubiquity of React, and that it can cause pre-authentication RCE, it received a CVSS score of 10 — the highest severity possible.
-
Security Week ☛ Cloudflare Outage Caused by React2Shell Mitigations
Cloudflare informed customers soon after the public disclosure of CVE-2025-55182 that web application firewall (WAF) protections had been rolled out. However, it seems that some of the mitigations implemented by the web performance and security company have led to disruptions.
-
The New Stack ☛ React Server Components Vulnerability Found
On Nov. 29, Lachlan Davidson, a security consultant for the New Zealand-based security firm Carapace, reported the vulnerability. It allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
-
Matthew Weber ☛ I Have Way Too Many RSS Favorites
I use FreshRSS to manage all of my RSS feeds. It is wonderful. Maybe the best thing I use on a daily basis. I adore being able to use the internet in this way, for many reasons. I’ve talked about my eternal love of RSS before, so I don’t need to get all gushy over it here. But damn is it good.
-
Don Marti ☛ a Terminator ending for Google Privacy Sandbox?
The sad part is that, in the years since the “Privacy Sandbox” saga started, we have learned a lot and it should be clear by now that hard-coding advertising features into the browser is a bad idea. Yes, the math can sometimes be really cool, but the concept has some real problems when applied to the real world.
-
[Old] Alex Chan ☛ What I learnt about making websites by reading two thousand web pages
Over the past year, I built a web archive of over two thousand web pages – my own copy of everything I’ve bookmarked in the last fifteen years. I saved each one by hand, reading and editing the HTML to build a self-contained, standalone copy of each web page.
These web pages were made by other people, many using tools and techniques I didn’t recognise. What started as an exercise in preservation became an unexpected lesson in coding: I was getting a crash course in how the web is made. Reading somebody else’s code is a great way to learn, and I was reading a lot of somebody else’s code.
In this post, I’ll show you some of what I learnt about making websites: how to write thoughtful HTML, new-to-me features of CSS, and some quirks and relics of the web.