December 09, 2025

Security Now 1055: React's Perfect 10

Listen Later

A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security.

France's VanityFair face a stiff fine over cookies.

GrapheneOS pulls out of France over coercion worries.

The EU adds to the pile-on over underage social media.

India mandates the tracking of all smartphones.

Apple says no.

India abandons its smartphone tracking mandate.

India requires all encrypted messaging to be SIM-tied.

Scattered Lapsus$ Hunters --becomes--> SLH.

AI demand has driven RAM pricing sky high.

GRC's DNS Benchmark is finished and available.

Cisco may talk a good game, but they're still Cisco.

Browsers to ask users for local network access permission.

React: The worst remote code exploit in a LONG time.

Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!

Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

1password.com/securitynow

veeam.com

bigid.com/securitynow

zscaler.com/security

hoxhunt.com/securitynow

...more

View all episodes

View all episodes

Download on the App Store

Download on the App Store

Get it on Google Play

Total Leo (Video)

By TWiT

3.6

1616 ratings

December 09, 2025

Security Now 1055: React's Perfect 10

Listen Later

A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security.

France's VanityFair face a stiff fine over cookies.

GrapheneOS pulls out of France over coercion worries.

The EU adds to the pile-on over underage social media.

India mandates the tracking of all smartphones.

Apple says no.

India abandons its smartphone tracking mandate.

India requires all encrypted messaging to be SIM-tied.

Scattered Lapsus$ Hunters --becomes--> SLH.

AI demand has driven RAM pricing sky high.

GRC's DNS Benchmark is finished and available.

Cisco may talk a good game, but they're still Cisco.

Browsers to ask users for local network access permission.

React: The worst remote code exploit in a LONG time.

Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!

Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

1password.com/securitynow

veeam.com

bigid.com/securitynow

zscaler.com/security

hoxhunt.com/securitynow

...more