This Month in Cybersecurity - December 2025

The December 2025 edition of This Month in Cybersecurity is here, featuring curated highlights and concise summaries of the month's most significant cybersecurity and data privacy events.
Let’s dive in!

Maximum Severity ‘React2Shell’ Vulnerability Allows Unauthenticated Remote Code Execution in React and Next.js Applications

A maximum severity vulnerability, dubbed ‘React2Shell’, exists within the React Server Components (RSC) ‘Flight’ protocol used by both React and Next.js, allowing an unauthenticated remote attacker to achieve remote code execution (RCE) on affected servers. The flaw is an insecure deserialization issue that can be exploited by sending a specially crafted HTTP request to RSC endpoints, and researchers warn that the vulnerability is easy to exploit and present in the default configuration of widely used packages. Given the widespread adoption of both React and Next.js, developers are strongly advised to immediately apply the security patches available in React versions 19.0.1, 19.1.2, and 19.2.1 and in various Next.js 15.x and 16.x releases to mitigate the high risk.

Date: Dec 4, 2025
Source: Bleeping Computer
Author: Bill Toulas
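
The practical follow-up to an advisory like this is confirming which React builds are actually installed, including nested copies pulled in by other dependencies. The following Node.js script is an added example (not code from the article or from the React or Next.js projects): it walks a constructed package-lock.json and compares every installed `react` against the patched releases the article names for its minor line. The article does not list the exact fixed Next.js releases, so `next` entries are only surfaced for manual review against the vendor advisory rather than classified.

```javascript
'use strict';

// Patched React releases named in the article, keyed by minor line.
// Minor lines not listed here are reported as 'unknown' rather than guessed.
const REACT_PATCHED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix ignored) into integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Classify an installed React version against the table above:
//   'patched'    at or above the fixed release for its minor line
//   'vulnerable' below the fixed release for a listed minor line
//   'unknown'    a minor line the article does not cover; check the advisory
function classifyReact(version) {
  const [major, minor] = parseVersion(version);
  const fixed = REACT_PATCHED[`${major}.${minor}`];
  if (!fixed) return 'unknown';
  return compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// collect every installed copy of react and next, nested node_modules included.
function auditLock(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === 'react') {
      findings.push({ path, name, version: meta.version, status: classifyReact(meta.version) });
    } else if (name === 'next') {
      findings.push({ path, name, version: meta.version, status: 'review' });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project, not from any real repository).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/next': { version: '15.5.0' },
    'node_modules/some-lib/node_modules/react': { version: '19.1.2' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-copy handling matters here: a top-level `react` at a fixed release says nothing about a second copy hoisted under another dependency, and the RSC endpoint that matters is whichever copy the server bundle actually loads.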

ENISA Report Reveals Cybersecurity Investment Shifts to Technology Amidst Deepening Cyber Talent Shortages and NIS2 Implementation Challenges in the EU

The sixth annual ENISA NIS Investments report, based on a survey of over 1,000 EU organizations, highlights a major shift in cybersecurity investment: while total spending remains steady, funds are increasingly directed toward technology and outsourcing rather than hiring internal teams, intensifying the persisting cyber talent crunch (76% struggle to attract staff). Although compliance is the primary driver of investment, the new NIS2 Directive presents significant implementation challenges, particularly in critical areas like timely patching (50%), ensuring business continuity (49%), and managing supply-chain risk (37%). Furthermore, the report finds many organizations, especially SMEs, struggle with security basics, with almost a third not conducting annual assessments, even as ransomware and supply-chain attacks remain top future concerns.

Date: Dec 8, 2025
Source: ENISA
Author: ENISA

Google Implements Layered Security Features, Including ‘User Alignment Critic’ and ‘Agent Origin Sets’, to Shield Chrome’s Agentic AI from Indirect Prompt Injection Attacks

Following the integration of agentic AI capabilities (Gemini) into Chrome, Google has introduced several layered defenses to mitigate the severe risk of indirect prompt injection attacks, where malicious content embedded on a webpage can exploit the AI agent. Key features include the User Alignment Critic, a secondary, isolated model that independently reviews and vetoes any proposed agent actions deemed misaligned with the user’s explicit goal, and Agent Origin Sets, which restrict the agent’s data access only to relevant or user-shared websites to prevent cross-origin data exfiltration. These mechanisms, along with enhanced transparency, user-approval requests for sensitive actions, and a prompt-injection classifier, are designed to create a secure, trusted-model architecture against a persistent class of AI vulnerability, with Google offering up to $20,000 for successful security boundary breaches.

Date: Dec 9, 2025
Source: The Hacker News
Author: Ravie Lakshmanan

Europol’s Operation GRIMM: 193 Arrested in Crackdown on ‘Violence-as-a-Service’

Europol’s Operational Taskforce (OTF) GRIMM has arrested 193 people in its crackdown on “violence-as-a-service” (VaaS). This trend involves criminal networks recruiting young, often inexperienced individuals via social media to commit acts ranging from intimidation to murder. Originally a growing issue in Sweden, VaaS has spread across Europe, prompting a collaborative response from 11 countries. The taskforce has successfully targeted perpetrators, recruiters, and high-value targets, preventing multiple violent crimes across Germany, the Netherlands, and Spain. Future efforts will focus on disrupting online recruitment through closer cooperation with tech companies.

Date: Dec 8, 2025
Source: Europol
Author: Europol

New GhostPoster Attack Leverages PNG Icon to Infect 50,000 Firefox Users

A new malware campaign dubbed “GhostPoster” has infected approximately 50,000 Firefox users through at least 17 malicious browser extensions, such as “Free VPN Forever.” The attack utilizes steganography to hide malicious payloads within PNG icon files, allowing it to bypass standard security scanners. Once installed, the malware uses custom decryption routines and delayed triggers to execute in-memory attacks that strip security headers, hijack user traffic for affiliate fraud, and enable remote command execution.

Date: Dec 17, 2025
Source: Cybersecurity News
Author: Tushar Subhra Dutta
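
A payload hidden inside an image file survives scanners that only look at the script files of an extension, so one useful triage step is to inspect the images themselves. The Node.js script below is an added example (not the campaign's code and not taken from the article): it walks the chunk structure of a PNG and flags two structural anomalies a clean icon never shows, bytes appended after the IEND chunk and chunk types outside the PNG specification's standard set. It is a generic structural check, not a detector for this specific campaign: true pixel-level steganography leaves the chunk structure intact and would need statistical analysis of the image data, and CRCs are deliberately not validated so that a corrupted-but-benign file is not mistaken for a malicious one. The sample files are constructed inline.

```javascript
'use strict';

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Chunk types defined by the PNG specification (critical and ancillary).
const STANDARD_CHUNKS = new Set([
  'IHDR', 'PLTE', 'IDAT', 'IEND',
  'tRNS', 'cHRM', 'gAMA', 'iCCP', 'sBIT', 'sRGB',
  'tEXt', 'zTXt', 'iTXt', 'bKGD', 'hIST', 'pHYs', 'sPLT', 'tIME',
]);

// Walk the chunk list of a PNG buffer and return a structural report.
function inspectPng(buf) {
  const report = { validSignature: false, chunks: [], nonStandardChunks: [], trailingBytes: 0, truncated: false };
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return report;
  report.validSignature = true;

  let off = 8;
  while (off + 8 <= buf.length) {
    const len = buf.readUInt32BE(off);               // 4-byte data length
    const type = buf.toString('latin1', off + 4, off + 8); // 4-byte chunk type
    const end = off + 12 + len;                      // length + type + data + CRC
    if (end > buf.length) { report.truncated = true; break; }
    report.chunks.push({ type, length: len });
    if (!STANDARD_CHUNKS.has(type)) report.nonStandardChunks.push(type);
    off = end;
    if (type === 'IEND') {                           // anything after IEND is not image data
      report.trailingBytes = buf.length - off;
      break;
    }
  }
  return report;
}

// Turn a report into human-readable findings; an empty list means nothing odd.
function findings(report) {
  const out = [];
  if (!report.validSignature) out.push('not a PNG (bad signature)');
  if (report.truncated) out.push('truncated chunk (file cut short or bogus length)');
  if (report.trailingBytes > 0) out.push(`${report.trailingBytes} bytes appended after IEND`);
  for (const t of report.nonStandardChunks) out.push(`non-standard chunk type "${t}"`);
  return out;
}

// --- Constructed sample files (not real icons) -------------------------------

// Build a chunk with the CRC field zeroed: this inspector does not validate CRCs.
function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  return Buffer.concat([len, Buffer.from(type, 'latin1'), data, Buffer.alloc(4)]);
}

const IHDR = Buffer.alloc(13);     // 1x1 pixel, 8-bit RGBA
IHDR.writeUInt32BE(1, 0);
IHDR.writeUInt32BE(1, 4);
IHDR[8] = 8;
IHDR[9] = 6;
const IDAT = Buffer.from([0x78, 0x9c, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01]);

const CLEAN_PNG = Buffer.concat([PNG_SIG, chunk('IHDR', IHDR), chunk('IDAT', IDAT), chunk('IEND', Buffer.alloc(0))]);

// Same image with a private chunk inserted and 64 bytes appended after IEND.
const SUSPICIOUS_PNG = Buffer.concat([
  PNG_SIG,
  chunk('IHDR', IHDR),
  chunk('prVt', Buffer.from('constructed-private-chunk-data')),
  chunk('IDAT', IDAT),
  chunk('IEND', Buffer.alloc(0)),
  Buffer.alloc(64, 0x41),
]);

for (const [label, file] of [['clean', CLEAN_PNG], ['suspicious', SUSPICIOUS_PNG]]) {
  const f = findings(inspectPng(file));
  console.log(`${label}: ${f.length ? f.join('; ') : 'no structural anomalies'}`);
}
```

Run over an extension's bundled icons (the files are plain PNGs inside the extension's zip/xpi), this gives a fast first pass: any hit is worth a closer look, but a clean result does not rule out payloads hidden in the pixel data itself.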

That’s a wrap! 🎄 We’d love to hear your thoughts. Don’t hesitate to share any comments or additional news we might have missed in the Passbolt community forum. Happy Holidays! ✨