What are the AI Vulnerabilities We Need to Worry About

Episode Summary

Timothy De Block sits down with Keith Hoodlet, Security Researcher and founder of Securing.dev, to navigate the chaotic and rapidly evolving landscape of AI security.

They discuss why "learning" is the only vital skill left in security, how Large Language Models (LLMs) actually work (and how to break them), and the terrifying rise of AI Agents that can access your email and bank accounts. Keith explains the difference between inherent AI vulnerabilities—like model inversion—and the reckless implementation of AI agents that leads to "free DoorDash" exploits. They also dive into the existential risks of disinformation, where bots manipulate human outrage and poison the very data future models will train on.

Key Topics

  • Learning in the AI Era:

    • The "Zero to Hero" approach: How Keith uses tools like Claude to generate comprehensive learning plans and documentation for his team.

    • Why accessible tools like YouTube and AI make learning technical concepts easier than ever.

  • Understanding the "Black Box":

    • How LLMs Work: Keith breaks down LLMs as a "four-dimensional array of numbers" (weights) where words are converted into tokens and calculated against training data. * Open Weights: The ability for users to manipulate these weights to reinforce specific data (e.g., European history vs. Asian Pacific history).

  • AI Vulnerabilities vs. Attacks:

    • Prompt Injection: "Social engineering" the chatbot to perform unintended actions.

    • Membership Inference: Determining if specific data (like yours) is in a training set, which has massive implications for GDPR and the "right to be forgotten".

    • Model Inversion: Stealing weights and training data. Keith cites speculation that Chinese espionage used this technique to "shortcut" their own model training using US labs' data.

    • Evasion Attacks: A technique rather than a vulnerability. Example: Jason Haddix bypassing filters to generate an image of Donald Duck smoking a cigar by describing the attributes rather than naming the character.

  • The "Agent" Threat:

    • Running with Katanas: Giving AI agents access to browsers, file systems (~/.ssh), and payment methods is a massive security risk.

    • The DoorDash Exploit: A real-world example where a user tricked a friend's email-connected AI bot into ordering them free lunch for a week.

  • Supply Chain & Disinformation:

    • Hallucination Squatting: AI generating code that pulls from non-existent packages, which attackers can then register to inject malware.

    • The Cracker Barrel Outrage: How a bot-driven disinformation campaign manufactured fake outrage over a logo change, fooling a major company and the news media.

    • Data Poisoning: The "Russian Pravda network" seeding false information to shape the training data of future US models.

Memorable Quotes

  • "It’s like we’re running with... not just scissors, we’re running with katanas. And the ground that we're on is constantly changing underneath our feet." — Keith Hoodlet

  • "We never should have taught runes to sand and allowed it to think." — Keith Hoodlet

  • "The biggest bombshell here is that we are the vulnerability. Because we're going to get manipulated by AI in some form or fashion." — Timothy De Block

Resources Mentioned

Books:

Videos & Articles:

About the Guest

Keith Hoodlet is a Security Researcher at Trail of Bits and the creator of Securing.dev. A self-described "technologist who wants to move to the woods," Keith specializes in application security, threat modeling, and deciphering the complex intersection of code and human behavior.

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn][YouTube]

What is React2Shell (CVE-2025-55182)?

Summary:

Frank M. Catucci and Timothy De Block dive into a critical, high-impact remote code execution (RCE) vulnerability affecting React Server Components and popular frameworks like Next.js, a flaw widely being referred to as React2Shell.

They discuss the severity, the rapid weaponization by botnets and state actors, and the long-term struggle organizations face in patching this class of vulnerability.

The Next Log4j? React2Shell (CVE-2025-55182)

  • Critical Severity: The vulnerability, tracked as CVE-2025-55182 (and sometimes including the Next.js version, CVE-2025-66478, which was merged into it), carries a maximum CVSS score of 10.0.

  • The Flaw: The issue is an unauthenticated remote code execution (RCE) vulnerability stemming from insecure deserialization in the React Server Components (RSC) "Flight" protocol. This allows an attacker to execute arbitrary, privileged JavaScript code on the server simply by sending a specially crafted HTTP request.

  • Widespread Impact: The vulnerability affects React 19.x and other popular frameworks that bundle the react-server implementation, most notably Next.js (versions 15.x and 16.x using the App Router). It is exploitable in default configurations.

  • Rapid Weaponization: The speed of weaponization is "off the chain". Within a day of public disclosure, malicious payloads were observed, with activities including:

    • Deployment of Marai botnets.

    • Installation of cryptomining malware (XMRig).

    • Deployment of various backdoors and reverse shells (e.g., SNOWLIGHT, COMPOOD, PeerBlight).

    • Attacks by China-nexus threat groups (Earth Lamia and Jackpot Panda).

The Long-Term Problem and Defense

  • Vulnerability Management Challenge: The core problem is identifying where these vulnerable components are running in a "ridiculous ecosystem". This is not just a problem for proprietary web apps, but for any IoT devices or camera systems that may be running React.

  • The Shadow of Log4j: Frank notes that the fallout from this vulnerability is expected to be similar to Log4j, requiring multiple iterative patches over time (Log4j required around five versions).

    • Many organizations have not learned their lesson from Log4j.

    • Because the issue can be three or four layers deep in open-source packages, getting a full fix requires a cascade of patches from dependent projects.

  • Mitigation is Complex: Patches should be applied immediately, but organizations must also consider third-party vendors and internal systems.

    • Post-Exploitation: Assume breach. If the vulnerability was exposed, it is a best practice to rotate all secrets, API keys, and credentials that the affected server had access to.

    • WAF as a Band-Aid: A Web Application Firewall (WAF) can be a mitigating control, but blindly installing one over a critical application is ill-advised as it can break essential functionality.

  • The Business Battle: Security teams often face the "age-old kind of battle" of whether to fix a critical vulnerability with a potential break/fix risk or stay open for business. Highly regulated industries, even with a CISA KEV listing, may still slow patching due to mandatory change control and liability for monetary loss if systems go down.

The Supply Chain and DDoS Threat

  • Nation-State & Persistence: State actors like those from China will sit on compromised access for long periods, establishing multiple layers of backdoors and obfuscated persistence mechanisms before an active strike.

  • Botnet Proliferation: The vulnerability is being used to rapidly create new botnets for massive Denial of Service (DoS) attacks.

    • DoS attack sizes are reaching terabits per second.

    • DDoS attacks are so large that some security vendors have had to drop clients to protect their remaining customers.

  • Supply Chain Security: The vulnerability highlights the urgent need for investment in Software Bill of Materials (SBOMs) and Application Security Posture Management (ASPM)/Application Security Risk Management (ASRM) solutions.

    • This includes looking beyond web servers to embedded systems, medical devices, and auto software.

    • Legislation is in progress to mandate that vendors cannot ship vulnerable software and to track these components.

Actionable Recommendations

  • Immediate Patching: This is the only definitive mitigation. Upgrade to the patched versions immediately, prioritizing internet-facing services.

  • Visibility Tools: Use tools for SBOMs, ASPM, or ASRM to accurately query your entire ecosystem for affected versions of React and related frameworks.

  • Testing: Run benign proof-of-concept code to test for the vulnerability on your network. Examples include simple commands like whoami. (Note: Always use trusted, non-malicious payloads for internal testing.)

  • Monitor CISA KEV: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

  • Research: Look for IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures) associated with post-exploitation to hunt for pervasive access and backdoors.

Resources

China-nexus cyber threat groups rapidly exploit React2Shell ... - AWS, accessed December 12, 2025, https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn][YouTube]