
Memberships

AI Creative Builders Hub

99 members • Free

Network Builders

299 members • Free

The AI Advantage

64.5k members • Free

41 contributions to The AI Advantage
🔒 Quick Safety PSA for Anyone With a Public Website/App (Next.js / React)
If you have any public web app (especially something “vibe-coded” and deployed fast), there’s a critical security issue affecting some apps built with Next.js + React Server Components (App Router).

In plain English: in unpatched setups, an attacker may be able to take control of your server without logging in, and potentially access things like API keys, database credentials, and environment variables.

Who should care?

✅ You should care if:
- Your app uses Next.js App Router / React Server Components (common in modern Next.js projects).
- Your app was online and not patched in early December 2025 (active scanning/exploitation has been reported).

❌ You’re likely not affected if:
- You’re on Next.js 13, Next.js 14 stable, or using the Pages Router (older routing style).

✅ What to do (no jargon, 5–15 minutes)

If you’re NOT technical (but you own/operate the app)
1. Message whoever built your site/app today: “Please check if we use Next.js App Router / React Server Components and patch the React2Shell vulnerability.”
2. After patching, ask them to rotate secrets (API keys, DB passwords). Next.js explicitly recommends this if you were online and unpatched around Dec 4, 2025.

If you ARE technical (or you have your repo)
- Follow the official Next.js advisory and upgrade to a patched version + redeploy.
- Easiest path: run the official fixer tool: npx fix-react2shell-next
- Then rotate secrets after redeploying (important).

Extra layer (nice to have, not a substitute for patching)
Some platforms/WAFs have deployed protections (e.g., Cloudflare), but the real fix is still upgrade + redeploy.

Shipping fast is awesome. Shipping safe is the real advantage ✅
0 likes • 7m
@Nicholas Vidal if there is something you would like to add?
It’s been real AI fam

I just got a message saying my posts about AI safety were “battling against AI” and “not useful.” Translation: only talk about the shiny upside or don’t talk at all. Let me be very clear: I’m not anti-AI. I’m anti-blind optimism. You don’t build safe systems by ignoring the uncomfortable questions. You build disasters that way. History has a name for the people who raise concerns early: we call them the ones who were right. If an AI community bans conversation about risk… then it’s not a community learning about AI, it’s a marketing team cheering for it. AI is absolutely the future. But if that future doesn’t include humans staying in command, then congratulations, we just built our own replacement. Positivity doesn’t protect people. Guardrails do. And if talking about guardrails is considered a threat… that should scare everyone a lot more than the post they deleted.

2 likes • 3h
@Nicholas Vidal This is exactly why safety conversations matter. Positivity is a vibe — guardrails are a system. If nuance gets deleted, it’s not learning… it’s marketing. If you’re still up for it, one practical move could be a Beginner → Advanced “Guardrails 101” mini-series: simple steps people can apply (and why they matter), then deeper layers for builders. Doable for you, Nick?
0 likes • 3h
@Alexander Day
Security isn’t built by people who only talk about the positive outcomes.
As someone who has spent years in cybersecurity and risk management, I don’t really have the luxury of pretending everything is fine when it isn’t. My job and my responsibility has always been to look at the threat before it becomes the headline. If pointing out real risks in AI gets labeled as “fear-based,” then maybe the fear isn’t in the message… maybe it’s in how uncomfortable the truth is.

Security isn’t built by people who only talk about the positive outcomes. It’s built by people willing to ask:
- What happens when this fails?
- Who stays accountable?
- How do we shut it off?
- What is the worst-case scenario?

That’s not negativity. That’s due diligence. I will always raise the red flags when I see them, not because I want to scare people, but because I’ve seen what happens when no one does… and that’s truth. AI can transform the world, yes. But transformation without guardrails is how you end up with unrecoverable mistakes. If being direct about the dangers makes some people uncomfortable… that’s a sign the message needs to be heard even louder. Guardians ask the hard questions. It’s literally what keeps people safe.

#GuardianProject #CybersecurityMindset #RiskManagement #HumanFirst
1 like • 9h
@David Darran David.. I get the point, but I don’t agree we’re “powerless.” In practice, guardians don’t stop progress by debating cheerleaders.. we change defaults:
• require threat models / pre-mortems before deployment
• mandate logging + audit trails + ownership (someone is accountable)
• ship kill-switch + rollback plans as non-negotiables
• run red-teaming and abuse testing before release
• set policy that high-risk use cases need gating, not vibes
That’s not “stopping” — it’s steering. The difference between hype and disaster is usually a checklist someone enforced.
1 like • 4h
@David Darran You’re close, yes.. Tools exist and they lower risk a lot. The hard part is adoption + enforcement: incentives, speed-to-market pressure, “who owns the risk,” budgets, and whether leadership makes guardrails non-negotiable. So it’s less “security folks get their act together” and more: make guardrails the default through standards, policy, and accountability — inside teams and across the industry. When that happens, cheerleaders can absolutely keep cheering… because the track is actually safe.
Funny thing about “AI safety” conversations

The fastest way to get a post removed is to talk about the actual risks. Not the fluffy “AI can help you be productive” talk. Not the “10 cool automations for your business” talk. But the uncomfortable truth that if we don’t pay attention, AI will happily outperform us… and then out-prioritize us. Some folks call that “fear-based.” I call it paying attention. Silencing people who raise concerns doesn’t make the concerns go away. It just makes sure we face them later… unprepared. We’re told: “Focus on the positive. Stay constructive.” Cool. But guess what: every guardrail ever built started with someone saying a negative outcome was possible. If we only allow conversations where everyone nods and smiles, then congratulations, we’ve already automated the most dangerous thing of all: Critical thinking. AI doesn’t have to censor us. We’re doing a pretty good job of that ourselves. NIX
put that in your pipe and smoke it

1 like • 9h
@Diane Anne I hear you. But if the space is business-first, then we should be even more careful not to suppress risk discussions.. because beginners will copy what they see modeled.
1 like • 8h
@Diane Anne I get that completely.. deletions wear you down fast. I’ve been there. I’m still here mostly for the newer people who don’t yet see the incentives and end up copying whatever tone gets rewarded. If I can help even a few think clearly and build safely, it’s worth it. But I agree: long-term, the healthiest energy goes where values match.
Max-level security alert for vibe coders and builders
Last week's news but still ongoing. 39% of publicly exposed web apps may be affected, with vibe-coded apps at even higher risk because many rely on default framework setups.

A maximum-severity security flaw has been disclosed in React Server Components and Next.js that can allow unauthenticated attackers to gain full control of a vulnerable server via a single crafted request. In practical terms, this means potential access to your environment variables, secret keys, databases and backend logic.

If you have any public apps: (1) check whether they use Next.js or any framework with server-side components, (2) verify whether your version falls within the affected releases, and (3) upgrade immediately to a patched version and redeploy. Non-vibe-coded apps can be affected as well.

Edit: Hacker activity is massive now, to exploit this vulnerability. If your app has this door wide open, they WILL walk in freely.

Severity: 10.0 (Critical)
Impact: Full system compromise
Target: mass exploitation.

If you're not tech and have vibe-coded an app, read the comment below by @Alya Naters

More info: I can't provide links because they're not allowed in this group, you can google up Security Advisory: CVE-2025-66478.
0 likes • 10h
Diane, thank you for posting this. This is public interest — and exactly the kind of thing that should be pinned, not buried. For the non-tech people reading this, let me break it down simply:

What this means: If you built an app or website using Next.js (a popular tool for building web apps), there’s a security hole that lets hackers walk right in — no password needed. They can see your secret keys, your database, everything.

Why it matters: A lot of ‘vibe-coded’ apps (quick builds, default settings, ship fast) are especially vulnerable — because security wasn’t the priority when building.

What to do: If you have any public app — check what it’s built with. If it’s Next.js, check your version. If it’s affected, upgrade NOW and redeploy.

Why this post matters: This is the unsexy side of building. No one wants to talk about security until something breaks. Diane is doing the work — warning you BEFORE it becomes a headline. Security isn’t paranoia. It’s respect for what you’re building and the people who trust it. More of this, please 🫰
2 likes • 9h
@Diane Anne That is insane! People need to wake up. Security has to be first before anything. Thank you for this 🫰
Alya Naters
6
1,365 points to level up
@alya-naters-2174
Learning fast, building faster. Creative Artist with AI 😉👇

Active 5m ago
Joined Nov 19, 2025