
Critical Cybersecurity Issues Highlighted in Latest Stormcast
In this edition of the Stormcast from December 4, 2025, Johannes Ullrich, reporting from Dallas, Texas, addresses several critical cybersecurity topics with observations and alerts relevant to both professionals and users of modern technologies. The first issue raised is a worrying trend observed in requests captured by the honeypots (decoy systems set up to attract attackers) operated by the SANS Internet Storm Center. These requests carry HTTP headers that mimic the ones added by Content Delivery Networks (CDNs) such as Cloudflare, Fastly, or Akamai. The likely goal of the attackers is to bypass the protections these CDNs provide, since they normally filter malicious traffic and absorb Distributed Denial of Service (DDoS) attacks.
To understand this threat, it is important to know that many websites rely on CDNs to mask their real IP address and benefit from an additional layer of security. However, attackers sometimes manage to discover the origin IP of the server and send requests directly, bypassing the CDN. To counter this technique, some sites verify the presence of specific headers added by the CDN, such as random tokens that are difficult to guess. The problem is that attackers seem to be betting on the fact that these verifications are not always rigorous. Another hypothesis is that these requests could come from services like Cloudflare Warp, a kind of VPN that masks the real origin of attacks, making their tracing more complex.
Another urgent topic covered in this video is a critical vulnerability affecting applications using React, particularly React Server Components. This flaw, discovered the previous weekend, was quickly patched by the React team, but it remains extremely dangerous. Even if an application does not directly use React's server features, simply having React Server Components enabled makes it vulnerable. This includes popular frameworks like Next.js, which has assigned its own CVE identifier to this vulnerability, although it is fundamentally the same flaw. It is a deserialization vulnerability, a class of flaw in which attacker-supplied serialized data is reconstructed into objects in a way that ends up executing attacker-controlled code, potentially allowing an attacker to take control of a system.
Johannes Ullrich emphasizes the urgency of patching this vulnerability immediately. Several allegedly functional exploits have already been published online, although their reliability remains to be verified. Some could even be decoys designed to infect those who execute them. The security company Wiz has confirmed developing a reliable exploit, meaning attackers likely already have the means to exploit it. Given the time elapsed since the discovery of the flaw, it is reasonable to assume that mass scans are underway to identify and compromise vulnerable systems. Administrators must therefore act immediately, prioritizing updates before the weekend, and treating any system that is not patched in time as potentially compromised.
Finally, the video discusses a series of vulnerabilities discovered in PickleScan, a widely used tool for checking the security of artificial intelligence (AI) models before deployment. PickleScan is designed to detect malicious pickle files, Python serialized-object files that can carry instructions to execute code rather than just data or model weights. However, the tool itself had several flaws, including a vulnerability related to ZIP files where an incorrect checksum (CRC) could prevent a complete analysis of the file. As a result, a malicious file could go undetected and be used, exposing the system to attacks. Although an update is available, Johannes Ullrich reminds us that tools of this type are not infallible and that caution is essential in choosing the AI models used.
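A fail-closed archive scanner, added here as an illustration of the failure mode just described and not taken from PickleScan or the Stormcast: every ZIP entry is read through Python's `zipfile`, which raises `BadZipFile` when the stored CRC does not match, and that error is turned into a rejection instead of a skipped entry. Pickle entries are walked with `pickletools.genops`, which decodes opcodes without unpickling, and any `GLOBAL`/`STACK_GLOBAL` import outside an allow-list is reported. The sample archives, the benign and flagged pickles and the CRC-corruption helper are all constructed for the example; the flagged pickle references `collections.OrderedDict`, a harmless global, purely to show that an import is detected.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict


def referenced_globals(data: bytes):
    """Collect every (module, name) a pickle stream would import, without running it.

    GLOBAL carries 'module name' as its operand; STACK_GLOBAL (protocol 4+)
    takes the two most recently pushed strings, which we track approximately.
    Raises ValueError on a truncated or malformed stream.
    """
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                found.add((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def scan_archive(zip_bytes: bytes, allowed_globals=frozenset()):
    """Return ("allow", note) or ("reject", reason).

    Fail closed: an unreadable archive, an entry whose CRC does not verify,
    or a pickle referencing a global outside the allow-list all reject the
    whole artifact. Nothing is ever unpickled.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        return ("reject", f"unreadable archive: {exc}")
    with zf:
        for info in zf.infolist():
            try:
                data = zf.read(info.filename)   # BadZipFile on CRC mismatch
            except zipfile.BadZipFile as exc:
                return ("reject", f"{info.filename}: integrity check failed ({exc})")
            if not info.filename.endswith((".pkl", ".pickle")):
                continue
            try:
                globs = referenced_globals(data)
            except ValueError as exc:
                return ("reject", f"{info.filename}: malformed pickle ({exc})")
            disallowed = globs - set(allowed_globals)
            if disallowed:
                return ("reject", f"{info.filename}: disallowed globals {sorted(disallowed)}")
    return ("allow", "all entries verified, no disallowed globals")


def build_archive(entries: dict) -> bytes:
    """Constructed test archive; ZIP_STORED keeps payload bytes verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def corrupt_stored_payload(zip_bytes: bytes, payload: bytes) -> bytes:
    """Flip one byte of a stored entry's data so its recorded CRC no longer matches."""
    offset = zip_bytes.index(payload)
    flipped = bytes([zip_bytes[offset] ^ 0xFF])
    return zip_bytes[:offset] + flipped + zip_bytes[offset + 1:]


# Constructed samples: plain data, and an object whose pickle imports a global.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})
FLAGGED = pickle.dumps(OrderedDict(), protocol=2)


def demo():
    """Verdict kinds for a clean archive, one with an import, and one with a bad CRC."""
    clean = build_archive({"model.pkl": BENIGN})
    with_import = build_archive({"model.pkl": FLAGGED})
    bad_crc = corrupt_stored_payload(clean, BENIGN)
    return [scan_archive(clean)[0], scan_archive(with_import)[0], scan_archive(bad_crc)[0]]


if __name__ == "__main__":
    print(demo())
```

The third verdict is the point: the clean archive is accepted, but the same archive with a single flipped payload byte is rejected rather than passed through unexamined, which is the opposite of the behaviour the transcript attributes to the vulnerable tool.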
In summary, this edition of the Stormcast highlights current threats and critical vulnerabilities that require immediate action. Whether securing web applications, patching popular frameworks like React, or verifying the security of AI models, vigilance and responsiveness are key. Attackers quickly exploit vulnerabilities as soon as they are made public, so defenders must remain constantly alert to protect their infrastructures.