Overview

Google Chrome contains a high-severity use-after-free (UAF) vulnerability in its digital credentials component. A use-after-free occurs when a program keeps using memory after it has been freed; here the bug is in the code that handles digital credentials. This flaw could allow a remote attacker who has compromised the renderer process to exploit heap corruption via a crafted HTML page.

  • CVE-2025-13633: Google Chrome Digital Credentials Vulnerability (CVSSv3 8.8). Affected Versions: Prior to 143.0.7499.41

 

React and Next.js are popular frameworks used to build modern web applications. React is used to build the front end of websites, and Next.js provides many features that React alone doesn't include. A critical vulnerability, known as React2Shell, affects React Server Components and Next.js. It enables unauthenticated remote code execution in default Next.js apps and is actively exploited in the wild.

  • CVE-2025-55182: React2Shell Remote Code Execution (CVSSv3 10).
    • Affected Versions: React Server Components 19.0.0, 19.1.0, 19.1.1, 19.2.0; packages include react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
    • Other impacted platforms: Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, RedwoodSDK
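
A lockfile check for the packages and versions listed above, as an added example that is not part of the original advisory: it flags `react-server-dom-*` entries at an affected version and reports the other listed platforms for manual review, since no version ranges are given for them here. The npm names `next`, `react-router` and `waku`, the function names and the sample lockfile are assumptions; RedwoodSDK is left out because no package name is given.

```javascript
// Added example: package names and versions are the ones listed in this advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack",
]);
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// "Other impacted platforms" carry no version range here, so they are flagged
// for manual review only. npm names for Next.js, React Router and Waku are assumed.
const REVIEW_PACKAGES = new Set(["next", "react-router", "waku", "@parcel/rsc", "@vitejs/plugin-rsc"]);
const NM = "node_modules/";

function classify(name, version) {
  if (RSC_PACKAGES.has(name) && RSC_AFFECTED.has(version)) return "affected";
  return REVIEW_PACKAGES.has(name) ? "review" : null;
}

function scanLockfile(lock) {
  const findings = [];
  const record = (name, version, path) => {
    const status = classify(name, version);
    if (status) findings.push({ status, name, version, path });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; name follows the last "node_modules/".
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(NM);
      if (i !== -1) record(path.slice(i + NM.length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}${NM}${name}`;
        record(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/demo-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  "node_modules/react-server-dom-parcel": { version: "0.0.0-constructed" },
  "node_modules/@vitejs/plugin-rsc": { version: "0.0.0-constructed" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

An empty result only means none of the listed package versions appear in the lockfile; frameworks that bundle their own copy of the server components code still need to be checked against their vendor advisory.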

 

Microsoft Windows has a vulnerability that allows attackers to execute arbitrary code when a user opens a malicious .LNK file or visits a crafted page. Hazardous content can be hidden from the user interface, making it difficult for users to detect malicious files.

  • CVE-2025-9491: Microsoft Windows LNK File UI Misrepresentation (CVSSv3 7.8). Affected Versions: Windows 11 23H2 (Version 10.0.22631.4169 for x64)

 

Android has two actively exploited vulnerabilities in its framework component. These flaws enable attackers to access sensitive data and gain elevated permissions, potentially allowing installation of malicious apps or modification of system settings without user consent.

  • CVE-2025-48633: Information disclosure (CVSSv3: High). Affected Versions: Android 13, 14, 15, 16.
  • CVE-2025-48572: Privilege Escalation (CVSSv3: High). Affected Versions: Android 13, 14, 15, 16.

 

Recommended Action

Organisations and individuals are strongly advised to review the appropriate security advisory pages and apply the relevant patches or mitigations:
