CVSS 10.0 in 24 Hours: How We Respond to World-Breaking Zero Days
- Patrick Duggan
- Dec 4, 2025
- 4 min read
The Hook
December 3rd, 2025. A CVSS 10.0 drops. Maximum severity. Remote code execution. Unauthenticated.
The vulnerable technology? React Server Components. The same React that powers half the internet.
571,249 public servers running React components, per Shodan. 39% of cloud environments carrying a vulnerable version, per Wiz.
24 hours later, DugganUSA was patched. Both services. Zero downtime.
Here's how.
The Vulnerability: CVE-2025-55182
• Codename: React2Shell
• CVSS Score: 10.0 (Maximum)
• Type: Deserialization RCE in React Server Components
What Happened
The React "Flight" protocol - the magic that makes Server Components work - had an insecure deserialization vulnerability. An attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized, achieves arbitrary JavaScript execution on the server.
Default configurations were vulnerable. A standard `create-next-app` build could be exploited with zero code changes. Just a crafted HTTP request.
Affected Versions
| Package | Vulnerable | Fixed |
|---------|-----------|-------|
| react | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| next | Multiple versions | Patched same day |
| react-router | Affected | Patched |
| waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk | Affected | Check updates |
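To make the assessment step concrete, here is an added example (editor's code, not code from the original post, from DugganUSA, or from the React team) that reads a `package-lock.json` and grades every installed copy of `react` and `react-dom` against the fixed versions in the table above, nested duplicates included. Checking `react` and `react-dom` follows this post's own `npm update react react-dom` remediation; reporting any `react-server-dom-*` package as "RSC is present" is this example's assumption, not something the advisory text above states in those terms, and the sample lockfile is constructed for the demo.

```javascript
// Added example (editor's code, not from the original post or from DugganUSA):
// grade every installed copy of react / react-dom in a package-lock.json
// against the fixed versions in the table above.
// Assumption flagged here: any package named react-server-dom-* is reported as
// "rsc-present" (it carries the Flight protocol implementation), which the
// advisory text above does not state in those terms.

const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 }; // minor line -> first safe patch
const CORE_PACKAGES = new Set(["react", "react-dom"]);     // what `npm update react react-dom` touches

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// "vulnerable" | "fixed" | "unaffected" | "review".
// "review" means the version string alone cannot settle it: unparseable,
// a canary/prerelease build, or a minor line the table does not cover.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "review";
  if (p.major < 19) return "unaffected";           // the table lists only 19.x
  const line = `${p.major}.${p.minor}`;
  if (!(line in FIXED_PATCH)) return "review";      // 19.3.x, 20.x: consult the advisory
  if (p.pre) return "review";                       // 19.2.0-canary-...: don't guess
  return p.patch >= FIXED_PATCH[line] ? "fixed" : "vulnerable";
}

// Package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Walk every installed copy, including nested duplicates that a root-level
// `npm update` can leave untouched, and return one finding per hit.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = nameFromPath(key);
    if (CORE_PACKAGES.has(name)) {
      findings.push({ path: key, name, version: entry.version, status: classify(entry.version) });
    } else if (name.startsWith("react-server-dom-")) {
      findings.push({ path: key, name, version: entry.version, status: "rsc-present" });
    }
  }
  return findings;
}

// True when nothing is left to patch: no "vulnerable" copy and nothing needing review.
function isClean(findings) {
  return findings.every((f) => f.status !== "vulnerable" && f.status !== "review");
}

// Read a real lockfile from disk (lockfileVersion 2 or 3, which both carry "packages").
function auditFile(path) {
  const fs = require("node:fs");
  return auditLockfile(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample lockfile for the demo, not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dashboard" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.1.1" },
    "node_modules/react-router": { version: "7.1.0" },
  },
};

if (typeof module !== "undefined") {
  module.exports = { classify, auditLockfile, auditFile, isClean, SAMPLE_LOCK };
}
```

The same check doubles as the verification step after a deploy: run `auditFile("package-lock.json")` against the lockfile that went into the image and require `isClean()` before calling the incident closed. The sample deliberately carries a root `react` at 19.2.1 next to a nested 19.1.1 copy under `legacy-widget`, which is exactly the case a quick `npm update react react-dom` can miss.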
Scale of Impact
• 571,249 public servers using React components (Shodan)
• 444,043 public servers using Next.js
• 39% of cloud environments vulnerable (Wiz data)
This wasn't a niche vulnerability. This was "holy shit, the internet is on fire."
Our Response Timeline
| Time | Event |
|------|-------|
| Dec 3, ~10:00 UTC | CVE-2025-55182 publicly disclosed |
| Dec 3, afternoon | Patrick patches security-dashboard (DRONE) |
| Dec 4, 09:30 CST | Claude patches analytics-dashboard (BRAIN) |
| Dec 4, 09:30 CST | `npm update react react-dom` (6 seconds) |
| Dec 4, 09:31 CST | Build complete (2.83 seconds) |
| Dec 4, 09:31 CST | Docker image pushed (7.6 seconds) |
| Dec 4, 09:32 CST | Azure deployment complete |
| Total | < 24 hours from disclosure |
While 39% of cloud environments remained vulnerable, we were done.
Why We Were Fast
1. Architecture Matters
Our dashboard uses Vite + client-side React. No React Server Components. No Server Functions. The vulnerability technically didn't affect us in production.
But we patched anyway. Why?
• Defense in depth
• Dependency scanning flags "vulnerable version"
• SOC2 auditors don't care about "technically not affected"
• Future code might add RSC
Lesson: Patch even when you think you're not affected.
2. Automated Dependency Monitoring
We run Dependabot on everything. When an advisory lands in the GitHub Advisory Database, Dependabot raises an alert and opens the bump PR, our daily security reports flag it, and Judge Dredd blocks deploys of known-vulnerable code.
3. Simple Infrastructure
Two services. Both containerized. Both deployed via `./build-and-push.sh`. No complex rollout strategies. No change advisory boards. No 47-person approval chains.
```bash
npm update react react-dom   # 6 seconds
npm run build                # 2.83 seconds
./build-and-push.sh          # 7.6 seconds
az containerapp update       # 30 seconds
```
Total technical work: under 1 minute.
4. Human + AI Partnership
Patrick patched DRONE. Claude patched BRAIN. In parallel. No coordination meeting required.
This is the Butterbot model: human decides strategy, AI executes at machine speed.
The Industry Response
The Good
• Cloudflare: WAF rules deployed same day, all customers protected automatically
• Akamai: Adaptive Security Engine rules deployed same day
• React team: Patch released same day as disclosure
The Concerning
Per Wiz: 39% of cloud environments still vulnerable as of December 4th.
That's not a technology problem. That's an organizational problem. Somewhere, a change management process is blocking a one-line dependency update while attackers are crafting exploits.
What This Means for Your Organization
If You're Still Vulnerable
1. Stop reading this blog post
2. Run `npm update react react-dom` (if package.json pins an exact 19.x version, set it to 19.0.1, 19.1.2 or 19.2.1 instead: `npm update` only moves within the range you declared; then `npm ls react react-dom` to confirm no nested copy is still on an old version)
3. Deploy
4. Come back and finish reading
Seriously. Go. Now.
If You're Behind Cloudflare/Akamai WAF
You're protected at the edge, but patch anyway. WAF rules are a band-aid, not a cure. WAF bypass techniques exist. Defense in depth.
If You "Don't Use Server Components"
Audit your codebase. Are you sure? Did a junior dev add one "use server" directive you don't know about? Did a dependency add RSC support?
When in doubt, patch.
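Auditing for a stray directive is mostly a grep, but a plain grep will also match the `"use server"` sitting in a comment or a string and stall the review on false positives. The following is an added example (editor's code, not code from the original post or from DugganUSA) that strips comments first, then reports each real directive prologue with its file, line and whether it is module-level or opens a function body. The sample files are constructed for the demo; the `scanTree` helper and its file-extension filter are this example's choices, not anything the post describes.

```javascript
// Added example (editor's code, not from the original post or from DugganUSA):
// find "use server" directive prologues in source files while ignoring copies
// that live inside comments, so the audit neither misses a real one nor stops
// on a false positive. Files below are constructed for the demo.

// Remove // and /* */ comments but leave string and template literals intact,
// so a "//" inside a URL string does not eat the rest of the line. Newlines are
// preserved so reported line numbers stay correct. Known limitation: regex
// literals containing quotes or slashes are not understood.
function stripComments(src) {
  let out = "";
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    const d = src[i + 1];
    if (c === "/" && d === "/") {
      while (i < n && src[i] !== "\n") i++;               // drop to end of line, keep the newline
    } else if (c === "/" && d === "*") {
      const end = src.indexOf("*/", i + 2);
      const stop = end === -1 ? n : end + 2;
      for (; i < stop; i++) if (src[i] === "\n") out += "\n";
    } else if (c === '"' || c === "'" || c === "`") {
      out += c;
      i++;
      while (i < n && src[i] !== c) {                      // copy the literal verbatim
        if (src[i] === "\\" && i + 1 < n) out += src[i++]; // keep escape + escaped char
        out += src[i++];
      }
      if (i < n) out += src[i++];                          // closing quote
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// A directive is a statement consisting of just the string literal, optionally
// followed by a semicolon. Both quote styles count.
const DIRECTIVE = /^\s*(["'])use server\1\s*;?\s*$/;

// Returns [{ file, line, scope }] with scope "module" when the directive is the
// first statement in the file (the whole file is server code) and "function"
// when it opens a function body (an inline Server Function).
function findUseServer(files) {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    let seenCode = false;
    stripComments(src).split("\n").forEach((text, idx) => {
      if (DIRECTIVE.test(text)) {
        hits.push({ file, line: idx + 1, scope: seenCode ? "function" : "module" });
      } else if (text.trim() !== "") {
        seenCode = true;
      }
    });
  }
  return hits;
}

// Walk a tree on disk and feed JS/TS sources to the scanner. Pass
// { includeDeps: true } to look inside node_modules too, which is how you
// answer "did a dependency add RSC support?" rather than trusting its README.
function scanTree(root, opts = {}) {
  const fs = require("node:fs");
  const path = require("node:path");
  const files = {};
  (function walk(dir) {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, ent.name);
      if (ent.isDirectory()) {
        if (ent.name === ".git") continue;
        if (ent.name === "node_modules" && !opts.includeDeps) continue;
        walk(p);
      } else if (/\.(jsx?|tsx?|mjs|cjs)$/.test(ent.name)) {
        files[p] = fs.readFileSync(p, "utf8");
      }
    }
  })(root);
  return findUseServer(files);
}

// Constructed sample files: a module-level directive, a function-level one, and
// a file that only mentions the directive in comments and inside a string.
const SAMPLE_FILES = {
  "app/actions.ts": [
    '"use server";',
    "",
    "export async function save(data: FormData) {",
    "  return db.insert(data);",
    "}",
  ].join("\n"),
  "components/Form.tsx": [
    "export function Form() {",
    "  async function submit(formData) {",
    "    'use server'",
    "    await save(formData);",
    "  }",
    "  return <form action={submit} />;",
    "}",
  ].join("\n"),
  "lib/notes.js": [
    '// TODO: maybe add "use server" later',
    "const docs = \"http://example.invalid/'use server'\";",
    '/* "use server" */',
    "export const x = 1;",
  ].join("\n"),
};
```

On the sample, `findUseServer(SAMPLE_FILES)` reports two hits, `app/actions.ts:1` (module) and `components/Form.tsx:3` (function), and nothing for `lib/notes.js`. Any hit at all means the app exposes a Server Function endpoint and is in the blast radius of this CVE regardless of what the architecture diagram says; no hits, with `includeDeps: true`, is the evidence you want before saying "we don't use Server Components".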
Process Beats Panic
This wasn't luck. This was process:
1. Monitoring: Know when CVEs drop (Dependabot, NVD feeds, security blogs)
2. Assessment: Quickly determine if you're affected (< 5 minutes)
3. Remediation: Simple deployment pipeline (< 5 minutes)
4. Verification: Confirm patch applied (< 1 minute)
Total time: Under 15 minutes of human attention.
Compare that to the typical enterprise path:
• Security team has to file a ticket
• Dev team has to prioritize the ticket
• Change management reviews the change
• QA runs a full regression suite
• Release management schedules a window
• ...3 weeks later, still vulnerable
The Uncomfortable Truth
Speed is a security control.
Every hour you're not patched is an hour attackers have to develop exploits, scan for targets, and compromise systems.
A "thorough" 3-week patch cycle isn't thorough. It's a 3-week window of exposure.
For CVSS 10.0? That's unacceptable.
Our Security Posture
| Metric | Value |
|--------|-------|
| React version | 19.2.1 (patched) |
| Time to patch | < 24 hours |
| Downtime | Zero |
| Services affected | 0 (but patched anyway) |
| WAF protection | Cloudflare (additional layer) |
Resources
• [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
• [Cloudflare WAF Response](https://blog.cloudflare.com/waf-rules-react-vulnerability/)
• [Wiz Technical Analysis](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
• [The Register Coverage](https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/)
Final Thought
The question isn't "How do we respond to zero days?"
The question is "How do we build an organization where responding to zero days in 24 hours is boring and routine?"
Because that's what security looks like at scale.
*DugganUSA: Patched before breakfast.*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]