The Recent 0-Days in Node.js and React Were Found by an AI (winfunc.com)

🤖 AI Summary
An AI system has autonomously identified zero-day vulnerabilities in Node.js and React, two significant projects in JavaScript development. Discovered in late 2025 and early 2026, these exploitable flaws have since been assigned CVE identifiers and demanded immediate patches from the respective core teams.

In Node.js, a vulnerability in the Permission Model allowed unauthorized access via Unix Domain Sockets, bypassing the restrictions intended to safeguard against untrusted code execution. The flaw lets attackers interact with local services such as Docker and databases, potentially leading to privilege escalation and data breaches.

In React, a vulnerability in Server Components can be triggered through crafted HTTP requests, resulting in denial of service by causing infinite loops or unbounded memory allocation.

The significance of these discoveries lies in demonstrating that AI can perform comprehensive security research tasks that traditionally require human expertise. By understanding the semantics of the codebase and modeling threats, the system autonomously generated hypotheses, created working exploits, and verified their impact. This is a major advance over conventional static application security testing (SAST) tools, which often rely on predefined vulnerability patterns and lack contextual awareness.

The implications for the AI/ML community are profound: the work illustrates AI's evolving role in cybersecurity, combining code analysis with innovative threat modeling to uncover vulnerabilities that traditional methods had not recognized.