December showed a slight uptick compared to November. We recorded 89 unique vulnerabilities, up from 81 last month, and remediation efforts resulted in 74 patches. Interestingly, the number of vulnerable applications climbed to 50, reversing November’s sharp drop to 37. While activity didn’t reach October’s peak, December marked a modest rebound in both vulnerabilities and affected applications.

Notable vulnerabilities in December 2025 third-party patches
There are four vulnerabilities with known exploits: CVE-2025-14174, CVE-2025-55182, CVE-2025-14847 and CVE-2025-13223. All are listed in CISA’s Known Exploited Vulnerabilities Catalog.

First, React2Shell (CVE-2025-55182) is a critical vulnerability in the React Server Components (RSC) “Flight” protocol that impacts applications using RSC. An unauthenticated attacker can send a crafted HTTP request to execute code remotely. Any organization using RSC or frameworks that include RSC features, such as Next.js, React Router in RSC mode, Waku, @parcel/rsc, @vitejs/plugin-rsc, or rwsdk, is at risk. The CVSS score for this vulnerability is the maximum of 10, and its EPSS score of 0.505 is quite elevated. Remediating this vulnerability should be the top priority for organizations. Multiple sources have further information on this vulnerability:
CVE-2025-14174 is an out-of-bounds memory access vulnerability in ANGLE (Almost Native Graphics Layer Engine), which is used by Google Chrome and other Chromium-based browsers. With a CVSS score of 8.1, it can be considered high severity given its potential impact. Because it is actively exploited, it should be patched urgently. More information can be found in the Google Releases and Edge release notes.
CVE-2025-13223 is once again a confusion vulnerability in the V8 JavaScript and WebAssembly engine. If you wish to read more about Chromium V8 engine vulnerabilities, please check out my blog from November 2025. As I mentioned, this vulnerability is actively exploited in the wild, meaning it requires your immediate attention. Check Google Releases and CISA for more information.
CVE-2025-14847, also known as MongoBleed, allows an unauthenticated attacker to read uninitialized heap memory by sending malformed compressed packets. The CVSS base score for this vulnerability is 8.7, and its EPSS score is considerably elevated at 0.68. There are over 87,000 vulnerable MongoDB instances identified globally, and a proof-of-concept exploit exists. This vulnerability should be remediated as soon as possible. More information can be found on MongoDB.org and CISA.

Browser security updates in December 2025
Major browsers, including Google Chrome, Microsoft Edge, Brave, Mozilla Firefox (including ESR versions), Opera One, Vivaldi, and others received numerous security updates addressing various vulnerabilities.

| Browser | Vulnerabilities | Updates |
|---|---|---|
| Google Chrome | 18 | 3 |
| Microsoft Edge | 32 | 4 |
| Brave Browser | 18 | 3 |
| Mozilla Firefox | 15 | 2 |
| Mozilla Firefox 115 | 4 | 1 |
| Mozilla Firefox 140 | 10 | 1 |
| Opera One | 1 | 1 |
| Vivaldi | 13 | 1 |
| Waterfox | 10 | 1 |

Microsoft product updates included in December 2025 third-party patches
In addition to Edge, Microsoft issued security updates for several other products:
- Microsoft 365 Apps
- Microsoft Edge for Business
- Microsoft Visio
- Microsoft Project
- Microsoft Edge Beta

Detailed list of December 2025 third-party patches
For a complete list of applications, versions, and the number of remediated vulnerabilities, see the table below generated using Application Workspace data.

| Product Name | Version Name | Vulnerabilities remediated |
|---|---|---|
| Autodesk Revit 2025 | 2025.4.4 | 1 |
| Brave Browser | 1.85.116 | 3 |
| Brave Browser | 1.85.117 | 2 |
| Brave Browser | 1.85.111 | 13 |
| Burp Suite Community Edition | 2025.12.1 | 3 |
| Burp Suite Community Edition | 2025.12.2 | 2 |
| Burp Suite Community Edition | 2025.11.3 | 13 |
| Burp Suite Enterprise Edition | 2025.12 | 13 |
| Burp Suite Professional Edition | 2025.12.1 | 3 |
| Burp Suite Professional Edition | 2025.12.2 | 2 |
| Burp Suite Professional Edition | 2025.11.3 | 13 |
| Chef Workstation for Windows | 25.12.1102 | 12 |
| Coder | 2.28.6 | 1 |
| Coder | 2.27.9 | 1 |
| Coder | 2.29.1 | 1 |
| Docker Desktop | 4.54.0.212467 | 1 |
| Docker Desktop | 4.54.0 | 1 |
| EnterpriseDB Corporation PostgreSQL 14 | 14.20.2 | 2 |
| EnterpriseDB Corporation PostgreSQL 15 | 15.15.2 | 4 |
| EnterpriseDB Corporation PostgreSQL 16 | 16.11.2 | 2 |
| EnterpriseDB Corporation PostgreSQL 17 | 17.7.2 | 2 |
| EnterpriseDB Corporation PostgreSQL 18 | 18.1.2 | 2 |
| Erlang OTP | 28.3.0.0 | 3 |
| Foxit PDF Editor 2025 | 2025.3.0.69570 | 5 |
| Foxit PDF Reader | 2025.3.0.35737 | 5 |
| Google Chrome | 143.0.7499.146 | 2 |
| Google Chrome | 143.0.7499.147 | 2 |
| Google Chrome | 143.0.7499.110 | 3 |
| Google Chrome | 143.0.7499.109 | 3 |
| Google Chrome | 143.0.7499.41 | 13 |
| Google Chrome for Business | 143.0.7499.41 | 13 |
| Google Chrome for Business | 143.0.7499.147 | 2 |
| Google Chrome for Business | 143.0.7499.110 | 3 |
| Google Chrome for Education | 143.0.7499.147 | 2 |
| Google Chrome for Education | 143.0.7499.110 | 3 |
| Google Chrome for Education | 143.0.7499.41 | 13 |
| Google Go Programming Language | 1.24.11 | 2 |
| Google Go Programming Language | 1.25.5 | 2 |
| Headlamp | 0.39.0 | 1 |
| ImageGlass | 9.4.0.1120 | 5 |
| IntelliJ IDEA | 2025.3 | 1 |
| Microsoft 365 Apps | 2511 (Build 16.0.19426.20186) | 13 |
| Microsoft 365 Apps | 2502 (Build 16.0.18526.20672) | 13 |
| Microsoft 365 Apps | 2510 (Build 16.0.19328.20266) | 13 |
| Microsoft Edge Beta | 143.0.3650.66 | 14 |
| Microsoft Edge for Business | 143.0.3650.80 | 3 |
| Microsoft Edge for Business | 143.0.3650.96 | 2 |
| Microsoft Edge for Business | 143.0.3650.75 | 13 |
| Microsoft Edge for Business | 143.0.3650.66 | 14 |
| Microsoft Project | 2511 (Build 16.0.19426.20186) | 13 |
| Microsoft Visio | 2511 (Build 16.0.19426.20186) | 13 |
| MongoDB Community Edition 7.0 | 7.0.28 | 1 |
| MongoDB Enterprise Edition 7.0 | 7.0.28 | 1 |
| Mozilla Firefox | 146.0.1 | 2 |
| Mozilla Firefox | 146.0 | 13 |
| Mozilla Firefox ESR 115 | 115.31.0 | 4 |
| Mozilla Firefox ESR 140 | 140.6.0 | 10 |
| NoMachine | 9.3.7 | 2 |
| NoMachine Enterprise Client | 9.3.7 | 2 |
| NoMachine Enterprise Desktop | 9.3.7 | 2 |
| NoMachine Fonts 100dpi | 9.3.7 | 2 |
| NoMachine Fonts 75dpi | 9.3.7 | 2 |
| NoMachine Fonts Misc | 9.3.7 | 2 |
| NoMachine Fonts Others | 9.3.7 | 2 |
| Opera One | 125.0.5729.12 | 1 |
| pgAdmin 4 | 9.11 | 1 |
| Python 3.13 | 3.13.11 | 1 |
| Python 3.14 | 3.14.2 | 1 |
| Shotcut | 25.12.30 | 1 |
| TeamCity | 2025.11.1 | 2 |
| Vivaldi | 7.7.3851.58 | 13 |
| Waterfox | 6.6.6 | 10 |
| Wireshark | 4.4.12 | 2 |
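
The following Python compares a software inventory against a few rows of the table above and flags installs that are behind the listed versions. It is an added example, not code from the original post; the inventory and host names are constructed, and treating the first two version components as the release line is an assumption.

```python
import re

# Rows copied from the table above: (product, version with remediations).
PATCHED = [
    ("Coder", "2.28.6"), ("Coder", "2.29.1"), ("Google Chrome", "143.0.7499.110"),
    ("Google Chrome", "143.0.7499.147"), ("MongoDB Community Edition 7.0", "7.0.28"),
    ("Microsoft 365 Apps", "2511 (Build 16.0.19426.20186)"),
    ("Microsoft 365 Apps", "2502 (Build 16.0.18526.20672)"),
]
# Constructed inventory (host, product, installed version); not real data.
INVENTORY = [
    ("ws-01", "Google Chrome", "143.0.7499.109"), ("dev-01", "Coder", "2.28.6"),
    ("db-01", "MongoDB Community Edition 7.0", "7.0.26"), ("dev-02", "Coder", "2.26.3"),
    ("ws-03", "Microsoft 365 Apps", "2502 (Build 16.0.18526.20600)"),
]

def parse(version):
    """Return (release_line, tuple); assumes two leading components name the line."""
    m = re.fullmatch(r"(\d+) \(Build ([\d.]+)\)", version)
    if m:  # Microsoft 365 style: the leading number names the release line
        return m.group(1), tuple(int(p) for p in m.group(2).split("."))
    parts = tuple(int(p) for p in version.split("."))
    return ".".join(map(str, parts[:2])), parts

def build_baseline(rows):
    """Highest listed version per product and release line."""
    baseline = {}
    for product, version in rows:
        line, parts = parse(version)
        lines = baseline.setdefault(product, {})
        lines[line] = max(parts, lines.get(line, ()))
    return baseline

def check(inventory, baseline):
    """Flag installs below the listed version, or on a line the table omits."""
    findings = []
    for host, product, version in inventory:
        if product not in baseline:
            continue  # product not in this month's list
        line, parts = parse(version)
        fixed = baseline[product].get(line)
        if fixed is None:  # release line absent from the table
            findings.append((host, product, version, "REVIEW", None))
        elif parts < fixed:
            findings.append((host, product, version, "OUTDATED", fixed))
    return findings

if __name__ == "__main__":
    print(*check(INVENTORY, build_baseline(PATCHED)), sep="\n")
```

A `REVIEW` finding means the installed release line does not appear in this month's table, so the table alone cannot say whether that install is patched.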