Open-source vulnerabilities & why you should care
Why you should care
Vulnerabilities happen all the time, and they are always a risk to both individual users and entire global infrastructures.
According to this report by DeepStrike, over 130 new exploits are found each day, with an estimated 50,000 expected for 2025 alone.
A significant portion of them are already rated, or expected to be rated, high priority.
As for the risk itself, the World Economic Forum reports that: “49% of public-sector organizations [indicate] they lack the necessary talent to meet their cybersecurity goals – an increase of 33% from 2024.”
While one of the biggest benefits of open-source is that its code can always be audited — reducing the risk of malicious intent in that sense — it also leaves you fully exposed when vulnerabilities emerge.
In fact, vulnerabilities are at the top of both OWASP and Sprinto’s assessments of open-source software risks.
Want more dire news?
Again from the OWASP article:
- “89% of codebases contain OSS that is more than 4 years out of date”
- “91% of codebases contain components that have had no new development in over two years”
Here’s why we’re talking about this.
What happened?
What’s React2Shell?
Around November 29th, a security researcher named Lachlan Davidson discovered a vulnerability in the React Server Components protocol.
This was reported to Meta, who patched it the same day.
It was made public on December 3rd.
This vulnerability is so severe that a malicious actor can run any code they wish on your server (known as remote code execution).
They can:
- Take ownership of your servers
- Gain access to the entirety of your sensitive data
- Perform operations as if they were you
- Delete or encrypt your data, demanding ransom
- Mine crypto
All without being caught; all while surviving restarts.
All it took was one message — from anywhere.
And boom. Full control.
For this reason, the vulnerability received a CVSS score of 10.0 — the absolute highest, reserved only for the most severe vulnerabilities.
This vulnerability’s tracking number is “CVE-2025-55182,” but it quickly came to be known as React2Shell.
At this moment, there are many, many servers still vulnerable.
According to The Shadowserver Foundation, there may be over 640,000 domains still at risk as of December 9th.
How can open-source developers stay ahead of threats?
Really, you have four options.
I. Tackle things yourself.
To make this work, you need to stay vigilant at all times and patch everything personally.
That comes with significant risks.
As you’re just one person, you may struggle to balance supporting your open-source project with patching it.
And as we already covered, there are hundreds of new vulnerabilities discovered each day.
Even fixing only a few of them on your own could leave you exposed to attacks for months.
If you choose this route, though, we highly recommend checking your dependencies with Dependabot.
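A minimal Dependabot configuration for an npm project, added here as an example (it is not Rocketadmin’s own configuration): it asks Dependabot to check npm dependencies daily and groups the React packages so they are updated together in one pull request. Dependabot’s security-update pull requests are switched on in the repository’s security settings rather than in this file.

```yaml
# .github/dependabot.yml (added example; assumes an npm project at the repository root)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"          # check for new versions every day
    open-pull-requests-limit: 10 # cap the number of open update PRs
    groups:
      react:                     # bump the React family together
        patterns:
          - "react"
          - "react-dom"
          - "react-server-dom-*"
```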
II. Employ a dedicated team
Having an entire, dedicated team might be a bit more realistic.
However, that also comes with its own challenges.
For one, they might need to learn entirely new, complex areas of expertise to patch each occurrence.
And employing an entire team just to support your open-source software? That is expensive, and it defeats the purpose of using open-source software in the first place.
III. Hire outsourced contractors
This is perhaps the most realistic option of the three.
Take care of your own project, then contact an external service when needed — a good balance between having access to experts and not keeping them on payroll outside of when they’re needed.
But this is still a significant financial investment, and still defeats the purpose of using open-source software.
The fourth option is the one we’re most confident in.
IV. Use a SaaS solution
No solution is perfect, and no one approach will keep you 100% secure at all times.
That’s just not possible.
However, one approach that combines the strengths of all previous solutions while addressing their weak points is using a SaaS solution.
Here’s why:
- It frees you from having to patch vulnerabilities yourself
- It offloads the responsibility to someone else
- It comes at a fraction of the cost of hiring experts
But saying that, we want to make one thing clear.
This isn’t a marketing thing
We offer Rocketadmin as an open-source project for a reason.
We believe in opening our work to everyone — regardless of location, use case, goals, or financial resources.
And we’re always excited to see what new developers can do with our codebase.
However, once you go open-source, it’s all up to you.
We’re not offering a perfect solution, but we are offering flexibility. Just like our admin panel itself, you can do whatever you choose with Rocketadmin.
What we want to ultimately provide is a choice — complete openness and complete control versus security and support.
What you decide is entirely up to you, and we don’t want to influence you either way.
That choice is our business model.
Whatever you choose, just promise us you’ll stay safe out there.