Vercel Security Incident: What To Know

December 6, 2025

We are committed to user transparency, so this post provides an account of our response to a third-party security vulnerability in React Server Components, the framework layer behind applications deployed on Vercel. We keep our users informed about events that may affect their trust in our platform, whether or not they are directly affected.

On December 3, 2025, the React team disclosed a critical vulnerability (CVE-2025-55182) in React Server Components, which affects applications built on frameworks such as Next.js and hosted on platforms such as Vercel. An unauthenticated attacker can send a crafted request to a vulnerable application and execute arbitrary code on the server that hosts it.

On December 5, 2025, our security team detected an attempted exploitation of this vulnerability targeting Carpathian infrastructure. Our layered defense systems responded effectively, and we are providing this update in the interest of transparency for our users.

About The Incident

Our security architecture performed as designed, although not at the first layer. The perimeter firewall did not block the request, and the exploit reached one of our hosts. The host-based firewall on that system then blocked the dropped script from establishing an outbound connection to its external command-and-control server, so no second-stage payload was downloaded or executed.
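The host-based control credited above is an egress policy: a process on the web host may run, but it cannot call out to the internet. The following is an added example of such a policy written for nftables; it is not Carpathian's configuration, and the resolver address, backend address and package mirror are assumed values for illustration. With a chain like this in place, a script started by an exploit can still enumerate the local machine (which is why segmentation and monitoring still matter), but its attempt to fetch a payload is dropped and logged.

```shell
#!/bin/sh
# Added example: default-deny egress ruleset for a web application host.
# Not Carpathian's configuration. Addresses below are assumptions.
set -eu

RESOLVER="10.0.0.53"       # assumed internal DNS resolver
UPSTREAM_API="10.0.1.20"   # assumed backend service the frontend calls
PKG_MIRROR="10.0.2.5"      # assumed package mirror used for updates

# Emits an nftables ruleset whose output chain drops by default. IPv4 only;
# add ip6 rules for the same destinations if the host has IPv6 egress.
egress_ruleset() {
    cat <<EOF
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # Replies to connections that were accepted inbound (HTTP responses)
        # and packets of already-allowed outbound flows keep working.
        ct state established,related accept

        # Local services talk over loopback.
        oif "lo" accept

        # Name resolution only through the internal resolver.
        ip daddr ${RESOLVER} udp dport 53 accept
        ip daddr ${RESOLVER} tcp dport 53 accept

        # The only external services this host may initiate connections to.
        ip daddr ${UPSTREAM_API} tcp dport 443 accept
        ip daddr ${PKG_MIRROR} tcp dport 443 accept

        # Every other new outbound connection: log for the SOC, count, drop.
        # A script trying to reach a command-and-control server lands here.
        ct state new log prefix "egress-drop: " counter drop
    }
}
EOF
}

# Returns 0 when the generated output chain has a default-drop policy.
ruleset_is_default_deny() {
    egress_ruleset | grep -q 'hook output priority 0; policy drop;'
}

# Usage, as root, after reviewing the generated rules:
#   egress_ruleset | nft -c -f -    # syntax check only
#   egress_ruleset | nft -f -       # apply
# Blocked callbacks then appear in the kernel log with the "egress-drop:" prefix.
```

The order of the rules matters: the established/related rule must come before the drop so that the host can still answer the inbound HTTP requests it serves, while only new outbound connections are subject to the allowlist.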

No passwords, usernames, email addresses, postal addresses, or other personally identifiable information were accessed or exfiltrated. Carpathian services remained fully operational with zero downtime. CynosSecure continues to monitor all user environments and hypervisors around the clock.

What This Means for Carpathian

This incident reinforces the value of our defense-in-depth approach. Each of our software products maintains strict isolation between frontend and backend systems, with additional separation across platforms. We remain committed to ensuring all systems handling user information are properly segmented and secured.

What This Means for Users

No action is required at this time. Your account remains secure, and no personal information was compromised. That said, we always recommend enabling multi-factor authentication as an added layer of protection for your account.

Questions

Was any personally identifiable information accessed?

No. Our backend services operate on isolated infrastructure. Even in a scenario where attackers could scan and exfiltrate data from the affected system, no user, company, or sensitive information resides there.

What information was exposed?

The attacker read system-level account lists and SSH directories on the compromised system. These contain only internal service-account information, not Carpathian customer usernames or credentials, and hold nothing related to Carpathian infrastructure or user environments.
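When an attacker has read SSH directories, the follow-up check a practitioner wants is an audit of every authorized_keys entry on the host against an approved list, alongside rotation of any private keys that lived in those directories (private keys cannot be audited for exposure; they are simply replaced). The following is an added example of that audit in POSIX shell and awk; it is not Carpathian's tooling, and the account names and key strings in the fixture are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries against an approved list.
# Not Carpathian's tooling; fixture data below is constructed, not real keys.
set -eu

# Prints one line per key: "<user> <keytype> <keyblob> <comment>".
# Walks <base>/<user>/.ssh/authorized_keys (use /home, or /root directly).
# Leading options such as command="..." or from="..." are skipped by
# locating the key-type token; options containing spaces are not handled.
list_authorized_keys() {
    base="$1"
    find "$base" -maxdepth 3 -type f -path '*/.ssh/authorized_keys' |
    while read -r f; do
        user=$(basename "$(dirname "$(dirname "$f")")")
        awk -v user="$user" '
            /^[[:space:]]*#/ || NF == 0 { next }
            {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                        comment = ""
                        for (j = i + 2; j <= NF; j++)
                            comment = comment (j > i + 2 ? " " : "") $j
                        print user, $i, $(i + 1), (comment == "" ? "-" : comment)
                        break
                    }
            }' "$f"
    done
}

# Prints every key whose base64 blob is not listed (one per line) in <approved>.
unapproved_keys() {
    base="$1"; approved="$2"
    list_authorized_keys "$base" | while read -r user ktype blob comment; do
        grep -qxF "$blob" "$approved" ||
            printf '%s %s %s %s\n' "$user" "$ktype" "$blob" "$comment"
    done
}

# Constructed fixture: two accounts, one of them carrying a key that is not
# on the approved list and that was added with forced-command options.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob/.ssh"
    cat > "$tmp/home/alice/.ssh/authorized_keys" <<'EOF'
# deploy key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE0001 alice@laptop
EOF
    cat > "$tmp/home/bob/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBOB00001 bob@workstation
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEUNKNOWN0001 attacker
EOF
    printf '%s\n' AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE0001 \
                  AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBOB00001 > "$tmp/approved_blobs"
    echo "$tmp"
}

# Runs the audit over the fixture and prints only the unapproved entries.
demo() {
    fx=$(make_fixture)
    unapproved_keys "$fx/home" "$fx/approved_blobs"
    rm -rf "$fx"
}

# On a real host: unapproved_keys /home /etc/ssh/approved_blobs; unapproved_keys /root /etc/ssh/approved_blobs
```

Comparing the raw key blob rather than a fingerprint keeps the check free of any dependency on ssh-keygen, so it can run from a minimal rescue environment; the approved list is simply the second field of each key your organisation actually issued.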

Do I need to reset my password?

No. Our databases are encrypted and passwords are hashed. The system that was targeted does not host any user information.


For additional questions, please contact us at info@carpathian.ai.

Read React's advisory here: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

About the Author

Samuel Malkasian

Founder | Carpathian AI