Lisa Jackson, senior vice president of environment, policy and social initiatives at Apple Inc., speaks during the TechCrunch Disrupt 2017 in San Francisco, California, U.S., on Tuesday, Sept. 19, 2017.
David Paul Morris | Bloomberg | Getty Images
Apple’s general counsel, Kate Adams, and its vice president for environment, policy, and social initiatives, Lisa Jackson, will retire from Apple, the company announced on Thursday.
Apple said that Jennifer Newstead would become Apple’s new general counsel in March next year and that Jackson’s government affairs staff would report to her.
The two executives previously reported to Apple CEO Tim Cook and represent the latest sign that Apple’s senior leadership is seeing a slew of exits.
In recent weeks, Apple’s head software designer said he was leaving to go to Meta, Apple said that its AI chief was retiring, and Apple’s chief operating officer retired.
Adams joined Apple and became general counsel in 2017, and oversaw legal matters including litigation, global security, and the company’s privacy initiatives. Under Adams, Apple grappled with rising antitrust scrutiny and regulation around the world, including major lawsuits in the U.S. over the iPhone App Store’s restrictions and fees.
Jackson joined Apple in 2013, and led the company’s diversity programs as well as much of its policy work in Washington, D.C.
Prior to joining Apple in 2013, she spent four years as Administrator of the U.S. Environmental Protection Agency, a position she was appointed to by President Barack Obama.
Jackson is a Democrat, and her retirement shows a shift in Apple’s approach to Washington DC in the second Trump administration. Apple has faced increased tariffs from the Trump administration, and Cook has met with President Trump several times to tout the company’s American manufacturing plans in an effort to limit policy changes that could hurt the company.
She also led Apple’s environmental initiatives.
In her role, Jackson “focused on reducing greenhouse gases, protecting air and water quality, preventing exposure to toxic contamination, and expanding outreach to communities on environmental issues,” according to her bio on Apple’s website.
Jackson was instrumental in Apple’s launch of its Racial Equity and Justice Initiative following the 2020 murder of George Floyd.
She then helped expand the company’s equity and justice efforts to other countries, including the U.K., Mexico and New Zealand, according to a report on the initiative in 2023.
“At Apple, we pledge that our resolve will not fade,” Jackson wrote in a section of that report. “We won’t delay action. We will work, each and every day, on the urgent task of advancing equity.”
Jackson also accompanied Cook to several official functions in Washington, including state dinners.
Since 2019, Newstead, who will become Apple’s top lawyer, has overseen Meta’s legal and regulatory matters pertaining to its family of apps like Facebook, Instagram, WhatsApp and others.
Prior to her stint at the social media giant, Newstead served as a Trump-appointed legal advisor at the State Department during the president’s first administration in 2019.
Before that, she was a partner at Davis Polk & Wardwell and a general counsel of the White House Office of Management and Budget, among other roles in the U.S. government.
Up 5.1 Percent YTD in 2025 from Same Period in 2024
WASHINGTON, D.C. – The American Iron and Steel Institute (AISI) reported today that for the month of October 2025, U.S. steel mills shipped 7,692,319 net tons, a 9.2 percent increase from the 7,047,172 net tons shipped in October 2024. Shipments were down 4.2 percent from the 8,032,536 net tons shipped in the previous month, September 2025. Shipments year-to-date in 2025 are 76,425,069 net tons, up 5.1 percent vs. 2024 shipments of 72,731,187 net tons for ten months.
A comparison of shipments year-to-date in 2025 to the first ten months of 2024 shows the following changes: corrosion resistant sheet and strip, up 4 percent, hot rolled sheet and strip, unchanged and cold rolled sheet and strip, down 3 percent.
####
Contact: Lisa Harrison
202.452.7115 / lharrison@steel.org
AISI serves as the voice of the American steel industry in the public policy arena and advances the case for steel in the marketplace as the preferred material of choice. AISI’s membership is comprised of integrated and electric arc furnace (EAF) steelmakers, steel pipe and tube manufacturers and steel processors and fabricators, reflecting the production and distribution of both carbon and stainless steels. These steels are critical to America’s national and economic security, including roads and bridges, buildings, the electrical grid, cars and trucks and all clean energy technologies. AISI also represents associate members who are suppliers to or customers of the steel industry. For more news about steel and its applications, view AISI’s website at www.steel.org. Follow AISI on Facebook, LinkedIn, Twitter (@AISISteel) or Instagram.
The shortage is a lucrative opportunity – but the window is brief
Rising infrastructure costs and mounting capital constraints are deflating the AI boom. The hyperscalers can’t solve their computing problems fast enough, and that’s creating a rare arbitrage opportunity.
The solution right now isn’t building data centers. The current investment opportunity lies in the temporary gap between exploding AI demand and the physical constraints of centralized infrastructure expansion. A handful of companies are exploiting this window – which likely will be a 24-to-36-month opportunity. For investors who understand the timing, it’s a compelling hedge against the AI infrastructure bottleneck.
Physical barriers
AI’s limiting factor is no longer algorithms or data – it’s the brute-force physics of data-center expansion. Training large models demands tens of thousands of GPUs, dedicated networking and enormous power consumption. Gartner forecasts that 40% of AI data centers will face power constraints by 2027.
The math is brutally simple: AI computing workloads could consume around 500 terawatt-hours annually by 2027 – about twice the U.K.’s total electricity consumption in 2023. This demand spike is already showing up in the grid.
Dominion Energy (D), the biggest utility company in Virginia, nearly doubled its data-center power capacity under contract between July and December 2024, and the trend has persisted.
Even with Microsoft (MSFT), Alphabet (GOOG) (GOOGL), Amazon.com (AMZN) and Meta Platforms (META) spending a combined $370 billion on capex in 2025, they can’t build fast enough. Construction and commissioning typically take 12 to 36 months, but when you include permitting and power-grid build-outs, a full data-center project can stretch to three to six years.
Time and money
This time gap is the entire investment thesis.
When essential resources become expensive and concentrated, parallel markets emerge. We saw this with electricity co-ops in the early 20th century, independent oil producers during OPEC’s reign and broadband resellers in the early internet era.
With AI, the scarce resource is GPU computing. Several companies are building marketplaces that aggregate idle capacity – consumer GPUs, academic clusters, enterprise overstock – and resell it at a fraction of centralized data-center costs.
The economics for these companies are compelling during this shortage window:
Cost structure advantage: Alternative networks don’t finance data centers with debt. They pay participants directly for computing capacity through incentive structures, converting spare capacity into productive assets. The cost of scaling shifts from massive capex to distributed incentives.
Speed to market: While hyperscalers wait 18 to 36 months for new facilities, these networks can add capacity node by node, with no billion-dollar commitments up front.
Arbitrage pricing: These companies are capturing demand from the smaller labs, indie studios, emerging markets and others that are priced out of AWS GPU pricing but still need computing.
The catch? The explosive growth window is finite. These networks will remain viable alternatives even after constraints ease – serving cost-sensitive workloads, emerging markets and indie developers – but the opportunity for substantial investment gains compresses as growth normalizes and hyperscalers’ capacity comes online.
How to play the computing shortage
Again, this isn’t a moonshot bet. It’s an infrastructure hedge with a defined window. Here are three approaches, ranked by risk profile:
Render Network: Aggregates idle GPU capacity from individuals and studios, reselling to the highest bidder for rendering and AI workloads. Think of it as Airbnb for GPUs – idle capacity that would otherwise sit dormant gets monetized, and users get computing at a fraction of data-center pricing. Rather than operating expensive data centers, Render pays a fraction of that cost to harvest capacity from thousands of computers.
io.net: Focuses on generic GPU computing for AI training and inference. The platform aggregates capacity from data centers, crypto miners and consumer hardware, creating a distributed alternative to centralized cloud providers. Its network is newer and more speculative than Render, but it’s capturing demand from AI startups that can’t afford or access hyperscaler GPU allocations.
Akash Network: Takes the concept broader, offering a marketplace for general cloud computing and storage beyond just GPUs. This positions it as infrastructure for the full stack, not just AI-specific workloads. Akash is a privately held company but it does have a tradeable crypto token, AKT. This is the highest-risk play in this category, but offers the most diversified exposure if decentralized computing extends beyond AI.
These are crypto token plays – not stocks
Before going further, understand what you’re actually buying. All three of these networks operate through native cryptocurrency tokens, not traditional equity. There is no stock ticker, no brokerage-account access and no public-equity wrapper for these businesses.
Direct exposure requires navigating cryptocurrency exchanges:
— Render Network (RENDER) trades on Coinbase, Binance and Kraken.
— io.net is listed on select crypto exchanges such as Binance and Gate.io, with liquidity varying by venue and region.
— Akash Network (AKT) trades on Coinbase, Kraken and similar venues.
This means dealing with crypto custody – whether through exchange accounts or self-custody wallets – and accepting the regulatory uncertainty that comes with token investments. If you’re not comfortable with that infrastructure, this thesis won’t work for you.
For investors who prefer traditional equity exposure, the closest alternatives are second-order beneficiaries of the same capacity constraint:
— Data-center operators: Equinix EQIX, Digital Realty Trust DLR
— Power infrastructure: Dominion Energy, Duke Energy DUK, NextEra Energy NEE
But here’s the critical distinction: These publicly traded companies benefit from the shortage itself – not from the temporary arbitrage window created by aggregating idle distributed capacity. They’ll do well regardless of whether decentralized computing succeeds. What they won’t give you is direct exposure to the specific dislocation that is going on now.
Risk factors
Let’s be clear about what could go wrong with this arbitrage strategy:
Performance and reliability: Distributed GPU networks face inherent challenges with performance variance, latency and quality control. Enterprise customers paying for AI infrastructure demand reliability. If these networks can’t match centralized performance, the arbitrage doesn’t matter – customers won’t switch.
Security and compliance: Regulated industries won’t run sensitive workloads on unknown hardware scattered globally. These networks are limited to specific use cases where data sovereignty and compliance aren’t blockers.
Hyperscaler catch-up timeline: The base case assumes these constraints ease through 2027-’29 as new data centers and power infrastructure come online. If power constraints extend beyond 2029, the high-growth window for these companies stays open.
Regulatory uncertainty: Several of these networks operate in regulatory gray areas. If governments decide to regulate decentralized computing infrastructure, costs increase and flexibility decreases.
Crypto market contagion: These tokens trade on crypto exchanges and correlate with broader crypto markets. A bitcoin crash or crypto regulatory crackdown could affect these assets regardless of fundamentals.
The investment timeline
The window runs from early 2026 through 2027-’28, which is the core 24-to-36-month period. The broader infrastructure constraint lasts longer, but the outsized arbitrage compresses as hyperscalers come online. This aligns with the infrastructure constraint timeline I’ve been tracking, but extends beyond the initial shortage as power-grid limitations persist.
Q1 2026: Begin building positions as the 2027 power constraint window becomes consensus view. Dollar-cost average to smooth volatility.
Q2 2026-Q2 2027: Peak growth opportunity as AI demand continues accelerating while centralized capacity remains severely constrained. These networks capture maximum long-tail demand priced out of hyperscaler infrastructure.
Q3 2027-Q2 2028: Growth continues, but begins normalizing as new data centers come online and power-grid upgrades progress. Monitor hyperscaler capacity announcements closely – each major facility completion incrementally compresses the arbitrage.
Q3 2028-Q4 2029: Maturation phase. These networks settle into specialized roles – emerging markets, cost-sensitive workloads, indie developers. They remain viable businesses but growth normalizes.
It is important to understand that this isn’t a binary “it works until it doesn’t” thesis. It’s a maturation curve where networks transition from high-growth arbitrage plays to steady-state infrastructure alternatives.
The broader implication
If GPU aggregation networks prove they can deliver reliable computing at competitive prices during the 2026-’28 constraint period, they will establish legitimacy. Even if hyperscalers eventually recapture market share, these networks will have carved out niches in emerging markets, indie studios and cost-sensitive workloads.
Jennifer Newstead to join Apple as senior vice president, will become general counsel in March 2026
Kate Adams to retire late next year
Lisa Jackson to retire
CUPERTINO, CALIFORNIA – Apple today announced that Jennifer Newstead will become Apple’s general counsel on March 1, 2026, following a transition of duties from Kate Adams, who has served as Apple’s general counsel since 2017. She will join Apple as senior vice president in January, reporting to CEO Tim Cook and serving on Apple’s executive team.
In addition, Lisa Jackson, vice president for Environment, Policy, and Social Initiatives, will retire in late January 2026. The Government Affairs organization will transition to Adams, who will oversee the team until her retirement late next year, after which it will be led by Newstead. Newstead’s title will become senior vice president, General Counsel and Government Affairs, reflecting the combining of the two organizations. The Environment and Social Initiatives teams will report to Apple chief operating officer Sabih Khan.
“Kate has been an integral part of the company for the better part of a decade, having provided critical advice while always advocating on behalf of our customers’ right to privacy and protecting Apple’s right to innovate,” said Tim Cook, Apple’s CEO. “I am incredibly grateful to her for the leadership she has provided, for her remarkable determination across a myriad of highly complex issues, and above all, for her thoughtfulness, her deeply strategic mind, and her sound counsel.”
“I am deeply appreciative of Lisa’s contributions. She has been instrumental in helping us reduce our global greenhouse emissions by more than 60 percent compared to 2015 levels,” said Cook. “She has also been a critical strategic partner in engaging governments around the world, advocating for the best interests of our users on a myriad of topics, as well as advancing our values, from education and accessibility to privacy and security.”
“We couldn’t be more pleased to have Jennifer join our team,” said Cook. “She brings an extraordinary depth of experience and skill to the role, and will advance Apple’s important work all over the world. We are also pleased that Jennifer will be overseeing both the Legal and Government Affairs organizations, given the increasing overlap between the work of both teams and her substantial background in international affairs. I know she will be an excellent leader going forward.”
“I have long admired Apple’s deep focus on innovation and strong commitment to its values, its customers, and to making the world a better place,” said Newstead. “I am honored to join the company and to lead an extraordinary team who are dedicated each and every day to doing what’s in the best interest of Apple’s users.”
“It has been one of the great privileges of my life to be a part of Apple, where our work has always been about standing up for the values that are the foundation of this great company,” said Adams. “I am proud of the good our wonderful team has done over the past eight years, and I am filled with gratitude for the chance to have made a difference. Jennifer is an exceptional talent and I am confident that I am leaving the team in the very best hands, and I’m really looking forward to working more closely with the Government Affairs team.”
“Apple is a remarkable company and it has been a true honor to lead such important work here,” said Jackson. “I have been lucky to work with leaders who understand that reducing our environmental impact is not just good for the environment, but good for business, and that we can do well by doing good. And I am incredibly grateful to the teams I’ve had the privilege to lead at Apple, for the innovations they’ve helped create and inspire, and for the advocacy they’ve led on behalf of our users with governments around the world. I have every confidence that Apple will continue to have a profoundly positive impact on the planet and its people.”
Newstead was most recently chief legal officer at Meta and previously served as the legal adviser of the U.S. Department of State, where she led the legal team responsible for advising the Secretary of State on legal issues affecting the conduct of U.S. foreign relations. She held a range of other positions in government earlier in her career as well, including as general counsel of the White House Office of Management and Budget, as a principal deputy assistant attorney general of the Office of Legal Policy at the Department of Justice, as associate White House counsel, and as a law clerk to Justice Stephen Breyer of the U.S. Supreme Court. She also spent a dozen years as partner at Davis Polk & Wardwell LLP, where she advised global corporations on a wide variety of issues. Newstead holds an AB from Harvard University and a JD from Yale Law School.
About Apple
Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, AirPods, Apple Watch, and Apple Vision Pro. Apple’s six software platforms — iOS, iPadOS, macOS, watchOS, visionOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, iCloud, and Apple TV. Apple’s more than 150,000 employees are dedicated to making the best products on earth and to leaving the world better than we found it.
WASHINGTON, Dec. 4, 2025 /PRNewswire/ — Vanda Pharmaceuticals Inc. (Nasdaq: VNDA) today announced that the U.S. Food and Drug Administration (FDA) has lifted the partial clinical hold on protocol VP-VLY-686-3403, which until today limited the protocol to a maximum of 90 doses of tradipitant.
The lift followed Vanda’s formal dispute resolution request and an expedited re-review conducted by CDER leadership under the collaborative framework established between Vanda and the FDA in October 2025.
The FDA agreed with Vanda’s position that motion sickness is an acute, self-limiting physiologic response rather than a chronic or chronic-intermittent condition. The Agency therefore concluded that the use of tradipitant in motion sickness represents an acute, event-driven therapy, eliminating the need for an additional six-month dog toxicity study and rendering the partial clinical hold unnecessary.
This decision allows Vanda to extend clinical studies of tradipitant in motion sickness. Separately, the ongoing review of the pending, fully completed New Drug Application for tradipitant for the prevention of vomiting induced by motion remains on track, with a PDUFA target action date of December 30, 2025, positioning tradipitant as potentially the first new pharmacologic treatment for motion sickness in over 40 years.
“The swift and favorable resolution of this issue highlights the effectiveness of our collaborative framework with the FDA,” said Mihael H. Polymeropoulos, M.D., President and CEO of Vanda. “We thank the Agency for its thorough and expedited scientific review and look forward to continued constructive dialogue.”
About Vanda Pharmaceuticals Inc.
Vanda is a leading global biopharmaceutical company focused on the development and commercialization of innovative therapies to address high unmet medical needs and improve the lives of patients. For more on Vanda Pharmaceuticals Inc., please visit www.vandapharma.com and follow us on X @vandapharma.
About Tradipitant
Tradipitant is a neurokinin-1 receptor antagonist licensed by Vanda from Eli Lilly and Company. Tradipitant is currently in clinical development for a variety of indications, including gastroparesis, motion sickness, and the prevention of nausea and vomiting induced by GLP-1 receptor agonists.
Various statements in this press release, including, but not limited to statements regarding Vanda’s further clinical development plans for tradipitant, Vanda’s pursuit of FDA approval of tradipitant for the prevention of vomiting induced by motion, the potential commercialization of tradipitant for such indication, and Vanda’s future interactions with the FDA are “forward-looking statements” under the securities laws. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Forward-looking statements are based upon current expectations and assumptions that involve risks, changes in circumstances and uncertainties. Important factors that could cause actual results to differ materially from those reflected in Vanda’s forward-looking statements include, among others, the FDA’s ability to complete its review of the NDA for tradipitant for the prevention of vomiting induced by motion by December 30, 2025, the FDA’s assessment of the evidence supporting the safety and efficacy of tradipitant for the prevention of vomiting induced by motion, and the ability of the FDA and Vanda to continue to work together collaboratively. Therefore, no assurance can be given that the results or developments anticipated by Vanda will be realized, or even if substantially realized, that they will have the expected consequences to, or effects on, Vanda. Forward-looking statements in this press release should be evaluated together with the various risks and uncertainties that affect Vanda’s business and market, particularly those identified in the “Cautionary Note Regarding Forward-Looking Statements”, “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” sections of Vanda’s most recent Annual Report on Form 10-K, as updated by Vanda’s subsequent Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and other filings with the U.S. Securities and Exchange Commission, which are available at www.sec.gov.
All written and verbal forward-looking statements attributable to Vanda or any person acting on its behalf are expressly qualified in their entirety by the cautionary statements contained or referred to herein. Vanda cautions investors not to rely too heavily on the forward-looking statements Vanda makes or that are made on its behalf. The information in this press release is provided only as of the date of this press release, and Vanda undertakes no obligation, and specifically declines any obligation, to update or revise publicly any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.
Corporate Contact: Kevin Moran, Senior Vice President, Chief Financial Officer and Treasurer, Vanda Pharmaceuticals Inc., 202-734-3400
Jim Golden / Jack Kelleher / Dan Moore, Collected Strategies
This fuel will be used for the Project Pele microreactor being developed through a collaboration among the three parties (alongside the Department of Energy) and represents a major milestone for the project. As Jeff Waksman, Principal Deputy Assistant Secretary of the Army for Installations, Energy and Environment, put it, “This is real nuclear microreactor fuel delivered at its final destination, rather than some letter or memorandum promising to make fuel at a later date.”
More details: According to INL—and despite announcements coming out this week—the 40,000 fuel compacts that made up the shipment were delivered on November 5 (a video of the delivery is available here). BWXT manufactured and shipped the fuel from its facilities in Lynchburg, Va., where the company is also constructing the prototype reactor.
BWXT plans to begin formal system testing as early as 2027 and begin producing electricity at INL as soon as 2028.
While the SCO is leading Project Pele, INL director John Wagner highlighted how instrumental the DOE network has been in facilitating this project, saying, “This milestone reflects years of dedicated effort by the Office of Nuclear Energy’s Advanced Gas Reactor TRISO Fuel Qualification Program to fabricate and qualify TRISO fuel using world-class capabilities at INL’s Advanced Test Reactor and Materials and Fuels Complex, and Oak Ridge National Laboratory—capabilities that exist nowhere else in the world.”
Pele background: In May 2019, the Nuclear Regulatory Commission, DOE, and SCO signed a preliminary MOU on microreactor research laying the groundwork for Project Pele. The original goal of the project was to develop a transportable 1–5 MWe advanced microreactor.
In March 2020, the DOD awarded contracts for three projects under Pele: one to BWXT, one to Westinghouse, and one to X-energy. BWXT emerged as the frontrunner in the project with its 1.5-MWe high-temperature, gas-cooled reactor.
In August 2023 (in a webinar organized by the American Nuclear Society), Waksman said that if all went according to plan, the reactor would be turned on at INL before the end of calendar year 2025. The new operational date of 2028 represents a three-year delay in prior plans but still aims to meet a September 30, 2028, deadline set by President Trump’s Executive Order 14299.
In September 2024, the DOD announced that it had broken ground at INL’s Critical Infrastructure Test Range Complex, where the reactor is set to be tested. In July 2025, BWXT announced that it had started fabrication on the Pele reactor core.
Janus tie-in: Project Pele—of course—is not the only nuclear power–related undertaking of the DOD or the broader federal government. Most directly related is the recently announced Janus Program, which seeks to deploy an operational demonstration microreactor power plant on a U.S. military installation by 2030. The DOD has stated that Janus will build on lessons learned from Pele and that the “laboratory teams which partnered on the technical, legal, and policy aspects of Project Pele will also be working closely on the Janus Program.”
Waksman reiterated this most recently in BWXT’s announcement, saying, “the army’s Janus Program will follow on to deliver affordable, reliable, commercial nuclear power to ensure that our critical infrastructure has power, even if the electric grid is disrupted.” In November, nine sites were selected for possible deployment as part of the program.
Don’t forget ANPI: Project Pele and the Janus Program are running parallel to the DOD’s separate Advanced Nuclear Power for Installations (ANPI) program, which was launched in 2024 to deploy microreactor systems at military sites. At the launch of the program, the DOD aimed to have two microreactors operational on military bases by 2030. In April of this year, the DOD announced eight companies that are eligible to receive Other Transaction Awards for the project.
At this year’s annual conference of the Association of the U.S. Army, Waksman reportedly said that Janus will differ from ANPI by virtue of having different technical requirements, reflecting recent changes in the nuclear power market, including new companies that have emerged since last year.
Russian authorities blocked access to Snapchat and imposed restrictions on Apple’s video calling service FaceTime, the latest step in an effort to tighten control over the internet and communications online, according to state-run news agencies and the country’s communications regulator.
State internet regulator Roskomnadzor alleged in a statement that both apps were being “used to organize and conduct terrorist activities on the territory of the country, to recruit perpetrators (and) commit fraud and other crimes against our citizens.” Apple did not respond to an emailed request for comment, nor did Snap Inc.
The Russian regulator said it took action against Snapchat on 10 October, even though it only reported the move on Thursday. The moves follow restrictions against Google’s YouTube, Meta’s WhatsApp and Instagram, and the Telegram messaging service, itself founded by a Russian-born man, that came in the wake of Vladimir Putin’s invasion of Ukraine in 2022.
Under Vladimir Putin, authorities have engaged in deliberate and multi-pronged efforts to rein in the internet. They have adopted restrictive laws and banned websites and platforms that don’t comply. Technology also has been perfected to monitor and manipulate online traffic.
Access to YouTube was disrupted last year in what experts called deliberate throttling of the widely popular site by the authorities. The Kremlin blamed YouTube owner Google for not properly maintaining its hardware in Russia.
While it’s still possible to circumvent some of the restrictions by using virtual private network services, those are routinely blocked, too.
Authorities further restricted internet access this summer with widespread shutdowns of cellphone internet connections. Officials have insisted the measure was needed to thwart Ukrainian drone attacks, but experts argued it was another step to tighten internet control. In dozens of regions, “white lists” of government-approved sites and services that are supposed to function despite a shutdown have been introduced.
The government also has acted against popular messaging platforms. Encrypted messenger Signal and another popular app, Viber, were blocked in 2024. This year, authorities banned calls via WhatsApp, the most popular messaging app in Russia, and Telegram, a close second. Roskomnadzor justified the measure by saying the two apps were being used for criminal activities.
At the same time, authorities actively promoted a “national” messenger app called Max, which critics see as a surveillance tool. The platform, touted by developers and officials as a one-stop shop for messaging, online government services, making payments and more, openly declares it will share user data with authorities upon request. Experts also say it does not use end-to-end encryption.
Earlier this week, the government also said it was blocking Roblox, a popular online game platform, saying the step aimed at protecting children from illicit content and “pedophiles who meet minors directly in the game’s chats and then move on to real life.” Roblox in October was the second most popular game platform in Russia, with nearly 8 million monthly users, according to media monitoring group Mediascope.
Stanislav Seleznev, cyber security expert and lawyer with the Net Freedom rights group, said that Russian law views any platform where users can message each other as “organizers of dissemination of information”.
This label mandates that platforms have an account with Roskomnadzor so that it could communicate its demands, and give Russia’s security service, the FSB, access to accounts of their users for monitoring; those failing to comply are in violation and can get blocked, Seleznev said.
Seleznev estimated that possibly tens of millions of Russians have been using FaceTime, especially after calls were banned on WhatsApp and Telegram. He called the restrictions against the service “predictable” and warned that other sites failing to cooperate with Roskomnadzor “will be blocked – that’s obvious”.
On Dec. 3, 2025, researchers publicly disclosed critical remote code execution (RCE) vulnerabilities in the Flight protocol used by React Server Components (RSC). These vulnerabilities are tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), which have been assigned a maximum severity rating of CVSS 10.0.
The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations. There have been no reports of exploitation in the wild as of Dec. 3, 2025.
React is heavily implemented in enterprise environments and is used by roughly 40% of all developers, while Next.js is used by approximately 18%-20%. This makes Next.js the leading server-side framework for the React ecosystem.
Palo Alto Networks Cortex Xpanse has identified the presence of over 968,000 React and Next.js instances in our telemetry.
These vulnerabilities impact the React 19 ecosystem and frameworks that implement it. Specifically, they affect the following versions:
React: Versions 19.0, 19.1, and 19.2
Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
Other frameworks: Any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, Parcel and Vite RSC plugins
Palo Alto Networks customers receive protections from and mitigations for CVE-2025-55182 and CVE-2025-66478 in the following ways:
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Palo Alto Networks also recommends upgrading to the following hardened versions immediately:
React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Details of the Vulnerabilities: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)
CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are classified as Critical (CVSS 10.0) and are caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol.
The vulnerabilities reside in the react-server package and its implementation of the RSC Flight protocol. They stem from a logical deserialization flaw in which the server processes RSC payloads unsafely.
When a server receives a specially crafted, malformed HTTP payload (typically through data delivered in a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, the server allows attacker-controlled data to influence server-side execution logic.
This results in RCE, allowing an attacker to execute arbitrary privileged JavaScript code on the server.
Attack Vector and Exploitability
Attack complexity: The attack complexity is low. It requires no user interaction and no privileges (unauthenticated).
Target endpoints: The attack targets React Server Function endpoints.
Critical nuance: Even if an application does not strictly implement or use React Server Functions, it remains vulnerable if the application supports React Server Components generally.
Reliability: Testing has shown the exploit has near-100% reliability.
Default configuration: The vulnerabilities are present in default configurations. For example, a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.
Specific Affected Components
While generally described as affecting React and Next.js, the vulnerabilities technically exist within specific underlying packages that handle server-side rendering and module loading.
Affected Packages
The vulnerabilities are present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the following packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Affected Framework Implementations
Any framework bundling these packages is affected:
Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0-canary.77
Other ecosystems: React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin are all affected if they use the vulnerable React packages
Interim Guidance
Required actions: Immediate patching is the only definitive mitigation.
Engineering and security teams should upgrade to the following hardened versions immediately:
React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
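The affected and patched version lists above can be checked mechanically against a lockfile. The following is an added example, not code from Unit 42, React or Next.js; it assumes an npm lockfile (lockfileVersion 2 or 3), and the names `classify` and `scanLockfile` and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag lockfile entries matching the affected versions listed on this page.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_AFFECTED = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
// First patched Next.js patch number per release line, from the upgrade list above.
const NEXT_PATCHED = { '16.0': 7, '15.5': 7, '15.4': 8, '15.3': 6, '15.2': 6, '15.1': 9, '15.0': 5 };

function classify(name, version) {
  if (RSC_PACKAGES.includes(name)) return RSC_AFFECTED.includes(version) ? 'affected' : 'ok';
  if (name !== 'next') return 'ok';
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?/.exec(version);
  if (!m) return 'review'; // unparseable version string: check by hand
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major === 14) {
    // Only canary builds from 14.3.0-canary.77 onward are listed as affected.
    if (m[4] === undefined) return 'ok';
    const canary = Number(m[4]);
    return minor > 3 || (minor === 3 && (patch > 0 || canary >= 77)) ? 'affected' : 'ok';
  }
  if (major !== 15 && major !== 16) return 'ok'; // not a listed release line
  const patched = NEXT_PATCHED[`${major}.${minor}`];
  // Pre-releases and lines without a listed fix cannot be decided from the page alone.
  if (version.includes('-') || patched === undefined) return 'review';
  return patch < patched ? 'affected' : 'ok';
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project entry
    const name = path.split('node_modules/').pop();
    const status = classify(name, entry.version);
    if (status !== 'ok') findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.4.7' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/waku/node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.1.2' },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

A `review` status means the page's lists do not settle the question for that version, so it should be checked against the vendor advisory.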
For the latest updates on these vulnerabilities, please see the documentation provided by each respective vendor:
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
The following hunting queries are not high-fidelity detections and should be investigated to determine whether the web server operates vulnerable React Server Components.
// Description: File operations targeting potentially sensitive files or indications of exploitation of CVE-2025-55182
// Caveat 1: Next.js may still be running if a custom server.js is in use. Filtering on 'actor_process_command_line contains ".next"' restricts the results to 'standard' Next.js deployments; if the output is not overly noisy, we recommend also running the query without it.
// Caveat 2: Vulnerable React Server Component (RSC) endpoints may be served by a wider range of JavaScript runtimes than just NodeJS (such as Bun or Deno) and we recommend re-executing the queries targeting these runtimes if they are used in your environment.
// Description: Identifies a Node.js process directly spawning common system reconnaissance tools to gather user, network, or process information.
// Caveat: May be prone to false positives. Investigate hits within the context of a NodeJS server running a version of React with vulnerable React Server Components
| comp count_distinct(action_process_image_name) as num_procs, values(action_process_image_command_line) as action_process_image_command_line by agent_hostname, actor_process_image_name, actor_process_command_line, action_process_image_name
|filter num_procs>1
// Description: Identifies a specific causality chain where Node.js spawns a shell (cmd/bash/powershell), which subsequently spawns a downloader (curl/wget).
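The reconnaissance hunt described above, with both caveats applied, can be reproduced over exported process events. This is an added example, not Unit 42's query; the field names follow the XQL fragment on this page, while the tool list, the function `huntReconSpawns` and the sample events are assumptions constructed for illustration.

```javascript
// Added example: the "runtime spawns several recon tools" hunt, run over constructed events.
// Field names follow the XQL fragment on this page; the tool list is an assumption.
const RECON_TOOLS = new Set(['whoami', 'id', 'hostname', 'uname', 'ifconfig', 'netstat', 'ps']);
const RUNTIMES = new Set(['node', 'bun', 'deno']); // Caveat 2: not only Node.js

const baseName = (image) => image.split(/[\\/]/).pop().toLowerCase().replace(/\.exe$/, '');

function huntReconSpawns(events, { requireDotNext = true } = {}) {
  const groups = new Map();
  for (const e of events) {
    if (!RUNTIMES.has(baseName(e.actor_process_image_name))) continue;
    // Caveat 1: the ".next" filter misses deployments started from a custom server.js.
    if (requireDotNext && !e.actor_process_command_line.includes('.next')) continue;
    const tool = baseName(e.action_process_image_name);
    if (!RECON_TOOLS.has(tool)) continue;
    const key = JSON.stringify([e.agent_hostname, e.actor_process_image_name, e.actor_process_command_line]);
    if (!groups.has(key)) groups.set(key, { host: e.agent_hostname, actor: e.actor_process_command_line, tools: new Set() });
    groups.get(key).tools.add(tool);
  }
  // Equivalent of "filter num_procs > 1": one recon tool alone is too common to report.
  return [...groups.values()]
    .filter((g) => g.tools.size > 1)
    .map((g) => ({ host: g.host, actor: g.actor, num_procs: g.tools.size, tools: [...g.tools].sort() }));
}

// Constructed sample events (hostnames and command lines are invented).
const ev = (host, actorImg, actorCmd, childImg) => ({
  agent_hostname: host, actor_process_image_name: actorImg,
  actor_process_command_line: actorCmd, action_process_image_name: childImg,
});
const SAMPLE_EVENTS = [
  ev('web-01', 'node', 'node /app/.next/standalone/server.js', '/usr/bin/whoami'),
  ev('web-01', 'node', 'node /app/.next/standalone/server.js', '/usr/bin/id'),
  ev('web-01', 'node', 'node /app/.next/standalone/server.js', '/usr/bin/id'),
  ev('web-02', 'node', 'node /app/.next/standalone/server.js', '/usr/bin/hostname'),
  ev('web-03', 'bun', 'bun run server.js', '/bin/uname'),
  ev('web-03', 'bun', 'bun run server.js', '/bin/ps'),
  ev('ci-01', 'python3', 'python3 build.py', '/usr/bin/whoami'),
];

console.log(huntReconSpawns(SAMPLE_EVENTS));
console.log(huntReconSpawns(SAMPLE_EVENTS, { requireDotNext: false }));
```

As with the queries, a hit is a lead to investigate, not a confirmed compromise.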
The critical distinction of these vulnerabilities is their nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error. Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.
Ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization (SEO) by moving logic closer to the source, they simultaneously move the attack surface closer to organizations’ most sensitive and valuable data.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections for CVE-2025-55182 and CVE-2025-66478
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
Cortex XDR and XSIAM
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.