MalaGIS

Sharing GIS Technologies, Resources and News.

Critical React/Next.js Security Vulnerability: Urgent Alert for WebGIS Developers

It's Friday, are you starting to slack off and prepare for the weekend? Hold on: just yesterday (December 3, 2025), the React team and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not an ordinary bug but a 'nuclear-level' vulnerability that allows unauthenticated remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please check your dependencies promptly. This vulnerability is extremely dangerous and could also lead to data leakage.

Vulnerability Details

Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)

Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.

Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.

Affected Versions:

  • React: 19.0.0 to 19.2.0
  • Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77


Ditch ArcGIS: Use ShadeMap to Simulate Sunlight Analysis Directly Online

During a casual chat in the MalaGIS WeChat group, someone asked when GIS skills become most useful in daily life. Answers ranged from food delivery route optimization to travel planning, but the most insightful response was "assessing location (including Feng Shui) for property purchases". Among factors like sunlight access—a critical yet often overlooked parameter—most standard map apps fail to provide this data, requiring specialized GIS software (refer to methods in "ArcGIS 3D Handbook: Sunlight and 3D Path Analysis"). Recently, I discovered an online WebGIS application that simulates sunlight and shadows for any global location at any date—an excellent tool worth sharing.

Official site: https://shademap.app/

ShadeMap enables browser-based simulation of mountain, building, and tree shadows at any global coordinate for customizable dates/times. Users achieve precise, interactive sunlight and shadow analysis without client installations.


Malicious CDN Traffic Attack: Analysis and Practical Solutions for GIS Web Systems

Three months ago, during preparations for a leadership inspection of our WebGIS dashboard project (arguably its most critical application), our project manager urgently contacted me the night before: "XXX, emergency! The basemap's peripheral elements on the GIS dashboard have disappeared—only data remains visible!"

Reluctantly accessing the system, I discovered the dynamic visualizations had vanished. Console errors revealed resource loading failures traced to our CDN service. When I checked my personal CDN account (used because of our small company scale), I found the payment was overdue and promptly recharged 200 CNY.

A month later, while debugging new features, CDN errors recurred. Initially attributing this to post-exhibition traffic spikes (even boasting about "high system usage" to my manager), I recharged another 200 CNY.

When another billing alert arrived just weeks later—despite the exhibition ending months prior—abnormal traffic patterns became undeniable.

Initial Investigation

Qiniu Cloud's backend revealed alarming patterns:


Copyright © 2020-2025 MalaGIS. Driven by Typecho & Lingonberry.
