Trust Center


OutSystems is a global leader transforming how companies innovate through software, empowering IT leaders with a better way to build the software that matters most.

The OutSystems platform helps companies develop, deploy, and maintain mission-critical applications by unifying and automating the entire software lifecycle. With OutSystems, organizations leverage generative AI to deliver software instantaneously, adapt faster to changing requirements, and reduce technical debt by building on a future-proof platform. Helping customers achieve their business goals by addressing key strategic initiatives, OutSystems delivers software up to 10x faster than traditional development.

Recognized as a leader by analysts, IT executives, business leaders, and developers around the world, global brands trust OutSystems to tackle their impossible projects and turn their big ideas into software that moves their business, people, and the world forward.

This page is an overview of OutSystems' Security and Compliance programs. Use this site to learn more about our programs and to request access to supporting documents. You can use the dropdown on the top right to view the compliance page specific to the OutSystems product you are evaluating.

Trust Center Updates

Critical RCE Vulnerability in React and Next.js - React2Shell

Vulnerabilities

Summary
The OutSystems Security Team has completed its investigation of the critical RCE vulnerability in React and Next.js (React2Shell), tracked as CVE-2025-55182 and CVE-2025-66478. The vulnerability concerns Remote Code Execution (RCE) in React Server Components. OutSystems teams have reviewed their React code and confirmed that no react-server-xxx packages are used. Continuous monitoring of the OutSystems environment also confirmed that it is not affected by CVE-2025-55182.
At the time of writing, CVE-2025-66478 (https://nvd.nist.gov/vuln/detail/CVE-2025-66478) is marked as a duplicate of CVE-2025-55182.

Scope of Validation
Our assessment covered all React components used in both the O11 and ODC platforms.

Current Status

  • No evidence of active exploitation detected
  • No confirmed vulnerable components identified within monitored scope
  • Continuous monitoring remains in effect as detection logic and intelligence evolve

Ongoing Monitoring
OutSystems Security continues to actively monitor our environment to ensure that potentially vulnerable code is not introduced and deployed to the OutSystems environment.

Customer Action Required
No customer action is required at this time.

Additional Information
This advisory applies to both O11 and ODC within the OutSystems Platform. It does not extend to customer-managed extensions, third-party integrations, or customer-controlled infrastructure.
For additional information or questions, customers may contact OutSystems Support through standard channels.

Security Advisory: Shai-Hulud 2.0 Campaign

Vulnerabilities

Summary
OutSystems Security has completed validation activities related to the publicly reported “Shai-Hulud 2.0” vulnerability campaign. Based on continuous monitoring and analysis across our monitored environments, OutSystems has not observed any indicators of compromise or known vulnerable components associated with this campaign as of 2025-12-02 15:44 UTC.

Scope of Validation
Our assessment and monitoring include the following security control surfaces:

  • Source code repositories
  • Container images and registries
  • Deployed cloud workloads and exposed attack paths within our managed cloud environments

Current Status

  • No evidence of active exploitation detected
  • No confirmed vulnerable components identified within monitored scope
  • Continuous monitoring remains in effect as detection logic and intelligence evolve

Ongoing Monitoring
OutSystems Security continues to actively monitor for updated indicators of compromise, exploit techniques, and upstream threat intelligence related to this campaign using both internal detection capabilities and third-party intelligence sources. If our risk posture changes, customers will be notified promptly through this portal.

Customer Action Required
No customer action is required at this time.

Additional Information
This advisory applies to all components within the OutSystems Platform. It does not extend to customer-managed extensions, third-party integrations, or customer-controlled infrastructure.

For additional questions, customers may contact OutSystems Support through standard channels.

CVE-2025-55315 and OutSystems Developer Cloud (ODC)

Vulnerabilities

Security Advisory: CVE-2025-55315 and OutSystems Developer Cloud (ODC)
Date: October 31, 2025
Severity: Medium (context-dependent)

Summary
A recent vulnerability (CVE-2025-55315) has been identified affecting certain versions of .NET, allowing potential HTTP request smuggling under specific conditions. We have evaluated the impact of this vulnerability on OutSystems Developer Cloud (ODC).

Platform Impact
The ODC Platform itself is not affected by CVE-2025-55315.

Customer Application Impact
ODC applications that include Custom Code or custom integrations built on top of .NET may be affected if they are using vulnerable .NET runtime versions. The level of exposure depends on the specific application implementation and hosting configuration.

Recommended Customer Actions

  • Confirm your application is using a supported and updated version of .NET.
  • If your application uses Custom Code actions or external libraries, ensure they are recompiled and deployed using the latest .NET security servicing release from Microsoft.
  • Follow Microsoft’s official guidance on the vulnerability and .NET patch availability: https://msrc.microsoft.com/update-guide

OutSystems Guidance
OutSystems is monitoring vendor updates from Microsoft.
If further action is required on the platform side, we will communicate updates here.

Next Update
This advisory will be updated if new information becomes available or customer action requirements change.

Security Advisory: Shai-Hulud NPM Supply Chain Attack

Vulnerabilities

We are aware of the ongoing Shai-Hulud self-propagating supply chain attack impacting compromised NPM packages, as reported in the security community.

Following a thorough review of our product lifecycle and software supply chain, we can confirm that the OutSystems Platform is not impacted. The impacted NPM packages and versions are not part of the OutSystems Platform by default. However, customers may have the ability to introduce custom code or integrations that leverage these NPM packages. We recommend that customers review their own environments and validate whether any of the compromised NPM packages are in use.
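One way to carry out the review recommended above is to scan each project's npm lockfile for exact package@version matches against the published list of compromised packages. The script below is an added example written for this advisory; it is not OutSystems code, and the denylist it contains is a constructed placeholder (the page does not list the affected packages), to be replaced with the real name/version pairs from the campaign's public indicators. It handles both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2 and 3, so nested (transitive) installs of a compromised version are reported with their full path.

```python
"""Scan an npm package-lock.json for packages on a compromised-version denylist.

Added example for this advisory, not OutSystems code. COMPROMISED below is a
CONSTRUCTED placeholder; substitute the package@version list published for
the campaign being checked.
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Constructed placeholder denylist: exact (package name, version) pairs.
COMPROMISED: Set[Tuple[str, str]] = {
    ("example-compromised-pkg", "1.2.3"),
    ("@example-scope/another-pkg", "4.0.1"),
}

Hit = Tuple[str, str, str]  # (name, version, install path)


def _walk_v1(deps: Dict, parent: str) -> Iterator[Hit]:
    """lockfileVersion 1: 'dependencies' is a tree, nested per installed copy."""
    for name, meta in deps.items():
        path = f"{parent}/node_modules/{name}" if parent else f"node_modules/{name}"
        yield name, meta.get("version", ""), path
        yield from _walk_v1(meta.get("dependencies", {}), path)


def _walk_v2(packages: Dict) -> Iterator[Hit]:
    """lockfileVersion 2/3: 'packages' maps install paths to metadata."""
    for path, meta in packages.items():
        if not path:  # the empty key is the root project itself
            continue
        # Name is whatever follows the last 'node_modules/' segment; this keeps
        # scoped packages such as @scope/name intact.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path


def installed_packages(lock: Dict) -> List[Hit]:
    """Every installed (name, version, path), whichever lockfile layout is used."""
    if "packages" in lock:
        return list(_walk_v2(lock["packages"]))
    return list(_walk_v1(lock.get("dependencies", {}), ""))


def find_compromised(lock_text: str, denylist: Set[Tuple[str, str]] = COMPROMISED) -> List[Hit]:
    """Return sorted hits whose exact name and version appear in the denylist."""
    lock = json.loads(lock_text)
    return sorted(h for h in installed_packages(lock) if (h[0], h[1]) in denylist)


# Constructed sample lockfiles: one v3 layout and one v1 layout. Each contains a
# safe version (1.2.2) of the placeholder package beside a denylisted one (1.2.3).
SAMPLE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/foo": {"version": "2.0.0"},
        "node_modules/foo/node_modules/example-compromised-pkg": {"version": "1.2.3"},
        "node_modules/example-compromised-pkg": {"version": "1.2.2"},
        "node_modules/@example-scope/another-pkg": {"version": "4.0.1"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "foo": {"version": "2.0.0",
                "dependencies": {"example-compromised-pkg": {"version": "1.2.3"}}},
        "example-compromised-pkg": {"version": "1.2.2"},
    },
})


if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    hits = find_compromised(text)
    for name, version, path in hits:
        print(f"COMPROMISED {name}@{version} at {path}")
    sys.exit(1 if hits else 0)
```

Matching is on exact versions because a supply-chain compromise typically affects specific published versions, not a range; a non-zero exit status makes the scan usable as a CI gate over every repository's lockfile.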

Our Security and Engineering teams will continue to monitor developments closely and provide updates on this page as needed.

Salesloft Drift Security Incident

Incidents

Following a full analysis of Zendesk logs and tickets, we confirmed that the threat actor only accessed a small amount of low-risk data, such as email addresses and names. This is consistent with what we found in our Salesforce analysis. No credentials or sensitive information were accessed, so no action is required from OutSystems or our customers at this time.

We'll continue to review other low-risk applications that were integrated with Drift during the incident. We don't anticipate finding any issues, but if we do, we'll notify affected customers immediately.

If you are a customer or partner looking to know whether any names or email addresses in your organization were impacted by this incident, please have your DPO or Legal team reach out to dpo@outsystems.com.

Summary of Security Incident
On September 4, 2025, we identified unauthorized access to our Drift integration with Salesforce, which may have exposed data in several of our internal systems. This incident did not affect OutSystems' customer environments, applications, or platform services.

What Happened

  • Salesforce: A limited number of customer names and professional email addresses were exposed. The risk for this data is considered low. A limited number of stored credentials were also exposed, but they have since been revoked or rotated.
  • Zendesk: We found indicators of data exfiltration. The primary risk here is if customers included sensitive data, like passwords or credentials, in support tickets.
  • Drift: We have permanently discontinued our use of the Drift platform.

Actions Taken
We immediately revoked all Drift-related access and rotated credentials. We've also mitigated exposure for all compromised tokens. Our Data Protection team has completed an initial review and has confirmed that the exposed data is unlikely to pose a significant risk to individuals. We are not legally required to notify regulators at this time, but we will do so if our ongoing investigation changes this assessment.

What Customers Can Do
We recommend that customers who have custom-built applications on the OutSystems platform that integrate with Salesforce and Drift perform their own assessment. Additionally, if you have shared sensitive information in Zendesk tickets, we advise you to review that content and change any credentials immediately.

We are continuing to analyze our Zendesk logs and perform impact reviews on remaining systems. We will provide updates via our Security Trust Center.

If you think you may have discovered a vulnerability, please send us a note.