Axios Supply Chain Vulnerability

Trust Center


Our mission at OutSystems is to give every organization the power to innovate through software. We do this by helping organizations build software fast, right and for the future.

A visual, model-driven development environment with industry-leading AI-based assistance ensures that apps are built in days or weeks instead of months or years. Platform services, also AI-powered, automate the entire application lifecycle so apps can be deployed with a single click and managed with unparalleled ease.

This page is an overview of OutSystems' Security and Compliance programs. Use this site to learn more about our programs and to request access to supporting documents.

Trust Center Updates

Axios Supply Chain Vulnerability

Vulnerabilities

Status: No Impact Identified

OutSystems conducted a comprehensive assessment of the recently disclosed axios supply chain vulnerability. No impact to our platform or customer environments was identified.

Key Findings:

  • No affected packages in production environments
  • No vulnerable versions identified in source code or recent development activity
  • No indicators of compromise on developer endpoints
  • No malicious network activity observed

Ongoing Monitoring:
We have implemented targeted detection measures and will continue monitoring for any emerging indicators related to this vulnerability.

Conclusion:
No remediation actions are required at this time. There is no evidence of impact to customer data or services.

Critical RCE Vulnerability in React and Next.js - React2Shell

Vulnerabilities

Summary
The OutSystems Security Team has completed its investigation of the critical RCE vulnerability in React and Next.js (React2Shell), tracked as CVE-2025-55182 and CVE-2025-66478. The vulnerability allows Remote Code Execution (RCE) through React Server Components. OutSystems teams have validated their React code and confirmed that no react-server-xxx packages are used. Continuous monitoring of the OutSystems environment also confirmed that it is not exposed to CVE-2025-55182.
At the time of writing, CVE-2025-66478 (https://nvd.nist.gov/vuln/detail/CVE-2025-66478) is marked as a duplicate of CVE-2025-55182.

Scope of Validation
Our assessment involved all react components used in both O11 and ODC platforms.

Current Status
  • No evidence of active exploitation detected
  • No confirmed vulnerable components identified within monitored scope
  • Continuous monitoring remains in effect as detection logic and intelligence evolve

Ongoing Monitoring
OutSystems Security continues to actively monitor our environment to ensure that potentially vulnerable code is not introduced into or deployed to the OutSystems environment.

Customer Action Required
No customer action is required at this time.

Additional Information
This advisory applies to both O11 and ODC within the OutSystems Platform. It does not extend to customer-managed extensions, third-party integrations, or customer-controlled infrastructure.
For additional questions, customers may contact OutSystems Support through standard channels.

Security Advisory: Shai-Hulud 2.0 Campaign

Vulnerabilities

Summary
OutSystems Security has completed validation activities related to the publicly reported “Shai-Hulud 2.0” vulnerability campaign. Based on continuous monitoring and analysis across our monitored environments, OutSystems has not observed any indicators of compromise or known vulnerable components associated with this campaign as of 2025-12-02 15:44 UTC.

Scope of Validation
Our assessment and monitoring include the following security control surfaces:

  • Source code repositories
  • Container images and registries
  • Deployed cloud workloads and exposed attack paths within our managed cloud environments

Current Status

  • No evidence of active exploitation detected
  • No confirmed vulnerable components identified within monitored scope
  • Continuous monitoring remains in effect as detection logic and intelligence evolve

Ongoing Monitoring
OutSystems Security continues to actively monitor for updated indicators of compromise, exploit techniques, and upstream threat intelligence related to this campaign using both internal detection capabilities and third-party intelligence sources. If our risk posture changes, customers will be notified promptly through this portal.

Customer Action Required
No customer action is required at this time.

Additional Information
This advisory applies to all components within the OutSystems Platform. It does not extend to customer-managed extensions, third-party integrations, or customer-controlled infrastructure.

For additional questions, customers may contact OutSystems Support through standard channels.

CVE-2025-55315 and OutSystems Developer Cloud (ODC)

Vulnerabilities

Security Advisory: CVE-2025-55315 and OutSystems Developer Cloud (ODC)
Date: October 31, 2025
Severity: Medium (context-dependent)

Summary
A recent vulnerability (CVE-2025-55315) has been identified affecting certain versions of .NET, allowing potential HTTP request smuggling under specific conditions. We have evaluated the impact of this vulnerability on OutSystems Developer Cloud (ODC).

Platform Impact
The ODC Platform itself is not affected by CVE-2025-55315.

Customer Application Impact
ODC applications that include Custom Code or custom integrations built on top of .NET may be affected if they are using vulnerable .NET runtime versions. The level of exposure depends on the specific application implementation and hosting configuration.

Recommended Customer Actions
  • Confirm your application is using a supported and updated version of .NET.
  • If your application uses Custom Code actions or external libraries, ensure they are recompiled and deployed using the latest .NET security servicing release from Microsoft.
  • Follow Microsoft’s official guidance on the vulnerability and .NET patch availability: https://msrc.microsoft.com/update-guide

OutSystems Guidance
OutSystems is monitoring vendor updates from Microsoft.
If further action is required on the platform side, we will communicate updates here.

Next Update
This advisory will be updated if new information becomes available or customer action requirements change.

Security Advisory: Shai-Hulud NPM Supply Chain Attack

Vulnerabilities

We are aware of the ongoing Shai-Hulud self-propagating supply chain attack impacting compromised NPM packages, as reported in the security community.

Following a thorough review of our product lifecycle and software supply chain, we can confirm that the OutSystems Platform is not impacted. The impacted NPM packages and versions are not part of the OutSystems Platform by default. However, customers may have the ability to introduce custom code or integrations that leverage these NPM packages. We recommend that customers review their own environments and validate whether any of the compromised NPM packages are in use.

Our Security and Engineering teams will continue to monitor developments closely and provide updates on this page as needed.
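The Axios advisory above reports a check for affected package versions in source code, and this advisory asks customers to validate whether any compromised NPM packages are in use in their own environments. The following is an added example of how such a lockfile check can be done; it is not OutSystems code and not part of the original page. It parses an npm package-lock.json (lockfileVersion 1, 2 or 3, including nested and scoped packages) and compares every installed package against a denylist of package/version pairs. The denylist entries and the sample lockfile are constructed placeholders for demonstration only, not real indicators; a real run would replace COMPROMISED_PACKAGES with the package/version pairs published in the advisory being acted on.

```python
import json
import sys

# Constructed placeholder denylist: package name -> set of compromised versions.
# These names and versions are NOT real indicators from OutSystems or any vendor;
# replace them with the package/version pairs published in the relevant advisory.
COMPROMISED_PACKAGES = {
    "example-compromised-pkg": {"1.2.3", "1.2.4"},
    "another-example-pkg": {"4.0.1"},
}

# Constructed sample package-lock.json (lockfileVersion 3) so the example runs offline.
# Note the nested copy of another-example-pkg: flat scans of top-level deps miss these.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-compromised-pkg": "^1.2.0"}},
        "node_modules/example-compromised-pkg": {"version": "1.2.3"},
        "node_modules/another-example-pkg": {"version": "4.0.0"},
        "node_modules/safe-pkg": {"version": "2.1.0"},
        "node_modules/safe-pkg/node_modules/another-example-pkg": {"version": "4.0.1"},
    },
})


def iter_installed(lock):
    """Yield (name, version, path) for every package recorded in a parsed lockfile."""
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, e.g.
        # "node_modules/a/node_modules/@scope/b". The package name is whatever
        # follows the last "node_modules/" segment (scoped names keep their "@scope/").
        for path, entry in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, entry.get("version"), path
    else:
        # lockfileVersion 1: "dependencies" is a tree keyed by package name,
        # with nested "dependencies" for packages that were not hoisted.
        def walk(deps, prefix):
            for name, entry in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, entry.get("version"), path
                yield from walk(entry.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock_text, denylist=COMPROMISED_PACKAGES):
    """Return a list of installed packages whose exact version is on the denylist."""
    lock = json.loads(lock_text)
    hits = []
    for name, version, path in iter_installed(lock):
        if name in denylist and version in denylist[name]:
            hits.append({"name": name, "version": version, "path": path})
    return hits


if __name__ == "__main__":
    # Usage: python check_lockfile.py [path/to/package-lock.json]
    # Without an argument the constructed sample lockfile is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for hit in find_compromised(text):
        print(f"COMPROMISED: {hit['name']}@{hit['version']} at {hit['path']}")
```

The check is exact-version, since supply chain compromises typically affect specific published versions rather than whole package lines, and it walks nested installs because a clean top-level dependency can still pull in a compromised transitive version. A lockfile only records what is pinned: CI caches, globally installed tooling and developer machines that installed without a lockfile need to be checked separately.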

If you think you may have discovered a vulnerability, please send us a note.