原文
原始链接: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
某些 React 包(版本 19.0.0、19.1.0、19.1.1 和 19.2.0)以及使用这些包的框架(包括使用 App Router 的 Next.js 15.x 和 16.x)受到一个漏洞的影响。该问题在上游被追踪为 CVE-2025-55182。 修复版本: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 该漏洞还影响了从 14.3.0-canary.77 开始的实验性 Canary 版本。任何 14.3 Canary 构建的用户应降级到 14.x 稳定版本或 14.3.0-canary.76。所有使用稳定版 15.x 或 16.x Next.js 版本的用户应立即升级到已修复的稳定版本。 受影响的 React 包是: react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack
A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.
Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.
All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
1 The affected React packages are: