Critical Security Vulnerability in React Server Components

Original link: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

## React Security Vulnerability - Urgent Update

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) has been found in React Server Components that allows **unauthenticated remote code execution**. It affects React versions 19.0, 19.1.0, 19.1.1 and 19.2.0.

**Immediate action required:** upgrade to React 19.0.1, 19.1.2 or 19.2.1.

The vulnerability affects applications that use React Server Components, even if you do not implement a Server Function endpoint yourself. **Affected frameworks and bundlers include:** Next.js, React Router, Waku, Parcel, Vite and Redwood SDK. Upgrade instructions for each framework are given in the full advisory.

Although some hosting providers have applied temporary mitigations, **relying on those is not sufficient**; upgrading is essential. The vulnerability stems from a flaw in the way React decodes payloads sent to Server Function endpoints, which allows an attacker to execute code on the server through a crafted HTTP request.

The issue was reported by Lachlan Davidson on November 29, 2025, and a fix was released on December 3, 2025. If your application does not use a server, or does not use a framework that supports React Server Components, it is not affected.

A critical security vulnerability has been discovered in React Server Components (RSC) that could allow an unauthenticated attacker to execute remote code on the server. The issue stems from malicious HTTP requests aimed at Server Function endpoints during deserialization.

Multiple popular frameworks are affected, including Next.js, react-router and others that use RSC. The vulnerability has a CVSS score of 10, indicating extreme severity.

Fortunately, Next.js has already released fixes in versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Users of the affected frameworks are strongly advised to update immediately. The discovery highlights ongoing security concerns around React's newer features, prompting some developers to consider alternatives such as HTMX. Further discussion and details can be found on Hacker News and related threads.
Original article

December 3, 2025 by The React Team


There is an unauthenticated remote code execution vulnerability in React Server Components.

We recommend upgrading immediately.


On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

Immediate Action Required

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

Affected frameworks and bundlers

Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

We will update this post with upgrade instructions as they become available.

Hosting Provider Mitigations

We have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app, and still update immediately.

Vulnerability overview

React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.

Update Instructions

Next.js

All users should upgrade to the latest patched version in their release line:

npm install next@15.0.5

npm install next@15.1.9

npm install next@15.2.6

npm install next@15.3.6

npm install next@15.4.8

npm install next@15.5.7

npm install next@16.0.7

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

See the Next.js changelog for more info.

React Router

If you are using React Router’s unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

npm install react@latest

npm install react-dom@latest

npm install react-server-dom-parcel@latest

npm install react-server-dom-webpack@latest

npm install @vitejs/plugin-rsc@latest

Expo

Upgrade to the latest react-server-dom-webpack:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

Redwood SDK

Ensure you are on rwsdk>=1.0.0-alpha.0

For the latest beta version:

Upgrade to the latest react-server-dom-webpack:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

See Redwood docs for more migration instructions.

Waku

Upgrade to the latest react-server-dom-webpack:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

@vitejs/plugin-rsc

Upgrade to the latest RSC plugin:

npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest

react-server-dom-parcel

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-parcel@latest

react-server-dom-turbopack

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-turbopack@latest

react-server-dom-webpack

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

Timeline

  • November 29th: Lachlan Davidson reported the security vulnerability via Meta Bug Bounty.
  • November 30th: Meta security researchers confirmed and began working with the React team on a fix.
  • December 1st: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix.
  • December 3rd: The fix was published to npm and publicly disclosed as CVE-2025-55182.

Attribution

Thank you to Lachlan Davidson for discovering, reporting, and working to help fix this vulnerability.
