¡¾Îó²îͨ¸æ¡¿React Server Components Ô¶³Ì´úÂëÖ´ÐÐÎó²î(CVE-2025-55182)

Ðû²¼Ê±¼ä 2025-12-04

Ò»¡¢Îó²î¸ÅÊö


Îó²îÃû³Æ

React Server Components Ô¶³Ì´úÂëÖ´ÐÐÎó²î

CVE   ID

CVE-2025-55182

Îó²îÀàÐÍ

RCE

·¢Ã÷ʱ¼ä

2025-12-4

Îó²îÆÀ·Ö

10

Îó²îÆ·¼¶

ÑÏÖØ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ʹÓÃÄѶÈ

µÍ

Óû§½»»¥

²»ÐèÒª

PoC/EXP

ÒѹûÕæ

ÔÚҰʹÓÃ

δ·¢Ã÷


ReactÊÇÒ»¸öÓÃÓÚ¹¹½¨Óû§½çÃæµÄJavaScript¿â£¬ÓÉFacebook¿ª·¢ºÍά»¤¡£Ëü»ùÓÚ×é¼þ»¯µÄ¿ª·¢Ä£Ê½£¬Í¨¹ýÉùÃ÷ʽ±à³Ì¼ò»¯Á˽çÃæµÄ¹¹½¨ºÍ¸üС£Reactͨ¹ýÐéÄâDOMÌáÉýäÖȾÐÔÄÜ£¬È·±£×îС»¯¶ÔÕæʵDOMµÄ²Ù×÷£¬ÓÅ»¯ÁËÓ¦ÓõÄÏìÓ¦ËÙÂÊ¡£ËüÖ§³Öµ¥ÏòÊý¾ÝÁ÷£¬ÌáÉýÁËÓ¦ÓõĿÉÕ¹ÍûÐԺͿÉά»¤ÐÔ¡£React¿ÉÓëÆäËû¿â»ò¿ò¼ÜÒ»ÆðʹÓ㬳£¼ûµÄ×éºÏ°üÀ¨React RouterÓÃÓÚ·ÓÉÖÎÀíºÍReduxÓÃÓÚ״̬ÖÎÀí¡£ReactÊÊÓÃÓÚ¹¹½¨ÏÖ´úWebºÍÒƶ¯¶ËÓ¦Óã¬ÆÕ±éÓ¦ÓÃÓÚÇ°¶Ë¿ª·¢ÁìÓò¡£


2025Äê12ÔÂ4ÈÕ£¬×ðÁú¿­Ê±¼¯ÍÅVSRC¼à²âµ½Ò»¸ö±£´æÓÚReact Server ComponentsÖеÄÔ¶³Ì´úÂëÖ´ÐÐÎó²î¡£¸ÃÎó²îÔ´ÓÚReactÔÚ´¦Öóͷ£¿Í»§¶Ë·¢Ë͵ÄÇëÇóʱ£¬·´ÐòÁл¯»úÖƱ£´æȱÏÝ¡£React½«¿Í»§¶ËÇëÇóתΪHTTPÇëÇó²¢×ª·¢ÖÁ·þÎñÆ÷£¬Ö®ºóÔÚ·þÎñÆ÷¶Ë½«HTTPÇëÇó·´ÐòÁл¯Îªº¯ÊýŲÓ᣹¥»÷Õß¿Éͨ¹ý½á¹¹¶ñÒâHTTPÇëÇó£¬Ê¹Óø÷´ÐòÁл¯È±ÏÝ£¬ÔÚ·þÎñÆ÷¶ËÖ´ÐÐí§Òâ´úÂ룬´Ó¶ø´¥·¢Ô¶³Ì´úÂëÖ´ÐÐΣº¦¡£ÊÜÓ°ÏìµÄ×é¼þ°üÀ¨react-server-dom-webpack¡¢react-server-dom-parcel¡¢react-server-dom-turbopackµÈ¡£¸ÃÎó²îÎÞÐèÈÏÖ¤¼´¿É±»¹¥»÷Õß´¥·¢£¬¿ÉÄܶÔϵͳÇå¾²×é³ÉÑÏÖØÍþв¡£


¶þ¡¢Ó°Ïì¹æÄ£


react-server-dom-webpack¡¢react-server-dom-parcel¡¢react-server-dom-turbopack = 19.0
react-server-dom-webpack¡¢react-server-dom-parcel¡¢react-server-dom-turbopack = 19.1.0
react-server-dom-webpack¡¢react-server-dom-parcel¡¢react-server-dom-turbopack = 19.1.1
react-server-dom-webpack¡¢react-server-dom-parcel¡¢react-server-dom-turbopack = 19.2.0


ÆäËûÊÜÓ°Ïì¿ò¼ÜºÍ´ò°ü³ÌÐò

Next.js <= 15.0.0
React Router ²»ÎÈ¹ÌµÄ RSC API °æ±¾
Expo ËùÓаüÀ¨ react-server-dom-webpack°æ±¾
Redwood SDK£ºrwsdk < 1.0.0-alpha.0
Waku ËùÓаüÀ¨ react-server-dom-webpack°æ±¾
@vitejs/plugin-rsc ËùÓÐʹÓò»Çå¾²°æ±¾µÄ²å¼þ


Èý¡¢Çå¾²²½·¥


3.1 Éý¼¶°æ±¾


¹Ù·½ÒÑÐû²¼ÐÞ¸´²¹¶¡£¬ÒÔÐÞ¸´¸ÃÎó²î¡£
React Server >= 19.0.1
React Server >= 19.1.2
React Server >= 19.2.1
Next.js
Éý¼¶µ½ÒÔÏÂÐÞ¸´°æ±¾£º
npm install next@15.0.5 £¨ÊÊÓÃÓÚ 15.0.x£©
npm install next@15.1.9 £¨ÊÊÓÃÓÚ 15.1.x£©
npm install next@15.2.6 £¨ÊÊÓÃÓÚ 15.2.x£©
npm install next@15.3.6 £¨ÊÊÓÃÓÚ 15.3.x£©
npm install next@15.4.8 £¨ÊÊÓÃÓÚ 15.4.x£©
npm install next@15.5.7 £¨ÊÊÓÃÓÚ 15.5.x£©
npm install next@16.0.7 £¨ÊÊÓÃÓÚ 16.0.x£©
ÈôÊÇʹÓà Next.js 14.3.0-canary.77 »ò¸ü¸ß°æ±¾£¬Çë½µ¼¶µ½×îеÄÎÈ¹Ì 14.x °æ±¾£º
npm install next@14
React Router
ÈôÊÇʹÓà React Router µÄ²»ÎÈ¹Ì RSC API£¬Éý¼¶ÒÔÏÂÒÀÀµ£º
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
Expo
Éý¼¶ÖÁ×îа汾µÄ react-server-dom-webpack£º
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Redwood SDK
È·±£°æ±¾Îª rwsdk >= 1.0.0-alpha.0
×îРbeta °æ±¾£º
npm install rwsdk@latest
Éý¼¶ÖÁ×îа汾µÄ react-server-dom-webpack£º
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Waku
Éý¼¶ÖÁ×îа汾µÄ react-server-dom-webpack£º
npm install react@latest react-dom@latest react-server-dom-webpack@latest
@vitejs/plugin-rsc
Éý¼¶ÖÁ×îа汾µÄ RSC ²å¼þ£º
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
react-server-dom-parcel
Éý¼¶ÖÁ×îа汾£º
npm install react@latest react-dom@latest react-server-dom-parcel@latest
react-server-dom-turbopack
Éý¼¶ÖÁ×îа汾£º
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
react-server-dom-webpack
Éý¼¶ÖÁ×îа汾£º
npm install react@latest react-dom@latest react-server-dom-webpack@latest


3.2 ÔÝʱ²½·¥


ÔÝÎÞ¡£


3.3 ͨÓý¨Òé


? °´ÆÚ¸üÐÂϵͳ²¹¶¡£¬ïÔ̭ϵͳÎó²î£¬ÌáÉý·þÎñÆ÷µÄÇå¾²ÐÔ¡£
ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬Ð޸ķÀ»ðǽսÂÔ£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻò·þÎñ£¬ïÔÌ­½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬ïÔÌ­¹¥»÷Ãæ¡£
ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£
ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬ÆôÓöàÒòËØÈÏÖ¤»úÖƺÍ×îСȨÏÞÔ­Ôò£¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏ޶ȡ£

ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£


3.4 ²Î¿¼Á´½Ó


https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components/
https://www.cve.org/CVERecord?id=CVE-2025-55182