December 3, 2025

A maximum severity vulnerability (CVSS 10) was discovered in React, one of the most popular JavaScript frameworks. If your app supports React Server Components, you are likely vulnerable out of the box, even if you aren’t using Server Functions explicitly. Patch immediately.
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding React2Shell, a critical vulnerability in React Server Components.
What is the React Server Component (RSC) vulnerability?
On December 3, 2025, the React Team published a blog post regarding a critical vulnerability affecting React Server Components.
What is the vulnerability that was disclosed to the React Team?
The React Team confirmed the presence of one critical vulnerability:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-55182 | React Server Components Remote Code Execution Vulnerability | 10.0 |
This vulnerability was disclosed to the React Team by Lachlan Davidson on November 29, 2025.
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe deserialization vulnerability in RSC. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted payload to a vulnerable React Server Function endpoint. Successful exploitation could result in remote code execution on the server.
Are we still vulnerable if our app doesn’t use React Server Functions endpoints?
Potentially. According to the React Team, the vulnerability is exploitable wherever React Server Components are supported, even if the application does not use React Server Functions.
What is React2Shell?
“React2Shell” is the name given to CVE-2025-55182 by a security researcher, a nod to the Log4Shell vulnerability.

Logo created by Tenable Research Special Operations, inspired by the iconic Log4Shell logo.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog post was published on December 3, there were no confirmed public PoC exploits for CVE-2025-55182 that work against default configurations.
What React Server Components are vulnerable?
The following react-server-dom packages have been confirmed vulnerable:
| Affected package | Affected versions |
|---|---|
| react-server-dom-parcel | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-webpack | 19.0, 19.1.0, 19.1.1, 19.2.0 |
Frameworks that bundle these packages are affected as well, including Next.js, React Router, Expo, Redwood SDK, Waku and others.
Did Next.js publish their own advisory and CVE?
Yes, the Next.js team published a security advisory and their own CVE, CVE-2025-66478. However, the National Vulnerability Database (NVD) rejected this CVE as a duplicate of CVE-2025-55182.
What Next.js versions are affected?
Next.js applications that use the App Router are vulnerable on the following versions:
| Affected Next.js versions |
|---|
| 15.0.4 and below |
| 15.1.8 and below |
| 15.2.5 and below |
| 15.3.5 and below |
| 15.4.7 and below |
| 15.5.6 and below |
| 16.0.6 and below |
| 14.3.0-canary.77 and later releases |
How severe is this vulnerability?
It has the potential to be very severe. In 2024, according to the State of JavaScript, an annual developer survey of the JavaScript ecosystem, React was used by 82% of respondents.
Adding to the severity, exploitation can occur in apps that support React Server Components even when React Server Function endpoints are not in use.
Has CVE-2025-55182 been exploited in the wild?
As of December 3, there have been no confirmed reports of in-the-wild exploitation for CVE-2025-55182. However, there are some unconfirmed reports of exploitation circulating. The RSO team is monitoring for further confirmation and will update this section accordingly.
Are patches or mitigations available for CVE-2025-55182?
Yes, the React Team published the following fixed versions of the react-server-dom packages:
| Package | Fixed versions |
|---|---|
| react-server-dom-parcel | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-turbopack | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-webpack | 19.0.1, 19.1.2, 19.2.1 |
The following are fixed versions of Next.js:
| Fixed Next.js versions |
|---|
| 15.0.5 |
| 15.1.9 |
| 15.2.6 |
| 15.3.6 |
| 15.4.8 |
| 15.5.7 |
| 16.0.7 |
For additional update instructions for React Router, Expo, Redwood SDK, Waku and others, please visit the React Team’s blog.
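The affected and fixed version tables above are easy to misread when a transitive dependency pins its own copy of next or a react-server-dom package. As an added example (not code from Tenable's post or from the React project), the following Node.js script reads a package-lock.json (lockfileVersion 2 or 3, "packages" map), walks every entry including nested node_modules copies, and classifies the react-server-dom-parcel/turbopack/webpack and next versions it finds against the tables above. The embedded sample lockfile is constructed for illustration; the handling of "14.3.0-canary.77 and later releases" treats any 14.x at or above that canary as affected, since the post lists no fixed 14.x release.

```javascript
// Added example, not code from the Tenable post or the React project.
// Scans a package-lock.json (lockfileVersion 2 or 3, "packages" map) for
// react-server-dom-* and next entries and compares them with the affected
// and fixed versions listed in the post for CVE-2025-55182. Nested copies
// under node_modules/<dep>/node_modules/ are checked too, since a transitive
// dependency can pin an old react-server-dom-* or next.

const RSC_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// Fixed release per minor line, as published in the post's tables.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// "14.3.0-canary.77 and later releases" are listed as affected; no fixed 14.x is listed.
const NEXT_14_CANARY_FIRST_AFFECTED = "14.3.0-canary.77";

function parseVersion(text) {
  // Accepts "19.2.0", "19.0" (patch defaults to 0) and "14.3.0-canary.77".
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?/.exec(text);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: m[4] || null };
}

function cmpIdent(x, y) {
  // Semver prerelease identifier order: numerics compare as numbers and sort before alphanumerics.
  const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
  if (nx && ny) return Math.sign(Number(x) - Number(y));
  if (nx) return -1;
  if (ny) return 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

function compareVersions(a, b) {
  // Returns -1, 0 or 1. A prerelease sorts below the release with the same core.
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  const pa = a.pre.split("."), pb = b.pre.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if (pa[i] === undefined) return -1;
    if (pb[i] === undefined) return 1;
    const c = cmpIdent(pa[i], pb[i]);
    if (c !== 0) return c;
  }
  return 0;
}

function assess(name, version) {
  // null for packages this check does not cover; otherwise
  // { name, version, status: "vulnerable" | "fixed" | "not listed" | "unparsable", fixed? }.
  let fixedTable;
  if (RSC_PACKAGES.has(name)) fixedTable = RSC_FIXED;
  else if (name === "next") fixedTable = NEXT_FIXED;
  else return null;

  const v = parseVersion(version);
  if (!v) return { name, version, status: "unparsable" };

  if (name === "next" && v.major === 14 &&
      compareVersions(v, parseVersion(NEXT_14_CANARY_FIRST_AFFECTED)) >= 0) {
    return { name, version, status: "vulnerable", fixed: "no fixed 14.x listed; move to a fixed 15.x/16.x" };
  }
  const fixed = fixedTable[`${v.major}.${v.minor}`];
  if (!fixed) return { name, version, status: "not listed" };
  const status = compareVersions(v, parseVersion(fixed)) < 0 ? "vulnerable" : "fixed";
  return { name, version, status, fixed };
}

function packageNameFromPath(lockPath) {
  // "node_modules/a/node_modules/@s/b" -> "@s/b"
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

function scanLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry
    const name = entry.name || packageNameFromPath(lockPath);
    const result = assess(name, entry.version || "");
    if (result) findings.push({ path: lockPath, ...result });
  }
  return findings;
}

// Constructed sample lockfile for illustration (not a real project).
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy-tool": { version: "2.0.0" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.3.0-canary.80" },
    "node_modules/legacy-tool/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

function main() {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = scanLock(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.path} ${f.version}${f.fixed ? `  (fixed: ${f.fixed})` : ""}`);
  }
  const n = findings.filter((f) => f.status === "vulnerable").length;
  console.log(n ? `${n} vulnerable entr${n === 1 ? "y" : "ies"} found` : "no affected versions found");
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it as `node rsc-check.js path/to/package-lock.json`; with no argument it scans the embedded sample. It only parses npm lockfiles (pnpm and yarn use different formats) and only knows the packages named in the tables above, so treat a "not listed" result as "check the React Team's post for that framework", not as safe.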
Has Tenable released any product coverage for this vulnerability?
A list of Tenable plugins for CVE-2025-55182 can be found on the individual CVE page as they're released, including upcoming plugins in our Plugins Pipeline.
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).