好的,用户让我帮忙总结一篇文章,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,找出关键信息。 文章主要讲的是美国CISA机构将Meta公司的React Server Components中的一个漏洞加入到已知被利用的漏洞目录中。这个漏洞的CVE编号是CVE-2025-55182,CVSS评分是10.0,属于严重级别。漏洞影响的是React Server Components的某些版本,具体是19.0.0到19.2.0这几个版本,以及相关的几个包。 漏洞类型是预身份验证远程代码执行漏洞,这意味着攻击者可以在无需认证的情况下执行恶意代码。问题出在代码处理HTTP请求时没有进行适当的安全检查,导致反序列化攻击的可能性。 研究人员Lachlan Davidson在11月29日报告了这个漏洞,并指出即使应用程序没有使用Server Function端点,也可能受到影响。修复版本已经发布,分别是19.0.1、19.1.2和19.2.1。 亚马逊在漏洞披露后几小时内就检测到中国相关团体利用这个漏洞进行攻击。虽然AWS服务没有受到影响,但使用这些版本的客户需要立即采取行动修复。 根据BOD 22-01指令,联邦 civilian executive branch机构必须在指定日期前修复这些漏洞,这里指定的日期是2025年12月26日。专家还建议私营组织检查目录并修复基础设施中的漏洞。 总结时需要包括CISA添加了哪个漏洞、该漏洞的影响范围、严重性评分、修复版本以及修复截止日期等关键点。同时要控制在100字以内,所以需要简洁明了地表达这些信息。 现在把这些信息整合起来:CISA将Meta React Server Components的一个严重漏洞(CVE-2025-55182)加入目录中。该漏洞影响多个版本,并允许远程代码执行。修复版本已发布,并要求联邦机构在指定日期前完成修复。 这样应该能准确且简洁地总结文章内容。 </think> 美国网络安全和基础设施安全局 (CISA) 将 Meta React Server Components 中的一个严重漏洞 (CVE-2025-55182) 添加到其已知被利用的漏洞目录中。该漏洞允许预身份验证远程代码执行,并影响多个版本的 React Server Components 包。修复版本已发布,并要求联邦机构在 2025 年 12 月 26 日前完成修复以应对潜在攻击风险。 2025-12-8 09:1:13 Author: securityaffairs.com(查看原文) 阅读量:3 收藏
U.S. CISA adds a Meta React Server Components flaw to its Known Exploited Vulnerabilities catalog
Pierluigi Paganini
December 08, 2025
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Meta React Server Components flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a a Meta React Server Components flaw, tracked as CVE-2025-55182 (CVSS Score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability is a pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw comes from the code deserializing data from HTTP requests to Server Function endpoints without proper safety checks.
“A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.” reads the advisory. “The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”
The researcher Lachlan Davidson reported the security vulnerability in React on November 29th. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution. Apps using React Server Components may be exposed even without Server Function endpoints.
Versions 19.0.1, 19.1.2, and 19.2.1 addressed the flaw.
Amazon detected China-linked groups exploiting CVE-2025-55182 (React2Shell) within hours of its December 3 disclosure. AWS services aren’t impacted, but customers running affected versions should act immediately.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by December 26, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
如有侵权请联系:admin#unsafe.sh