React/Next.js 曝满分RCE漏洞,无需认证即可远程代码执行

近期,聚铭安全攻防实验室监测发现了一项与React Server Components相关的远程代码执行漏洞, 该漏洞已被披露,编号为 CVE-2025-55182,CVSS 评分为 10.0 。 该漏洞主要波及react-server-dom-webpack的Server Actions功能。由于在处理客户端提交的表单数据时,系统未能实施充分的安全性校验,导致攻击者能够通过精心设计的恶意表单请求 ...
腾讯网

Next.js 发布扫描工具:检测并修复受 React2Shell 漏洞(CVE-2025-66478 ...

Next.js 发布了一款名为 fix-react2shell-next 的专用命令行工具,帮助开发者快速检测并修复高危"React2Shell"漏洞(CVE-2025-66478)。这款新型扫描器提供单行命令解决方案,可识别存在漏洞的 ...

React 最高危漏洞曝光,开发者需紧急升级!

在科技的快速发展中,安全问题始终是开发者们无法忽视的隐患。今天凌晨,React团队发布了一则紧急通知,警告用户一个最高危漏洞(CVE-2025-55182)的出现,CVSS评分高达10.0分,标志着这一漏洞的危险程度相当于黑客能轻易在服务器上执行任意代码,简直是开发者的噩梦!
腾讯网

Dify v1.11.1修复react重要漏洞,官方建议立即升级

Dify 将前端核心框架 react 和 react-dom 升级到了 19.2.3,并同步更新了 Next.js 的安全补丁。这次修复的是核心依赖库中已知的 CVE ...

Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting ...

React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ...
CoinDesk

New React bug that can drain all your tokens is impacting 'thousands of' websites

Attackers are using the vulnerability to deploy malware and crypto-mining software, compromising server resources and ...
InfoWorld

Angular, React, Vue: JavaScript frameworks compared

When considering React, Angular, and Vue, the first thing to note is that they carry the same notion at their cores: data binding. The idea here is that the framework assumes the work of tying the ...
GovInfoSecurity

Exploit Attempts Surge for React2Shell

Hacker interest is high in a days-old vulnerability in widely used web application framework React, with dozens of organizations already falling victim to it, ...
Opinion
知乎 on MSNOpinion

一年内连爆两个高危 CVE,我们是否可以认为 React/Next.js 押宝 SSR 是 ...

一年两个高危CVE,React/Next.js的问题不是SSR,是前端被逼着干后端的活 CVE年年有,今年特别多,这不稀奇。什么时候开始一个”前端框架”的漏洞,能造成这么大的攻击面了? 2015年的React就是个View层的库,Virtual DOM diff一下完事儿。现在你点开Next.js的文档看看,Server Components、Server ...