React/Next.js 曝满分RCE漏洞,无需认证即可远程代码执行

近期,聚铭安全攻防实验室监测发现了一项与React Server Components相关的远程代码执行漏洞, 该漏洞已被披露,编号为 CVE-2025-55182,CVSS 评分为 10.0 。

Critical React, Next.js flaw lets hackers execute code on servers

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.

React警告:高危漏洞曝光,开发者需立即升级!

在一个瞬息万变的技术世界中,安全性无疑是开发者最为关心的话题之一。最近,Java界的明星框架React就因一个关键的安全漏洞而引发了广泛关注。12月4日,React官方发布了紧急公告,警告用户关于React Server Components中的一个高危漏洞:未经身份验证的远程代码执行(RCE)漏洞。
The Hacker News

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

Critical RSC flaws in React and Next.js enable unauthenticated remote code execution; users should update to patched versions ...
InfoWorld

Developers urged to immediately upgrade React, Next.js

Critical vulnerability in React library should be treated by IT as they did Log4j - as an emergency, warns one expert.
Cybernews

“Worst case scenario” vulnerability found in React, Next.js

A critical vulnerability has been discovered in React Server Components and frameworks like Next.js, allowing an ...