React/Next.js 曝满分RCE漏洞,无需认证即可远程代码执行

近期,聚铭安全攻防实验室监测发现了一项与React Server Components相关的远程代码执行漏洞, 该漏洞已被披露,编号为 CVE-2025-55182,CVSS 评分为 10.0 。 该漏洞主要波及react-server-dom-webpack的Server Actions功能。由于在处理客户端提交的表单数据时,系统未能实施充分的安全性校验,导致攻击者能够通过精心设计的恶意表单请求 ...
Infosecurity Magazine

React.js Hit by Maximum-Severity 'React2Shell' Vulnerability

A critical RCE flaw in React.js, dubbed React2Shell (CVE-2025-55182), has been disclosed with a maximum CVSS score of 10.0, posing severe risks for server-side implementations ...
TechSpot

Critical vulnerability in React JS framework has a near 100% chance to be exploited

Facepalm: A widely used web technology is affected by a serious security vulnerability that can be exploited with minimal effort to compromise servers. Known as "React2Shell," the flaw may require ...
Opinion
知乎 on MSNOpinion

一年内连爆两个高危 CVE,我们是否可以认为 React/Next.js 押宝 SSR 是 ...

一年两个高危CVE,React/Next.js的问题不是SSR,是前端被逼着干后端的活 CVE年年有,今年特别多,这不稀奇。什么时候开始一个”前端框架”的漏洞,能造成这么大的攻击面了? 2015年的React就是个View层的库,Virtual DOM diff一下完事儿。现在你点开Next.js的文档看看,Server Components、Server ...

Critical React Vulnerability Puts Web Servers At Immediate Risk

A newly discovered security flaw in the React ecosystem — one of the most widely used technologies on the web — is prompting ...

Cloudflare says its WAF is already protecting users from new React security flaws: Here ...

Cloudflare activates automatic WAF protection against a major React Server Components flaw as developers race to patch vulnerable systems worldwide.