React Server Components remote code execution vulnerability strikes; mansion88明升 provides solutions

Published: 2025-12-04

Today, mansion88明升 detected a remote code execution vulnerability in React Server Components (CVE-2025-55182). When processing the Flight protocol serialized payload that a client sends to the server, the affected code lacks a security validation mechanism for the structure of deserialized objects. An attacker can craft a malicious payload request that invokes Node.js built-in modules, executing arbitrary code and commands on the server and leading to complete server compromise.


Vulnerability description


CVE-2025-55182 is a high-severity remote code execution (RCE) vulnerability in the React Server Components (RSC) implementation, with a CVSS v3.1 score of 10.0 (Critical).

The root cause is that the server-side runtime packages provided by React (such as react-server, react-server-dom-webpack or react-server-dom-parsing), when processing the Flight protocol serialized payload that a client sends to the server, lack a security validation mechanism for the structure of deserialized objects.

The vulnerability has the following key characteristics:

No authentication required: an attacker only needs to reach the RSC endpoint (usually a public web route) to trigger it;
Low exploitation threshold: a single HTTP POST request is sufficient;
Wide impact: every framework that uses the official RSC implementation (such as Next.js, Waku, etc.) is affected;
Sandbox bypass: the execution context is the server-side Node.js process, which can read environment variables, the file system, database connections and other sensitive resources.


[Figures: vulnerability reproduction screenshots]

Solutions


I. Official fix


# All users should upgrade to the latest patched version in their release line:

npm install next@15.0.5   // for 15.0.x

npm install next@15.1.9   // for 15.1.x

npm install next@15.2.6   // for 15.2.x

npm install next@15.3.6   // for 15.3.x

npm install next@15.4.8   // for 15.4.x

npm install next@15.5.7   // for 15.5.x

npm install next@16.0.7   // for 16.0.x

# If you are on Next.js 14.3.0-canary.77 or a later canary version, downgrade to the latest stable 14.x:


npm install next@14

# See the Next.js changelog for more information.
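As an added check (example code, not part of this advisory or of the Next.js project), the following script classifies an installed Next.js version against the patched versions listed above, including the canary rule, and reads the version out of a package.json. The patched-version table is taken from the advisory; the parsing and comparison logic, the status names and the sample package.json are assumptions of this example.

```javascript
// Added example (not from the advisory or Next.js): classify an installed Next.js version
// against the patched versions listed in the advisory for CVE-2025-55182.
const PATCHED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
                  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" }; // release line -> first patched version
const FIRST_AFFECTED_CANARY = "14.3.0-canary.77"; // this canary and later: move to stable 14.x

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// Semver-style ordering: numeric triple, then prerelease (prerelease < release; numeric ids < alphanumeric).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

function assessNextVersion(version) {
  const v = parseVersion(version);
  if (v.pre && v.pre[0] === "canary") {
    const affected = compareVersions(version, FIRST_AFFECTED_CANARY) >= 0;
    return affected ? { status: "vulnerable", action: "npm install next@14" } : { status: "not-affected", action: null };
  }
  const fixed = PATCHED[`${v.major}.${v.minor}`];
  if (fixed) {
    const ok = compareVersions(version, fixed) >= 0;
    return ok ? { status: "patched", action: null } : { status: "vulnerable", action: `npm install next@${fixed}` };
  }
  if (v.major <= 14) return { status: "not-affected", action: null }; // stable 14.x is the advisory's safe target
  return { status: "unknown", action: "consult the Next.js changelog" }; // release line not listed in the advisory
}

// Read the `next` version from package.json text; a leading ^ or ~ range marker is stripped first.
function assessPackageJson(text) {
  const pkg = JSON.parse(text);
  const spec = (pkg.dependencies || {}).next || (pkg.devDependencies || {}).next;
  return spec ? assessNextVersion(spec.replace(/^[\^~]/, "")) : { status: "no-next", action: null };
}
// Constructed sample input; prints { status: 'vulnerable', action: 'npm install next@15.4.8' }
console.log(assessPackageJson(JSON.stringify({ dependencies: { next: "^15.4.7", react: "19.1.0" } })));
```

A version pinned with a range marker is judged by its lower bound, so confirm the resolved version in the lockfile or with `npm ls next` before trusting a "patched" result.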


II. mansion88明升 solutions


1. mansion88明升 vulnerability scanning product


The 天镜 (Tianjing) Vulnerability Scanning System released a dedicated CVE-2025-55182 detection module on 2025-12-04:


Automatically identifies RSC communication characteristics

Determines the React/Next.js version from behavioral fingerprints

Non-destructive verification with no impact on business operations

Supports batch scanning of API and web application assets


Recommended scanning strategy: upgrade the vulnerability database to the latest version wvs_100, then dispatch the scan tasks.




2. mansion88明升 detection products


The detection product team has reproduced the vulnerability, and each detection system released a dedicated CVE-2025-55182 detection event library on 2025-12-04:


Upgrade the 天阗 (Tiantian) Intrusion Detection and Management System (IDS), 天阗 Hyper-converged Detection Probe (CSP), 天阗 Threat Analysis Appliance (TAR), 天清 (Tianqing) Web Application Security Gateway (WAF) and 天清 Intrusion Prevention System (IPS) to the latest version to effectively detect or block attacks that exploit this vulnerability.


Event library download address:

https://venustech.download.venuscloud.cn/


3. mansion88明升 Asset and Vulnerability Management Platform


The mansion88明升 Asset and Vulnerability Management Platform collects and updates intelligence in real time, including the React Server Components remote code execution vulnerability (CVE-2025-55182); please promptly perform vulnerability management on the assets registered in the platform.




4. mansion88明升 Security Management and Situational Awareness Platform


(1) Correlation analysis strategy based on attack behavior


Users can configure correlation analysis rules in the mansion88明升 泰合 (Taihe) Security Management and Situational Awareness Platform and continuously monitor the system logs and security device alerts collected from their environment, in order to detect exploitation of the "React Server Components remote code execution vulnerability (CVE-2025-55182)".


In the 泰合 platform, use the vulnerability discovery function to run a scan task for the "React Server Components remote code execution vulnerability (CVE-2025-55182)" and identify the important assets in the managed network that are affected by it.




In the platform's "Correlation Analysis" module, add the rule "L2_React Server Components remote code execution vulnerability (CVE-2025-55182)", which uses the alert logs from mansion88明升 detection devices, target host systems and other devices to detect external attack activity.




An analysis rule automatically adds the source addresses of suspicious behavior matching "L2_React Server Components remote code execution vulnerability (CVE-2025-55182)" to the "High-Risk Connections" watch list, for use as internal intelligence data.


Add the rule "L3_React Server Components remote code execution vulnerability (CVE-2025-55182)" with the conditions: log name equals or contains "L2_React Server Components remote code execution vulnerability (CVE-2025-55182)", attack result equals or belongs to "Attack Successful", and the destination address references an asset vulnerability or the source address matches threat intelligence. This raises the confidence of the correlation rule.




(2) ATT&CK attack chain analysis and SOAR response recommendations


Analysis of the exploitation process for the React Server Components remote code execution vulnerability (CVE-2025-55182) shows that the attack chain spans multiple ATT&CK tactic and technique stages; the TTPs covered include:


TA0001 Initial Access: T1190 Exploit Public-Facing Application

TA0004 Privilege Escalation: T1055 Process Injection

TA0009 Collection: T1005 Data from Local System




Using the built-in SOAR automated or semi-automated orchestration and coordinated response capabilities of the 泰合 Security Management and Situational Awareness Platform, playbooks can be orchestrated for alert events involving exploitation of this vulnerability so that they are handled automatically.


5. mansion88明升 endpoint product


mansion88明升 天珣 (Tianxun) Endpoint Security Integrated (EDR) has reproduced the vulnerability and provides a custom PoC check: it locates the project folder from the running process to obtain the node component version information, and the PoC can be pushed from the server for synchronized network-wide verification to match vulnerable assets and prevent exploitation risk.



Official announcement:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components