Denial of Service and Source Code Exposure in React Server Components

December 11, 2025 by The React Team

Updated January 26, 2026.


Security researchers have found and disclosed two additional vulnerabilities in React Server Components while probing the patches for last week's critical vulnerability.

The new vulnerabilities do not allow remote code execution. The React2Shell patches remain effective and mitigate the remote code execution vulnerability.


The new vulnerabilities are disclosed as:

We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.

Note

The patches published earlier are vulnerable.

If you already updated for the previous vulnerabilities, you will need to update again.

If you updated to 19.0.3, 19.1.4, or 19.2.3, those patches are incomplete, and you will need to update again.

Please see the instructions in the previous post for upgrade steps.


Updated January 26, 2026.

Further details of these vulnerabilities will be provided after the rollout of the fixes is complete.

Immediate Action Required

These vulnerabilities are present in the same packages and versions as CVE-2025-55182.

This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:

Fixes were backported to versions 19.0.4, 19.1.5, and 19.2.4. If you are using any of the above packages, please upgrade to one of the fixed versions immediately.
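A quick inventory check, added here and not part of the advisory: it walks a parsed package-lock.json and flags every installed copy of the react-server-dom-* packages named in the React Native section whose version falls below the fixed releases listed above. The lockfile v2/v3 "packages" layout is assumed, and the sample lockfile is constructed.

```javascript
// Added example, not from the React advisory: scan the "packages" map of a
// package-lock.json (lockfile v2/v3 layout, assumed) for the react-server-dom-*
// packages the advisory names under React Native and flag affected versions.
// Affected per the advisory: 19.0.0-19.0.3, 19.1.0-19.1.4 (19.1.4 carried an
// incomplete fix), 19.2.0-19.2.3. Fixed: 19.0.4, 19.1.5, 19.2.4.
const IMPACTED = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// minor -> first patch level that carries the complete fix
const FIRST_SAFE_PATCH = { 0: 4, 1: 5, 2: 4 };

function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false; // not a plain semver string; inspect manually
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19) return false; // only the 19.x lines are named
  const firstSafe = FIRST_SAFE_PATCH[minor];
  if (firstSafe === undefined) return false; // 19.3+ not covered by the advisory
  return patch < firstSafe;
}

// Walk every installed copy, including nested ones under a framework's own
// node_modules, since a bundler may ship its own react-server-dom-* build.
function findAffected(lock) {
  const findings = [];
  for (const [installPath, info] of Object.entries(lock.packages || {})) {
    const name = installPath.replace(/^.*node_modules\//, '');
    if (!IMPACTED.includes(name) || !info.version) continue;
    findings.push({ path: installPath, name, version: info.version,
                    affected: isAffected(info.version) });
  }
  return findings;
}

// Constructed sample lockfile; in practice pass JSON.parse(fs.readFileSync(...)).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.3' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.4' },
    'node_modules/react-server-dom-parcel': { version: '19.2.4' },
  },
};
for (const f of findAffected(SAMPLE_LOCK)) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.name}@${f.version} (${f.path})`);
}
```

Run it against your own lockfile with `findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; nested copies under a framework's node_modules count as installs too.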

As before, if your app's React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

Note

It's common for critical CVEs to uncover follow-up vulnerabilities.

When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques, to test whether the initial mitigation can be bypassed.

This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs (1, 2) were reported as the community probed the original fix.

Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.

Affected frameworks and bundlers

Some React frameworks and bundlers depended on, had peer dependencies on, or bundled the vulnerable React packages. The following React frameworks and bundlers are affected: next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk.

Please see the instructions in the previous post for upgrade steps.

Hosting Provider Mitigations

As before, we have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app; you still need to update immediately.

React Native

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and no additional steps are needed.

If you are using React Native in a monorepo, you should update only the impacted packages, if they are installed:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

This is required to mitigate the security advisories, but you do not need to update react and react-dom, so this will not cause the version mismatch error in React Native.

See this issue for more information.


High Severity: Multiple Denial of Service

CVE: CVE-2026-23864. Base Score: 7.5 (High). Date: January 26, 2026.

Security researchers discovered that additional DoS vulnerabilities still exist in React Server Components.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints and could lead to server crashes, out-of-memory exceptions, or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration, and the application code.

The patches published January 26th mitigate these DoS vulnerabilities.

Note

Additional fixes published

The original fix addressing the DoS in CVE-2025-55184 was incomplete.

This left previous versions vulnerable. Versions 19.0.4, 19.1.5, and 19.2.4 are safe.


Updated January 26, 2026.

High Severity: Denial of Service

CVEs: CVE-2025-55184, CVE-2025-67779. Base Score: 7.5 (High).

Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.

This creates a vulnerability vector where an attacker may be able to deny users access to the product, and potentially have a performance impact on the server environment.

The patches published today mitigate the issue by preventing the infinite loop.

Medium Severity: Source Code Exposure

CVE: CVE-2025-55183. Base Score: 5.3 (Medium).

A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument:

'use server';

export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY');
  const user = await conn.createUser(name); // implicitly stringified, leaked in db

  return {
    id: user.id,
    message: `Hello, ${name}!` // explicitly stringified, leaked in reply
  };
}

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

The patches published today prevent stringifying the Server Function source code.

Note

Only secrets in source code may be exposed.

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler performs.

Always verify against production bundles.
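The stringification path described above, isolated as an added example that is not the advisory's code: the same template literal as serverFunction, a boundary check that rejects non-string arguments as defense in depth alongside the patched packages, and a check for function syntax in captured replies. The names buildGreeting, requireString, looksLikeSourceLeak and demoServerFunction are this example's own.

```javascript
// Added example, not from the React advisory: the stringification path the
// advisory describes, isolated, beside a boundary check and a log check.
// Names (buildGreeting, requireString, looksLikeSourceLeak) are this example's own.

// Same interpolation as the advisory's serverFunction. If the deserialized
// argument is not a string but a function value, the template literal calls
// its toString(), which in JavaScript returns the function's full source text.
function buildGreeting(name) {
  return `Hello, ${name}!`;
}

// Defense in depth alongside the patched react-server-dom-* packages: reject
// any argument that is not a plain string before it can reach a template
// literal, a log line, or a database write.
function requireString(value, label) {
  if (typeof value !== 'string') {
    throw new TypeError(`${label}: expected a string, received ${typeof value}`);
  }
  return value;
}

function buildGreetingHardened(name) {
  return buildGreeting(requireString(name, 'name'));
}

// Response/log check: a greeting reply should never contain function syntax.
// Useful when reviewing captured replies for the pattern shown in the advisory.
function looksLikeSourceLeak(text) {
  return /\bfunction\b[\s\S]*?\{/.test(text) || /=>\s*\{/.test(text);
}

// Demonstration with a locally defined function standing in for the leaked one.
function demoServerFunction(a) {
  const key = 'SECRET KEY'; // hardcoded secret, the kind the advisory warns about
  return `${key}:${a}`;
}
const leaked = buildGreeting(demoServerFunction);
console.log(looksLikeSourceLeak(leaked), leaked.includes('SECRET KEY')); // true true
```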


Timeline

  • December 3: The exposure is reported by Andrew MacPherson to the Vercel and Meta Bug Bounty programs.
  • December 4: The initial DoS is reported by RyotaK to the Meta Bug Bounty.
  • December 6: The React team confirms both issues and begins investigating.
  • December 7: Initial fixes are created; the React team begins validating them and planning new patches.
  • December 8: Affected hosting providers and open source projects are notified.
  • December 10: Hosting providers implement mitigations and validate the patches.
  • December 11: Shinsaku Nomura reports an additional DoS vulnerability to the Meta Bug Bounty.
  • December 11: Patches are published and publicly disclosed as CVE-2025-55183 and CVE-2025-55184.
  • December 11: A missed case of the DoS vulnerability is found internally, patched, and publicly disclosed as CVE-2025-67779.
  • January 26: Additional DoS vulnerabilities are found, patched, and publicly disclosed as CVE-2026-23864.

Attribution

Thank you to Andrew MacPherson (AndrewMohawk) for reporting the Source Code Exposure, and to RyotaK from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. Thank you to Mufeed VH from Winfunc Research, Joachim Viide, RyotaK from GMO Flatt Security Inc, and Xiangwei Zhang of Tencent Security YUNDING LAB for reporting the additional DoS vulnerabilities.