- Two new vulnerabilities in React Server Components, CVE-2025-55183 and CVE-2025-55184, enable source code exposure and denial of service.
- Both issues affect specific 19.x versions of react-server-dom-parcel, -turbopack and -webpack.
- Meta's React team has released fixed versions 19.0.3, 19.1.4 and 19.2.3 and recommends upgrading immediately.
- The bugs were found while stress-testing the React2Shell (CVE-2025-55182) patches, reflecting intensified scrutiny of the RSC attack surface.

Two newly disclosed vulnerabilities in React Server Components (RSC) sharpen the focus on the security of modern JavaScript stacks. Tracked as CVE-2025-55183 and CVE-2025-55184, these flaws do not allow direct remote code execution, but they can cause significant disruption through denial of service and exposure of server-side source code when exploited under the right conditions.
These bugs were identified as part of a broader security review triggered by the critical React2Shell issue (CVE-2025-55182), which had already attracted active exploitation in the wild. Although the new weaknesses are less severe than the earlier CVSS 10.0 flaw, they show that once a critical bug is public, researchers and attackers dig deeper into adjacent RSC code paths looking for alternative attack vectors.
Background: From React2Shell to New RSC Vulnerabilities
As defenders and the React team rolled out mitigations for React2Shell, security researchers began examining the patched code to see whether the fix could be bypassed or extended into new exploitation primitives. This pattern is common across the industry: once a critical issue is fixed, nearby logic and interfaces are scrutinised heavily for similar patterns.
During this follow-up research, three RSC-related vulnerabilities were documented: a denial-of-service issue (CVE-2025-55184), a subsequent incomplete fix with the same impact (CVE-2025-67779), and an information disclosure weakness (CVE-2025-55183). While CVE-2025-67779 also matters for RSC security, the main focus here is understanding the newly described behaviour and impact of CVE-2025-55183 and CVE-2025-55184.
Alongside this technical analysis, incident responders have observed evolving exploitation chains around React2Shell, in which attackers combine RCE with post-exploitation tooling and lateral movement. This escalation pushes organisations to treat all RSC-related weaknesses, including CVE-2025-55183 and CVE-2025-55184, as part of a single evolving attack surface rather than as isolated bugs.
The discovery and coordinated disclosure of these issues shows that the wider security community, vendor engineers and bug hunters are working together to harden widely used frameworks such as React, even as adversaries attempt to weaponise the same weaknesses.
Technical Details of CVE-2025-55184: Denial of Service in Server Functions
CVE-2025-55184 is described as an unauthenticated denial-of-service (DoS) vulnerability affecting React Server Components. The root of the problem lies in how certain RSC packages handle deserialisation of payloads from HTTP requests targeting Server Function endpoints.
In unpatched versions, specially crafted requests can drive the unsafe deserialisation logic for complex objects into an infinite loop. Once that loop is triggered, the process handling the Server Function hangs, leaving the application unable to serve subsequent HTTP traffic or respond reliably.
The impact is particularly concerning because the flaw can be exploited before any authentication takes place. In other words, an attacker does not need valid credentials or elevated privileges to attempt exploitation; a stream of malicious requests is enough to tie up server resources and potentially knock an RSC-backed service offline.
According to the published analysis, CVE-2025-55184 carries a CVSS score of 7.5, placing it in the high-severity category. Although it does not provide code execution on its own, a reliable DoS against a core part of the backend stack can translate into availability risk, service-level agreement breaches and business disruption.
During patch development, a separate identifier, CVE-2025-67779, was assigned to an incomplete fix for this issue. This follow-on CVE covers remaining paths that still lead to the same denial-of-service outcome, underlining why closing complex deserialisation flaws can take several iterations to cover every edge case.
Technical Details of CVE-2025-55183: Source Code Exposure via Crafted Requests
Where CVE-2025-55184 targets availability, CVE-2025-55183 concerns confidentiality. This weakness is described as an information-leak flaw in React Server Components that can cause the source code of certain Server Functions to be returned to a remote client.
In vulnerable configurations, a carefully crafted HTTP request sent to an exposed Server Function can trigger behaviour in which the server responds with the underlying code of the targeted Server Function. A leak of this kind can reveal implementation details, business logic, hard-coded strings or other sensitive information that organisations normally keep strictly server-side.
However, exploitation of CVE-2025-55183 is gated by a specific condition: there must be at least one Server Function whose interface exposes an argument that is coerced into a string, whether explicitly or implicitly. Only when this pattern exists in the application's RSC usage is there a realistic risk from a would-be attacker.
Security assessments assign CVE-2025-55183 a CVSS score of 5.3, placing it in the medium-severity range. Even so, source code exposure is far from harmless. Knowledge of internal function names, parameters, error handling and data flows can help adversaries craft targeted attacks, spot hidden weaknesses and tailor phishing or social engineering attempts closely to the real behaviour of the system.
Beyond any immediate exploitation value, the visibility gained from leaked Server Function code can turn an application into its own blueprint for future intrusion attempts, especially in environments where similar patterns appear across many services.
Affected Packages and Versions in the React RSC Ecosystem
The newly documented weaknesses affect a set of React Server Components integration packages, specifically the implementations that wire RSC into build tools and runtimes. The relevant modules are:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
For both CVE-2025-55184 and CVE-2025-55183, the affected versions span several 19.x releases. The vulnerable set includes 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1. Development teams running these versions in production or staging should assume that their deployments could be hit by denial of service or source code exposure if untrusted users can reach the relevant endpoints.
In addition, the incomplete fix represented by CVE-2025-67779 affects versions 19.0.2, 19.1.3 and 19.2.2. Although this identifier is tied to the same DoS behaviour as CVE-2025-55184, it shows that even patched environments can remain partly exposed if they stopped at these intermediate releases.
The spread of affected versions shows how rapid RSC iteration can complicate patch management. Organisations that upgrade frequently or pin to specific minor versions may not realise that a recent release falls inside the affected window, which makes careful version auditing essential.
Given the popularity of the React ecosystem and the growing use of Server Components for performance and developer experience, the number of applications potentially affected by CVE-2025-55183 and CVE-2025-55184 likely spans many industries and deployment models.
Fixed Versions and Recommended Upgrade Path
To address these issues, the React team has released fixed versions of all three affected RSC packages. Users are advised to move as quickly as possible to the following fixed releases:
- 19.0.3
- 19.1.4
- 19.2.3
According to the maintainers, these releases fully resolve the denial-of-service issue tracked as CVE-2025-55184 together with the related CVE-2025-67779, as well as the information disclosure risk described in CVE-2025-55183. Importantly, the earlier React2Shell vector (CVE-2025-55182) is also closed by the broader set of patches released across the 19.x branches.
Teams responsible for deployments are encouraged to treat this as a high-priority patching task, especially given the active hunting for RSC weaknesses by both legitimate researchers and malicious actors. Where deploying the latest release on a minor line is impractical, organisations should at least ensure they are not pinned to any of the explicitly documented vulnerable versions.
As always, library upgrades should be accompanied by testing and staged rollouts. Adding regression tests around critical Server Functions, monitoring error rates after the upgrade and reviewing logs for anomalous or malformed requests can help confirm that the new versions behave as expected under real traffic.
The rapid availability of patches reflects the React team's view that multiple disclosures are not a sign of failed remediation but rather a healthy response cycle, in which defensive depth improves over time as more edge cases and alternative vectors are found and fixed.
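The version lists above are what a dependency audit has to check against. The following triage helper is an added example, not code from the React project or from the original article; it classifies the resolved version of the three RSC integration packages using only the vulnerable, intermediate and fixed versions named here, and reports anything outside those lists as "not-listed" rather than assuming it is safe. The sample dependency map is constructed for the demonstration.

```javascript
// Added triage helper (not React project code, not from the article): classify
// the installed react-server-dom-{parcel,turbopack,webpack} version against the
// version lists the advisory gives. Anything not listed is reported as
// "not-listed" rather than assumed safe.
const RSC_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
// Vulnerable to both CVE-2025-55183 and CVE-2025-55184.
const VULNERABLE = new Set(["19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"]);
// Intermediate releases still exposed to the DoS variant, CVE-2025-67779.
const INCOMPLETE_FIX = new Set(["19.0.2", "19.1.3", "19.2.2"]);
const FIXED = new Set(["19.0.3", "19.1.4", "19.2.3"]);

// Strip range operators ("^19.1.3", "~19.2.1", "v19.2.3") so both pinned and
// ranged specifiers can be checked. A range may resolve to a newer version at
// install time, so the resolved version from the lockfile is the reliable input.
function normalizeVersion(spec) {
  return String(spec).trim().replace(/^[\^~=v]+/, "");
}

function classifyRscVersion(spec) {
  const version = normalizeVersion(spec);
  if (FIXED.has(version)) return { version, status: "fixed", cves: [] };
  if (INCOMPLETE_FIX.has(version)) return { version, status: "incomplete-fix", cves: ["CVE-2025-67779"] };
  if (VULNERABLE.has(version)) return { version, status: "vulnerable", cves: ["CVE-2025-55183", "CVE-2025-55184"] };
  return { version, status: "not-listed", cves: [] };
}

// Walk a { packageName: version } map (e.g. resolved dependencies from a
// lockfile) and report only the three RSC integration packages.
function auditDependencies(deps) {
  return Object.entries(deps)
    .filter(([name]) => RSC_PACKAGES.has(name))
    .map(([name, spec]) => ({ package: name, ...classifyRscVersion(spec) }));
}

// Constructed sample dependency map, not taken from any real project.
const SAMPLE_DEPS = {
  "react": "19.2.1",
  "react-server-dom-webpack": "19.2.1",
  "react-server-dom-parcel": "^19.1.3",
  "react-server-dom-turbopack": "19.2.3",
};

for (const f of auditDependencies(SAMPLE_DEPS)) {
  const detail = f.cves.length ? ` (${f.cves.join(", ")})` : "";
  console.log(`${f.package}@${f.version}: ${f.status}${detail}`);
}
```

Feed it the resolved versions from your lockfile rather than the ranges in package.json, since a caret range can silently resolve to one of the intermediate releases.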
Discovery and Reporting of the Vulnerabilities
The newly documented vulnerabilities reflect ongoing collaboration between independent security researchers and Meta's bug bounty programme. The denial-of-service issues, CVE-2025-55184 and the follow-on CVE-2025-67779, were reported by RyotaK and Shinsaku Nomura, who were credited with identifying how malicious payloads could push RSC into an unresponsive state.
The information disclosure weakness, CVE-2025-55183, was disclosed by Andrew MacPherson, who demonstrated a scenario in which a Server Function could return its own source code when given a carefully crafted HTTP request.
These findings emerged as researchers actively stress-tested the fixes for CVE-2025-55182. In doing so, they closely mirrored the kind of review work attackers might perform, but within the framework of responsible reporting and coordinated patch distribution.
The React team has openly acknowledged that such patterns are common across the software industry, not only within JavaScript. When a high-impact bug captures attention, both builders and adversaries look for "variant" exploits in nearby code paths, sometimes surfacing long-standing weaknesses.
By publishing CVE-2025-55183, CVE-2025-55184 and CVE-2025-67779 promptly and transparently, the maintainers aim to stay ahead of potential weaponisation while giving organisations a clear roadmap for securing their use of React Server Components.
Risk Context: Why Non-RCE Flaws Still Matter
Even though these new issues do not let an attacker execute remote code, they can still be valuable tools within a broader intrusion playbook. A denial-of-service flaw like CVE-2025-55184 could be used to disrupt operations, serve as a smokescreen that distracts defenders, or probe how an organisation's infrastructure behaves under heavy load.
Meanwhile, a source code exposure vector like CVE-2025-55183 can aid reconnaissance. Insight into the internals of Server Functions can reveal how requests are validated, which parameters influence database access, how errors are handled and where third-party services are integrated. That visibility is valuable to attackers planning either precise or stealthy exploitation attempts.
In environments already dealing with the fallout of React2Shell (CVE-2025-55182), these additional weaknesses compound the complexity of the overall threat landscape. Defenders are forced to think not only about urgent RCE mitigation but also about the stability and confidentiality of RSC behaviour under hostile input.
From a governance perspective, this situation illustrates why vulnerability management programmes should look beyond the CVSS 10.0 scores that grab headlines. Medium- and high-severity flaws affecting availability and information exposure can still be decisive, especially when chained with other attack techniques.
Ultimately, this reinforces the point that keeping RSC usage secure is not a one-time effort but an ongoing process of patching, monitoring, testing and reviewing how Server Functions are designed and exposed over time.
As the dust settles on the React2Shell emergency and its follow-on findings, organisations using React Server Components are being pushed to revisit their dependency versions, harden their server-side interfaces and respond quickly to upstream security advisories. By staying current with new releases and integrating security review into their development workflows, teams can significantly reduce the opportunities for attackers targeting CVE-2025-55183, CVE-2025-55184 and related RSC weaknesses.