CVE-2025-55182 in React and CVE-2025-66478 in Next.js: what the RCE bug on the web really means

Last updated: 12/04/2025
  • CVE-2025-55182 in React and CVE-2025-66478 in Next.js allow unauthenticated remote code execution through the React Server Components Flight protocol.
  • The flaw stems from unsafe deserialization of RSC payloads, leaving default React and Next.js configurations exposed without any code changes on the application side.
  • Security researchers report near-100% exploitation reliability and warn that mass attacks are likely once the patches have been reverse-engineered.
  • Upgrading promptly to the hardened React and Next.js releases is the only effective mitigation, especially in cloud environments, where up to ~40% of deployments may be at risk.

A security vulnerability in React and Next.js

The disclosure of CVE-2025-55182 in React and its twin CVE-2025-66478 in Next.js has put a spotlight on how server-side JavaScript stacks can fail at the level of low-level protocols. Rather than a niche bug, this is a critical remote code execution flaw that hits the core of React Server Components and the Flight protocol that many modern applications silently depend on.

What makes the issue particularly serious is that default setups are exposed. A plain Next.js app created with create-next-app, built and deployed without any non-standard options, can be compromised through a single unauthenticated HTTP request. No misconfiguration, no exotic plugin - just the standard stack that many teams ship every day.

How CVE-2025-55182 and CVE-2025-66478 were disclosed

The root of the problem lies in the react-server implementation that powers React Server Components (RSC). This package underpins the Flight protocol, which is used to transfer serialized component data between client and server. When security researcher Lachlan Davidson reported the suspicious behaviour through Meta's bug bounty program in late November, it triggered a rapid response from the React and Meta teams.

According to the public advisories, the vulnerability was disclosed on Wednesday and emergency patches shipped within four days. That is an unusually fast turnaround for an issue touching such a large ecosystem, and it underscores how severe the flaw is: the React maintainers rated it with a CVSS score of 10.0, the maximum possible.

In parallel, Vercel - the company behind Next.js - assessed how the same underlying bug affected its framework. Because Next.js uses the same RSC Flight protocol on the server, it inherited the weakness and received its own identifier, CVE-2025-66478. Vercel published an advisory and released patches on the same day as React did, with the aim of keeping the attackers' window of opportunity as short as possible.

Despite the rapid response, security vendors and researchers immediately warned that attackers would likely reverse-engineer the fixes very quickly, as has been seen in supply-chain attacks on npm. Once the patched code is public, it becomes much easier to infer where the bug was and to build working exploits.

What exactly goes wrong in the React Flight protocol?

At a technical level, both CVE-2025-55182 and CVE-2025-66478 boil down to unsafe deserialization of attacker-controlled data within the Flight protocol. React Server Components send and receive structured payloads, which the server decodes and uses to drive the rendering flow.

The vulnerable logic in the react-server implementation failed to properly validate the structure and contents of incoming RSC payloads. By sending a deliberately malformed but carefully crafted Flight payload to a React Server Function endpoint, an attacker can influence what the server does when it deserializes the data. Instead of merely reconstructing benign component state, the code path can be steered into executing attacker-chosen JavaScript on the server.

Because the bug sits in the protocol handling itself, no authentication is required. A remote attacker only needs to be able to send HTTP requests to any reachable RSC or Server Function endpoint. This turns the weakness into a straightforward, unauthenticated RCE vector: send a crafted request, let the unsafe deserialization run, and the payload can end up executing on the backend.

Researchers at Wiz, who analysed the issue independently, describe it as a logical deserialization vulnerability rather than a memory-corruption bug. In their testing, a full working proof of concept achieved near-100% reliability in getting code executed on vulnerable targets.

Why default React and Next.js deployments are at risk

One of the most troubling aspects of these CVEs is that they affect out-of-the-box configurations. For many security problems, exploitation requires a specific flag, a rarely used plugin, or a non-standard deployment mode. Not so here.

React Server Components and their Flight protocol have become core parts of modern React 19 and Next.js architectures. As a result, a standard production build generated by create-next-app can be exploited with zero additional code from the application developer. The attacker does not need to guess custom routes or business logic; abusing the generic RSC endpoints is sufficient.

The impact is not limited to Next.js itself. Any framework or tool that bundles or reimplements the RSC Flight protocol on the server may be vulnerable. Public advisories and security write-ups point to several affected ecosystems:

  • Next.js, the most prominent affected downstream framework
  • Vite RSC plugin (@vitejs/plugin-rsc)
  • Parcel RSC plugin (@parcel/rsc)
  • React Router RSC preview
  • RedwoodSDK (often referred to as rwsdk)
  • Waku and other RSC-enabled toolchains

In React itself, the bug affects versions 19.0, 19.1.0, 19.1.1 and 19.2.0 of the relevant packages. The maintainers state that upgrading to 19.0.1, 19.1.2 or 19.2.1 provides the hardened behaviour and removes the vulnerability. Next.js has corresponding fixed releases that bundle the patched React server logic.

Some infrastructure providers have clarified the boundaries of the impact. For example, Google stated that its public OS images for Compute Engine are not directly vulnerable, since they do not ship React or Next.js ready-made; the risk arises when users install affected versions of these frameworks on top of the base images.

How widespread is the exposure in the cloud?

The scale of the issue becomes clear when you look at how widely React and Next.js are used in production. React powers the user interfaces of major platforms such as Facebook, Instagram, Netflix, Airbnb, Shopify, Walmart, Asana and many others. On top of that, countless smaller applications and internal dashboards are built on the same components and frameworks.

Threat intelligence teams at Wiz analysed telemetry from cloud environments and found that roughly 39-40% of cloud deployments contain a vulnerable React or Next.js. For Next.js alone, the framework appears in roughly 69% of the environments examined, and in over 61% of those, public-facing applications are running on it. Taken together, Wiz puts the share of observed cloud environments hosting publicly exposed Next.js instances at roughly 44%, regardless of the exact version.

That overlap between popularity and vulnerability is what alarms defenders. When a widely deployed stack has a critical, unauthenticated RCE bug with a reliable exploitation path, opportunistic and targeted attacks are almost guaranteed to follow. Even organisations that patch quickly may face a short window in which exposed endpoints can be scanned and compromised.

At the time of initial disclosure, no confirmed in-the-wild exploitation had been publicly reported. However, several security researchers, including experts from Rapid7 and watchTowr, stressed that it is reasonable to assume threat actors are already reverse-engineering the patches, hunting for unpatched services and building automated attack chains.

What researchers and vendors say about the exploitation risk

Commentary from the security community paints a consistent picture: this is not a theoretical problem, and the barrier to entry for attackers is low. Benjamin Harris, CEO of watchTowr, described the flaw as a major risk for users of one of the world's most widespread web frameworks and emphasised that exploitation requires "minimal prerequisites".

Wiz researchers corroborated this assessment after testing both vulnerable and patched versions. Their internal tests showed that crafted payloads exploiting the unsafe deserialization achieved a near-100% success rate in triggering full remote code execution on affected servers. They also noted that the attack is remote and unauthenticated, driven entirely by crafted HTTP requests.

From Rapid7's perspective, the expectation is that technical write-ups and proof-of-concept exploits will appear once enough people have diffed the patches. That, in turn, would likely increase scanning and mass-exploitation attempts, especially against cloud environments with many internet-facing applications.

Even outside the vendor community, industry media have framed these CVEs as putting a significant portion of the internet at risk. Coverage highlighted not only the severity but also the sheer number of large consumer sites, SaaS platforms and API backends that rely on React and Next.js for their front-end and server-side rendering.

Mitigation steps: what React and Next.js users should do now

For teams running React or Next.js in production, the guidance from maintainers and researchers converges on one simple point: upgrading to the patched versions is the only real fix. No configuration tweak or generic WAF rule can fully address the unsafe deserialization behaviour in the Flight protocol.

The React team recommends that anyone on the affected branches move to the hardened releases 19.0.1, 19.1.2 or 19.2.1, making sure the react-server package is included in the upgrade. For Next.js, Vercel has shipped fixed builds that incorporate the patched RSC handling. Administrators should consult the official Next.js advisory to find the minimum safe version for their chosen release line.

Organisations relying on other RSC-enabled frameworks - such as Redwood, Waku, React Router's RSC preview, or the Vite and Parcel RSC plugins - are advised to check the corresponding release notes and security advisories. In many cases these projects simply wrap or bundle React's server components, so patching React itself and then pulling the latest framework build is required.

Beyond straightforward patching, cloud-focused tooling is being used to hunt for vulnerable instances at scale. Wiz customers, for example, can access queries and guidance in the Wiz Threat Center to locate affected React or Next.js versions deployed in their environments. Other organisations are using asset inventories, SBOM data and container scanning to get the same visibility.

If there is any indication that systems may already have been targeted or compromised through these CVEs, incident-response support is recommended. Some vendors explicitly invite customers who suspect exploitation of CVE-2025-55182 or CVE-2025-66478 to engage their IR teams for help with triage, containment and forensics.

What this reveals about the JavaScript web ecosystem

Although the React and Next.js patches close the immediate hole, the incident raises broader questions about how server-side JavaScript frameworks handle untrusted data. Protocols like Flight sit deep in the stack, hidden behind abstractions that developers rarely inspect directly, which means mistakes can have wide-reaching consequences before anyone notices.

The fact that the vulnerable behaviour shipped in default, heavily promoted configurations also underlines the gap between developer convenience and secure-by-default design. The features that make building modern applications easy - such as server components and seamless serialization between client and server - can silently introduce complex attack surfaces.

For security teams, this case is another reminder that design-level weaknesses can turn instantly into organisation-wide exposure. A single bug in a popular open-source component can sit at the heart of dozens of distinct applications, microservices and internal tools, especially where templates and boilerplates are reused.

On the positive side, the response from the React maintainers, Meta and Vercel shows that coordinated disclosure and rapid patch development are possible even in large ecosystems. Clear advisories, version matrices and coordination with security vendors helped defenders prioritise this issue among many competing concerns.

Looking ahead, many observers expect continued scrutiny of serialization, deserialization and protocol-parsing logic in web frameworks. If CVE-2025-55182 and CVE-2025-66478 prompt more systematic testing and stronger validation of components like Flight, some long-term security benefits may yet emerge from an otherwise serious incident.

For now, teams running React or Next.js stacks are in a race between patch deployment and attacker automation. With a critical RCE affecting default configurations, broad cloud exposure and high-reliability exploitation paths already demonstrated in research, keeping these environments safe depends on how quickly organisations can identify their exposure and move everything to the hardened releases.

Related article:
A detailed guide to npm security auditing and supply-chain attacks