🤣 不一定客观，不一定理性，个人数字泔水\(⁠◔⁠‿⁠◔⁠)✨ Thinking...https://okhk.pages.devhttps://okhk.pages.dev/posts/8598https://okhk.pages.dev/posts/8598Tue, 27 Jan 2026 05:13:50 GMT<i><b>🔴</b></i> 另一些 RSC DoS 漏洞；请尽快更新。<br /><br />- 此漏洞影响 Next.js 13-16 及其它使用了 <mark>React</mark> Server Side Components 的相关组件。<br />- 此漏洞不会导致 RCE。<br />- 对于 <mark>React</mark>，请更新到 19.0.4/19.1.5/19.2.4。<br />- 对于 Next.js，请参考 [1] 或 [2] 中的更新方案。<br />- Vercel [2] 及 Cloudflare [3] 已经发布针对此漏洞的服务端 WAF 规则。<br /><br />CVE: CVE-2026-23864<br />CVSS: 7.5<br /><br />1. <a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions" target="_blank">react.dev/~</a><br />2. <a href="https://vercel.com/changelog/summary-of-cve-2026-23864" target="_blank">vercel.com/~</a><br />3. <a href="https://developers.cloudflare.com/changelog/2026-01-26-waf-release/" target="_blank">developers.cloudflare.com/~</a><br /><br />thread: <a href="https://t.me/outvivid/4795" target="_blank">/4795</a><br />linksrc: <a href="https://t.me/abcthoughts/6821" target="_blank">https://t.me/abcthoughts/6821</a><br /><br /><a href="/search/result?q=%23React">#React</a> <a href="/search/result?q=%23Nextjs">#Nextjs</a><a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" target="_blank"> <div>react.dev</div> <img class="link_preview_image" alt="Critical Security Vulnerability in React Server Components – React" src="/static/https://cdn4.telesco.pe/file/XQdnSRItda0HcHQ0U7mgIKUf_w5QjMKggPlvIqt1bPftMiNza8VhOhxujLgnoGQSK7kRK8EaWhXsi57YHLi8iczq--i-3WvRpKTNWX3rqX404pM1JqK3RVb1s0GYZfzuZN6zVfHH2-HQNwLKvyM9ETQf9ngCEhULOnYUf-dBGhhhWeCX5ctMHx5NjYAVfuOvmG4cvjtAjyAtJak5UbzruY64W3EpvYSoqHLFGjt7z2KfqohWjV1M2d2DzoM5ptOg1m8gQLeaMCwIBVmSWw7iiw4J7gxhxcDTNvEw0wht425K9BcwrB_PI_BoUY6WMuCe0UKyswX9XnUFyNt-bNXCmA.jpg" width="1200" height="630" loading="eager" /> <div>Critical Security Vulnerability in <mark>React</mark> Server Components – <mark>React</mark></div> <div>The library for web and native user interfaces</div> </a>https://okhk.pages.dev/posts/8006https://okhk.pages.dev/posts/8006Fri, 12 Dec 2025 04:37:10 GMT<a href="/search/result?q=%23PSA">#PSA</a>: 一些<b>新的</b> <mark>React</mark> DoS/源码泄露漏洞；请尽快更新。<br /><br />- 如果上周已经就之前的 RCE 漏洞对 <mark>React</mark> 等组件进行了更新，本周依旧<b>需要</b>继续更新。<br />- 如果就此漏洞更新到了 <mark>React</mark> 19.0.2/19.1.3/19.2.2，也依旧<b>需要</b>继续更新，因为这些版本的修复不完整。<br />- 请参考 [2] 了解需要更新到的版本。<br />- <mark>React</mark> Server Side Components 相关；拒绝式服务攻击，以及服务端（服务端！）组件源码泄露。<br />- Next.js 13.3 至 14（含 13.3 及 14.x）也受此漏洞影响。<br />- <mark>react</mark>-router、waku 和几个其它 RSC 组件也受此漏洞影响。<br /><br />CVE: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183<br />CVSS: 最高者为 7.5<br /><br />1. <a href="https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components" target="_blank">react.dev/~</a><br />2. <a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions" target="_blank">react.dev/~</a><br /><br />thread: <a href="https://t.me/outvivid/4791" target="_blank">/4791</a><br /><br /><a href="/search/result?q=%23React">#React</a> <a href="/search/result?q=%23Nextjs">#Nextjs</a><a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" target="_blank"> <div>react.dev</div> <img class="link_preview_image" alt="Critical Security Vulnerability in React Server Components – React" src="/static/https://cdn4.telesco.pe/file/SyRzqfOmX1fBLaiyP44z8KXM6Q0sbJXTBT3URX04RQrgQs0_Tbf6rWTyU-MstBa8uZY-SUC5iL9hDlUfANk3dbjrVPJX2j6m6v08SALYMuYGMV-5JISivFU4jqdJ3Dh9-Rcq1yfNs-s-ZSE8PuPUiy1204xDUXtSYF5F3dQwxMQ3YBlFSUQwAbKmqREMzSxbiMQ2Px6SztE0gOPygosIDimldvdDOLMom6Bon6Mw4jfNTTwbutdv32pJuIeSN7evpRBJTCeoqgPfCAf84xOv5JOM-MlezNpfpaOJphLWrKP6IPE8qGQe4SCz2HzhMGdHhvVYmZm00607FFy7TLakdA.jpg" width="1200" height="630" loading="eager" /> <div>Critical Security Vulnerability in <mark>React</mark> Server Components – <mark>React</mark></div> <div>The library for web and native user interfaces</div> </a>https://okhk.pages.dev/posts/7914https://okhk.pages.dev/posts/7914Wed, 03 Dec 2025 18:25:27 GMT<a href="/search/result?q=%23PSA">#PSA</a>: <mark>React</mark> RSC 的 RCE 漏洞，影响 Next.js 等，受影响用户请立即更新。<br /><br />- 受影响版本包括 <mark>React</mark> 19.0/19.1.0/19.1.1/19.2.0 及 Next.js 15-16（以及个别 14 canary 版本）。 [1][2]<br />- 受影响用户请更新至 <mark>React</mark> 19.0.1/19.1.2/19.2.1 及 Next.js 15.0.5/15.1.9/15.2.6/15.3.6/15.4.8/15.5.7/16.0.7。<br />- <mark>React</mark> Server DOM 的反序列化逻辑存在问题，可能导致远程代码执行 (RCE) 漏洞。<br />- Cloudflare WAF 已部署修复并默认启用。 [3]<br />- 应用程序如果只在客户端使用 <mark>React</mark> 而不涉及服务端 <mark>React</mark>，则不受影响。<br />- <mark>react</mark>-router 或 waku 等库的用户可能也会受到影响。用户可以检查应用程序是否使用了 <mark>react</mark>-server-dom-{webpack,parcel,turbopack} 包。<br /><br /><br />CVE: CVE-2025-55182 (<mark>React</mark>), CVE-2025-66478 (Next.js)<br />CVSS: 10.0/10 (Critical)<br /><br />1. <a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" target="_blank">react.dev/~</a><br />2. <a href="https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp" target="_blank">GHSA-9qr9-h5gf-34mp</a><br />3. <a href="https://blog.cloudflare.com/waf-rules-react-vulnerability/" target="_blank">blog.cloudflare.com/~</a><br /><br /><a href="/search/result?q=%23React">#React</a> <a href="/search/result?q=%23Nextjs">#Nextjs</a><a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" target="_blank"> <div>react.dev</div> <img class="link_preview_image" alt="Critical Security Vulnerability in React Server Components – React" src="/static/https://cdn4.telesco.pe/file/lKI3uyPzANtKD5Vn8FirrTiqsEpvXl5qHWlsT0sGiwwtO2u20GQGUD-Gr3j3ro0CtAPBFa0yBpM90OUDok-JpIlVZIEwmX3EpyWjLdkmnyny_LcuU4owG1TtqC9UOHUm0FOXM4DIsg_28uxLowGQYblHwSQND83rc9A8ksfJCuevgDTHjVu9iK2tRk4-9OBydw_IkjjPE8HW5rcNgyA8GP_fC-GsC0FoUw28zlZtbmVMYuJnqBjDbk4jMPxPGwuOl51iLewO-18TAZ6y-rHD3i9GEV9v-eISN_cp_9jGRsuj2AYkf7ahERyMkvnolpjLjfWG-yyJFt7PrceKKIo2cQ.jpg" width="1200" height="630" loading="eager" /> <div>Critical Security Vulnerability in <mark>React</mark> Server Components – <mark>React</mark></div> <div>The library for web and native user interfaces</div> </a>