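Compiled by | Tina, Dongmei. Just finished chasing last week's severity-10 patch and thought you could catch your breath? Not yet. On December 12, React officially confirmed that researchers, while validating last week's patch, found two more new vulnerabilities in React Server Components (RSC). Over the past week, the aftershocks of the React2Shell vulnerability have continued: servers hijacked for cryptomining, emergency blocks by cloud vendors, and even triggering Cloudflare ...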
From Wiz, Palo Alto Networks' Unit 42, Google ...
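ITHome (IT之家), December 4: The popular JavaScript framework React published an official advisory yesterday stating that React Server Components contain an unauthenticated remote code execution vulnerability, and advised developers to upgrade immediately to patch it. On November 29, Lachlan Davidson reported a security vulnerability in React. The vulnerability allows, by exploiting React's decoding of what is sent to ...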
The explosive, easy-to-trigger vulnerability was exploited within hours of disclosure, exposing the risks of default ...
React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ecosystem. With low exploitation complexity and publicly available PoCs, ...
Unlike server-side rendering, React Server Components aim to fully replace client-side functionality with work done on the server. Let’s see how this works. React remains a flagship among front-end ...
In early December 2025, the React core team disclosed two new vulnerabilities affecting React Server Components (RSC). These issues – Denial-of-Service and Source Code Exposure – were found by security ...
December 2025, the RondoDox botnet operators have been targeting Next.js servers impacted by the React2Shell vulnerability.
While the critical-severity flaw in a popular open-source library has seen exploitation, the ‘vast majority’ of organizations will not be vulnerable, according to well-known researcher Kevin Beaumont.