Intigriti insights: React2Shell CVE-2025-55182
2025-12-05 Author: www.intigriti.com

This blog explores the widespread and critical state of the React2Shell vulnerability. It provides a technical overview, suggested mitigations, and actions to safeguard people, processes, and data, as well as a review of what our team has experienced and seen off the back of this vulnerability.

Please note that as more is learnt, Intigriti continues to update reports, provide information on what our triage team and researchers are seeing, and will be regularly updating this content with the latest patches and fixes.  

On the 3rd of December 2025, React, which is an open-source front-end JavaScript library, released a blog entitled ‘Critical Security Vulnerability in React Server Components’ which details a maximum severity vulnerability (CVSS 10).

This vulnerability (CVE-2025-55182) has been named React2Shell (the name being a gesture to Log4Shell).

According to the release, React2Shell was reported on the 29th of November. ‘Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.’

On December 1st, a fix was created, and the React team began to implement mitigations and roll out the fix. On December 3rd, the fix was published and the issue was publicly disclosed as CVE-2025-55182.

At the time the blog was released, the vulnerability was present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

An important thing to note here is that even if your app does not implement any React Server Function endpoints, the blog highlights that you may still be vulnerable if your app supports React Server Components.

There are numerous mechanisms to identify if an asset is running React Server Components (RSC), but identifying presence is not enough to determine whether an asset is vulnerable.

React aims to make building component-based user interfaces seamless. It provides integration points and tools that frameworks use to run code. In the Server Functions model, the client sends an HTTP request, which is forwarded to the server; there, the request payload is decoded into a function call that returns the required data to the client.

With React2Shell, a malicious HTTP request can be crafted and sent to a server function endpoint; when React decodes that payload, it can result in remote code execution on that server.

What we, the Intigriti team, have noticed off the back of this is an increase in the number of submissions in the triage queue based on this vulnerability.

Since the vulnerability was first reported, Intigriti has received over a hundred reports in total regarding React2Shell.

  • The majority of these reports have been confirmed to be vulnerable and exploitable.

  • While there is a cooldown period for recently discovered vulnerabilities, we are seeing companies award bonuses to researchers to show their gratitude for being made aware of this issue.

First, we recommend that you patch to the latest versions and apply the latest updates. The React blog post provides patched versions for each of the impacted packages.

While your team may be fixing and patching internally, this is a great time to leverage expert researchers to ensure no elements are missed.

Tips to maximize the value brought to you by your Bug Bounty and Vulnerability Disclosure Programs (VDPs) include:

  • Let researchers know where they should focus their efforts by keeping your policy page up to date.

  • Consider incentivizing researchers to investigate and, if you feel like you have already remediated the issue, set up an additional incentive to uncover blind spots.

  • While most submissions will be made via bug bounty programs, for VDPs, it is still worth updating your community if you are accepting React2Shell reports, as these may be submitted through VDPs as well.

Companies that are quick to move and remediate will have the best results in lowering the impact of this vulnerability.

For more information or to speak with a member of our team, contact us here.


Source: https://www.intigriti.com/blog/business-insights/intigriti-insights-react2shell-cve-2025-55182