如果你在用 React 19 / Next.js 15 / 16， 这篇就当是一个温柔但坚决的催命信： Vercel 已经出手，在它的全球 Web Application Firewall（WAF）上， 加了一层拦截规则，免费帮所有托管在上面的项目挡一波。

近期，聚铭安全攻防实验室监测发现了一项与React Server Components相关的远程代码执行漏洞， 该漏洞已被披露，编号为 CVE-2025-55182，CVSS 评分为 10.0 。

过去一周，React2Shell 漏洞的余威仍在：服务器被劫持挖矿、云厂商紧急封禁、甚至引发 ；为了把风险压下去，Vercel 甚至在一个周末就付出了 75 万美元的漏洞赏金与应急处置成本。一次前端框架的漏洞，直接打穿了整个技术栈。React 官方连续发布紧急通告，反复强调“请立即升级”，短时间内已经是第二次大规模补丁更新。

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.

A newly discovered security flaw in the React ecosystem — one of the most widely used technologies on the web — is prompting ...

Critical RSC flaws in React and Next.js enable unauthenticated remote code execution; users should update to patched versions ...

A CVSS 10 rate critical vulnerability impacts React Server Components in versions 19.0–19.2.0. A patched update has been ...

A critical-severity vulnerability impacting the popular React open-source library deserves attention, but is far from the ...

React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ...

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...