From cffb6a7b7d00fbe09df5b40d1731e1055bff0900 Mon Sep 17 00:00:00 2001 From: "Sebastian \"Sebbie\" Silbermann" Date: Thu, 11 Dec 2025 07:27:20 +0100 Subject: [PATCH 01/10] Specify that Effects run on commit, not render (#8162) --- src/content/reference/react/useEffect.md | 26 +++++++++---------- .../reference/react/useLayoutEffect.md | 4 +-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/content/reference/react/useEffect.md b/src/content/reference/react/useEffect.md index da310c762..85389c62e 100644 --- a/src/content/reference/react/useEffect.md +++ b/src/content/reference/react/useEffect.md 
@@ -44,9 +44,9 @@ function ChatRoom({ roomId }) { #### Parameters {/*parameters*/} -* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. When your component is added to the DOM, React will run your setup function. After every re-render with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. After your component is removed from the DOM, React will run your cleanup function. +* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. When your [component commits](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom), React will run your setup function. After every commit with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. After your component is removed from the DOM, React will run your cleanup function. -* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. Reactive values include props, state, and all the variables and functions declared directly inside your component body. If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every re-render of the component. 
[See the difference between passing an array of dependencies, an empty array, and no dependencies at all.](#examples-dependencies) +* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. Reactive values include props, state, and all the variables and functions declared directly inside your component body. If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every commit of the component. [See the difference between passing an array of dependencies, an empty array, and no dependencies at all.](#examples-dependencies) #### Returns {/*returns*/} 
@@ -107,14 +107,14 @@ You need to pass two arguments to `useEffect`: **React calls your setup and cleanup functions whenever it's necessary, which may happen multiple times:** 1. Your setup code runs when your component is added to the page *(mounts)*. -2. After every re-render of your component where the dependencies have changed: +2. After every commit of your component where the dependencies have changed: - First, your cleanup code runs with the old props and state. - Then, your setup code runs with the new props and state. 3. Your cleanup code runs one final time after your component is removed from the page *(unmounts).* **Let's illustrate this sequence for the example above.** -When the `ChatRoom` component above gets added to the page, it will connect to the chat room with the initial `serverUrl` and `roomId`. If either `serverUrl` or `roomId` change as a result of a re-render (say, if the user picks a different chat room in a dropdown), your Effect will *disconnect from the previous room, and connect to the next one.* When the `ChatRoom` component is removed from the page, your Effect will disconnect one last time. +When the `ChatRoom` component above gets added to the page, it will connect to the chat room with the initial `serverUrl` and `roomId`. If either `serverUrl` or `roomId` change as a result of a commit (say, if the user picks a different chat room in a dropdown), your Effect will *disconnect from the previous room, and connect to the next one.* When the `ChatRoom` component is removed from the page, your Effect will disconnect one last time. **To [help you find bugs,](/learn/synchronizing-with-effects#step-3-add-cleanup-if-needed) in development React runs setup and cleanup one extra time before the setup.** This is a stress-test that verifies your Effect's logic is implemented correctly. If this causes visible issues, your cleanup function is missing some logic. The cleanup function should stop or undo whatever the setup function was doing. 
The rule of thumb is that the user shouldn't be able to distinguish between the setup being called once (as in production) and a *setup* → *cleanup* → *setup* sequence (as in development). [See common solutions.](/learn/synchronizing-with-effects#how-to-handle-the-effect-firing-twice-in-development) @@ -1145,7 +1145,7 @@ useEffect(() => { #### Passing a dependency array {/*passing-a-dependency-array*/} -If you specify the dependencies, your Effect runs **after the initial render _and_ after re-renders with changed dependencies.** +If you specify the dependencies, your Effect runs **after the initial commit _and_ after commits with changed dependencies.** ```js {3} useEffect(() => { @@ -1242,7 +1242,7 @@ button { margin-left: 5px; } #### Passing an empty dependency array {/*passing-an-empty-dependency-array*/} -If your Effect truly doesn't use any reactive values, it will only run **after the initial render.** +If your Effect truly doesn't use any reactive values, it will only run **after the initial commit.** ```js {3} useEffect(() => { @@ -1319,7 +1319,7 @@ export function createConnection(serverUrl, roomId) { #### Passing no dependency array at all {/*passing-no-dependency-array-at-all*/} -If you pass no dependency array at all, your Effect runs **after every single render (and re-render)** of your component. +If you pass no dependency array at all, your Effect runs **after every single commit** of your component. ```js {3} useEffect(() => { 
@@ -1480,7 +1480,7 @@ Now that you're passing `c => c + 1` instead of `count + 1`, [your Effect no lon ### Removing unnecessary object dependencies {/*removing-unnecessary-object-dependencies*/} -If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every render because the `options` object is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) +If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every commit because the `options` object is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) ```js {6-9,12,15} const serverUrl = 'https://localhost:1234'; @@ -1497,7 +1497,7 @@ function ChatRoom({ roomId }) { const connection = createConnection(options); // It's used inside the Effect connection.connect(); return () => connection.disconnect(); - }, [options]); // 🚩 As a result, these dependencies are always different on a re-render + }, [options]); // 🚩 As a result, these dependencies are always different on a commit // ... ``` 
@@ -1583,7 +1583,7 @@ With this fix, typing into the input doesn't reconnect the chat. Unlike an objec ### Removing unnecessary function dependencies {/*removing-unnecessary-function-dependencies*/} -If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every render because the `createOptions` function is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) +If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every commit because the `createOptions` function is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) ```js {4-9,12,16} function ChatRoom({ roomId }) { @@ -1601,11 +1601,11 @@ function ChatRoom({ roomId }) { const connection = createConnection(); connection.connect(); return () => connection.disconnect(); - }, [createOptions]); // 🚩 As a result, these dependencies are always different on a re-render + }, [createOptions]); // 🚩 As a result, these dependencies are always different on a commit // ... ``` -By itself, creating a function from scratch on every re-render is not a problem. You don't need to optimize that. However, if you use it as a dependency of your Effect, it will cause your Effect to re-run after every re-render. +By itself, creating a function from scratch on every re-render is not a problem. You don't need to optimize that. However, if you use it as a dependency of your Effect, it will cause your Effect to re-run after every commit. Avoid using a function created during rendering as a dependency. Instead, declare it inside the Effect: 
@@ -1775,7 +1775,7 @@ First, check that you haven't forgotten to specify the dependency array: ```js {3} useEffect(() => { // ... -}); // 🚩 No dependency array: re-runs after every render! +}); // 🚩 No dependency array: re-runs after every commit! ``` If you've specified the dependency array but your Effect still re-runs in a loop, it's because one of your dependencies is different on every re-render. diff --git a/src/content/reference/react/useLayoutEffect.md b/src/content/reference/react/useLayoutEffect.md index 5ae152b67..24b360404 100644 --- a/src/content/reference/react/useLayoutEffect.md +++ b/src/content/reference/react/useLayoutEffect.md 
@@ -47,9 +47,9 @@ function Tooltip() { #### Parameters {/*parameters*/} -* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. Before your component is added to the DOM, React will run your setup function. After every re-render with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. Before your component is removed from the DOM, React will run your cleanup function. +* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. Before your [component commits](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom), React will run your setup function. After every commit with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. Before your component is removed from the DOM, React will run your cleanup function. -* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. Reactive values include props, state, and all the variables and functions declared directly inside your component body. If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every re-render of the component. +* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. 
Reactive values include props, state, and all the variables and functions declared directly inside your component body. If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every commit of the component. #### Returns {/*returns*/} From 2a0fed01500bd6e7f4214824b414729918a74c20 Mon Sep 17 00:00:00 2001 From: Ricky Date: Thu, 11 Dec 2025 15:12:39 -0500 Subject: [PATCH 02/10] 12/11 blog post (#8193) --- ...ulnerability-in-react-server-components.md | 18 +- ...ode-exposure-in-react-server-components.md | 165 ++++++++++++++++++ src/content/blog/index.md | 6 + src/content/versions.md | 3 + src/sidebarBlog.json | 9 +- 5 files changed, 199 insertions(+), 2 deletions(-) create mode 100644 src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index 90a549bc2..3fe7c0bd2 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md 
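Review bot: In PATCH 01/10, the `useLayoutEffect.md` hunk at `@@ -47,9 +47,9 @@` now reads "Before your [component commits](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom), React will run your setup function", which contradicts the link target it points at: a layout Effect's setup runs as part of the commit, after React has applied the DOM mutations and before the browser paints, not before the commit. Suggest "During your component's commit, after React has updated the DOM, React will run your setup function" (the `useEffect.md` wording "When your component commits" is fine as is). Two smaller points in `useEffect.md`: the `@@ -1480,7` and `@@ -1583,7` hunks now mix the two terms in one sentence ("re-connects after every commit because the `options` object is different for every render"), and the `🚩` comments changed to "always different on a commit" are less accurate than the original, since the object or function is created on every render; "different on every render, so the Effect re-runs after every commit" would say both. In `@@ -1775,7`, the unchanged context line "one of your dependencies is different on every re-render" keeps the old term while the code comment right above it was changed to "commit", so this pass should either touch both or neither.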
@@ -42,7 +42,7 @@ If your app’s React code does not use a server, your app is not affected by th Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). -We will update this post with upgrade instructions on how to upgrade as they become available. +See the [update instructions below](#update-instructions) for how to upgrade to these patches. ### Hosting Provider Mitigations {/*hosting-provider-mitigations*/} @@ -156,6 +156,22 @@ Update to the latest version: npm install react@latest react-dom@latest react-server-dom-webpack@latest ``` + +### React Native {/*react-native*/} + +For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. + +If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed: + +- `react-server-dom-webpack` +- `react-server-dom-parcel` +- `react-server-dom-turbopack` + +This is required to mitigate the security advisory, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. + +See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information. + + ## Timeline {/*timeline*/} * **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/). 
diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md new file mode 100644 index 000000000..e1360226f --- /dev/null +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -0,0 +1,165 @@ +--- +title: "Denial of Service and Source Code Exposure in React Server Components" +author: The React Team +date: 2025/12/11 +description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183) + + +--- + +December 11, 2025 by [The React Team](/community/team) + +--- + + + +Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. + +**These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit. + + + +--- + +The new vulnerabilities are disclosed as: + +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) +- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) + +These issues are present in the patches published last week. + +We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. + + + + +#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} + +When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. + +This pattern shows up across the industry, not just in JavaScript. 
For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. + +Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. + + + +Further details of these vulnerabilities will be provided after the rollout of the fixes are complete. + +## Immediate Action Required {/*immediate-action-required*/} + +These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](http://localhost:3000/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). + +This includes versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of: + +* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) +* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) +* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) + +Fixes were backported to versions 19.0.2, 19.1.3, and 19.2.2. If you are using any of the above packages please upgrade to any of the fixed versions immediately. + +As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. + + + +#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} + +If you already updated for the Critical Security Vulnerability, you will need to update again. + + + +### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/} + +Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. 
The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). + +Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. + +### Hosting Provider Mitigations {/*hosting-provider-mitigations*/} + +As before, we have worked with a number of hosting providers to apply temporary mitigations. + +You should not depend on these to secure your app, and still update immediately. + +### React Native {/*react-native*/} + +For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. + +If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed: + +- `react-server-dom-webpack` +- `react-server-dom-parcel` +- `react-server-dom-turbopack` + +This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. + +See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information. + +## High Severity: Denial of Service {/*high-severity-denial-of-service*/} + +**CVE:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) +**Base Score:** 7.5 (High) + +Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. 
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. + +This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment. + +The patches published today mitigate by preventing the infinite loop. + + +## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/} + +**CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) +**Base Score**: 5.3 (Medium) + +A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument: + +```javascript +'use server'; + +export async function serverFunction(name) { + const conn = db.createConnection('SECRET KEY'); + const user = await conn.createUser(name); // implicitly stringified, leaked in db + + return { + id: user.id, + message: `Hello, ${name}!` // explicitly stringified, leaked in reply + }} +``` + +An attacker may be able to leak the following: + +```txt +0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"} +1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"} +``` + +The patches published today prevent stringifying the Server Function source code. + + + +#### Only secrets in source code may be exposed. {/*only-secrets-in-source-code-may-be-exposed*/} + +Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected. + +The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. 
+ +Always verify against production bundles. + + + +--- + +## Timeline {/*timeline*/} +* **December 3rd**: Leak reported to Vercel and [Meta Bug Bounty](https://bugbounty.meta.com/) by [Andrew MacPherson](https://github.com/AndrewMohawk). +* **December 4th**: Initial DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by [RyotaK](https://ryotak.net). +* **December 6th**: Both issues confirmed by the React team, and the team began investigating. +* **December 7th**: Initial fixes created and the React team began verifying and planning new patch. +* **December 8th**: Affected hosting providers and open source projects notified. +* **December 10th**: Hosting provider mitigations in place and patches verified. +* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) and added to patch. +* **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). + +--- + +## Attribution {/*attribution*/} + +Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc for reporting the initial Denial of Service vulnerability. diff --git a/src/content/blog/index.md b/src/content/blog/index.md index 5a2f1b7f1..30c4a3ffe 100644 --- a/src/content/blog/index.md +++ b/src/content/blog/index.md @@ -12,6 +12,12 @@ You can also follow the [@react.dev](https://bsky.app/profile/react.dev) account
+ + +Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability... + + + There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately. diff --git a/src/content/versions.md b/src/content/versions.md index 5b3cb2cd9..62be00cc3 100644 --- a/src/content/versions.md +++ b/src/content/versions.md @@ -54,11 +54,14 @@ For versions older than React 15, see [15.react.dev](https://15.react.dev). - [React 19 Deep Dive: Coordinating HTML](https://www.youtube.com/watch?v=IBBN-s77YSI) **Releases** +- [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1922-dec-11-2025) - [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1921-dec-3-2025) - [v19.2.0 (October, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1920-october-1st-2025) +- [v19.1.3 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1913-dec-11-2025) - [v19.1.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1912-dec-3-2025) - [v19.1.1 (July, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1911-july-28-2025) - [v19.1.0 (March, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1910-march-28-2025) +- [v19.0.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1902-dec-11-2025) - [v19.0.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1901-dec-3-2025) - [v19.0.0 (December, 2024)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1900-december-5-2024) diff --git a/src/sidebarBlog.json b/src/sidebarBlog.json index b048ba9ca..e5da90fe9 100644 --- a/src/sidebarBlog.json +++ b/src/sidebarBlog.json 
@@ -11,11 +11,18 @@ "path": "/blog", "skipBreadcrumb": true, "routes": [ + { + "title": "Denial of Service and Source Code Exposure in React Server Components", + "titleForHomepage": "Additional Vulnerabilities in RSC", + "icon": "blog", + "date": "December 11, 2025", + "path": "/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components" + }, { "title": "Critical Security Vulnerability in React Server Components", "titleForHomepage": "Vulnerability in React Server Components", "icon": "blog", - "date": "December 03, 2025", + "date": "December 3, 2025", "path": "/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" }, { From 1a955f0323af1beda3123dfe9cec86b9c3c82c45 Mon Sep 17 00:00:00 2001 From: Ricky Date: Thu, 11 Dec 2025 16:18:58 -0500 Subject: [PATCH 03/10] rm localhost link (#8194) --- ...rvice-and-source-code-exposure-in-react-server-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index e1360226f..ed491cddc 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
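Review bot: In PATCH 02/10, the `versions.md` hunk adds `- [v19.2.1 (December, 2025)](.../CHANGELOG.md#1922-dec-11-2025)`: the link text should be `v19.2.2` (the anchor is `#1922-dec-11-2025` and the post announces fixes in 19.0.2, 19.1.3 and 19.2.2); as written the list shows two v19.2.1 entries. In the new `2025/12/11/...` post: the `CVE-2025-55182` link points at `http://localhost:3000/blog/...` and needs the site-relative `/blog/2025/12/03/...` form; the version list reads `19.0.0, 19.0.1 19.1.0` with a missing comma after `19.0.1`; the affected-frameworks line links `[@vite/rsc-plugin]` to the `@vitejs/plugin-rsc` npm page while the 12/03 post names it `@vitejs/plugin-rsc`, so the link text should match the package name; the `## Medium Severity: Source Code Exposure` heading still carries the anchor `{/*low-severity-source-code-exposure*/}`; and in the `serverFunction` sample the closing `}}` puts the object's and the function's braces on one line, which looks like a formatting slip. Grammar: "after the rollout of the fixes are complete" should be "is complete", and the Attribution sentence needs an "and" before "[RyotaK]".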
@@ -47,7 +47,7 @@ Further details of these vulnerabilities will be provided after the rollout of t ## Immediate Action Required {/*immediate-action-required*/} -These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](http://localhost:3000/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). +These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). This includes versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of: From 72f8998872ab958924a0ff1fda818fae48d5b031 Mon Sep 17 00:00:00 2001 From: Ricky Date: Thu, 11 Dec 2025 17:15:41 -0500 Subject: [PATCH 04/10] Update instructions (#8195) --- ...ulnerability-in-react-server-components.md | 31 +++++++++++++------ ...ode-exposure-in-react-server-components.md | 19 ++++++------ 2 files changed, 31 insertions(+), 19 deletions(-) diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index 3fe7c0bd2..d47730ecd 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md 
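Review bot: In PATCH 03/10, the hunk at `@@ -47,7 +47,7 @@` fixes the `localhost:3000` link, but the context line directly below it still reads `19.0.0, 19.0.1 19.1.0` with a missing comma after `19.0.1`; since this patch already touches that paragraph, it is the natural place to fix it too.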
@@ -58,27 +58,40 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F ## Update Instructions {/*update-instructions*/} + + +These instructions have been updated to include the new vulnerabilities: + + +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) +- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) + +See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info. + + + ### Next.js {/*update-next-js*/} All users should upgrade to the latest patched version in their release line: ```bash -npm install next@15.0.5 // for 15.0.x -npm install next@15.1.9 // for 15.1.x -npm install next@15.2.6 // for 15.2.x -npm install next@15.3.6 // for 15.3.x -npm install next@15.4.8 // for 15.4.x -npm install next@15.5.7 // for 15.5.x -npm install next@16.0.7 // for 16.0.x +npm install next@14.2.34 // for 14.x +npm install next@15.0.6 // for 15.0.x +npm install next@15.1.10 // for 15.1.x +npm install next@15.2.7 // for 15.2.x +npm install next@15.3.7 // for 15.3.x +npm install next@15.4.9 // for 15.4.x +npm install next@15.5.8 // for 15.5.x +npm install next@16.0.9 // for 16.0.x ``` -If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release: +If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release: ```bash npm install next@14 ``` -See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. +See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. ### React Router {/*update-react-router*/} 
diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index ed491cddc..54e4a8760 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -26,20 +26,15 @@ The new vulnerabilities are disclosed as: - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) -These issues are present in the patches published last week. - We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. - -#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} - -When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. +#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} -This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. +If you already updated for the Critical Security Vulnerability, you will need to update again. -Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. +Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. 
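Review bot: the new heading "The patches published last week are vulnerable" and the paragraph under it never say which version numbers that means; the removed sentence "These issues are present in the patches published last week" had the same gap. Readers checking a lockfile need the numbers (the 19.0.1 / 19.1.2 / 19.2.1 set from the original advisory), and "last week" stops being accurate the moment a further patch ships. Name the versions here rather than relying on the relative date.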
@@ -61,9 +56,13 @@ As before, if your app’s React code does not use a server, your app is not aff -#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} +#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} -If you already updated for the Critical Security Vulnerability, you will need to update again. +When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. + +This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. + +Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. From e44d3b70a04e7ab23ccdc9cbd9d1dd8ece81cc0b Mon Sep 17 00:00:00 2001 From: Ricky Date: Thu, 11 Dec 2025 18:55:34 -0500 Subject: [PATCH 05/10] Add additional DoS CVE (#8196) --- ...ode-exposure-in-react-server-components.md | 30 ++++++++++++++----- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index 54e4a8760..119317edc 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -23,16 +23,18 @@ Security researchers have found and disclosed two additional vulnerabilities in The new vulnerabilities are disclosed as: -- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. -#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} +#### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/} -If you already updated for the Critical Security Vulnerability, you will need to update again. +If you already updated for the Critical Security Vulnerability last week, you will need to update again. + +If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again. Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. 
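Review bot: "If you updated to 19.0.2, 19.1.3, and 19.2.2" should read "19.0.2, 19.1.3, or 19.2.2"; an app is on one of those versions, not all three. In the bullet above, "(CVSS 7.5)" now trails two CVE links; make explicit that both CVE-2025-55184 and CVE-2025-67779 carry that score, or give each its own, so the score is not read as applying to the second CVE only.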
@@ -44,13 +46,13 @@ Further details of these vulnerabilities will be provided after the rollout of t These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). -This includes versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of: +This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) -Fixes were backported to versions 19.0.2, 19.1.3, and 19.2.2. If you are using any of the above packages please upgrade to any of the fixed versions immediately. +Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately. As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. 
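Review bot: the new version list repeats `19.1.2` ("19.1.1, 19.1.2, 19.1.2, 19.2.0"); drop the duplicate. The unchanged lead sentence "present in the same packages and versions as CVE-2025-55182" is also no longer accurate: the list now includes 19.0.2, 19.1.3 and 19.2.2, which were the fixed versions for CVE-2025-55182, so the affected set is a superset. Say "the same packages as CVE-2025-55182, in the following versions" and let the list speak for itself.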
@@ -94,7 +96,7 @@ See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomm ## High Severity: Denial of Service {/*high-severity-denial-of-service*/} -**CVE:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) +**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) **Base Score:** 7.5 (High) Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. @@ -103,6 +105,17 @@ This creates a vulnerability vector where an attacker may be able to deny users The patches published today mitigate by preventing the infinite loop. + + +#### Additional fix published {/*additional-fix-published*/} + +The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete. + +This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe. + +We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions. + + ## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/} 
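Review bot: the unchanged context line "The patches published today mitigate by preventing the infinite loop." now sits directly above a new block saying the original fix was incomplete, which reads as a contradiction; qualify it with the versions that carry the complete fix. In the new block, "Versions 19.0.3, 19.1.4, 19.2.3 are safe" claims more than the post supports; "contain the complete fix for both DoS CVEs" is the defensible statement. Also visible in the context: the "Medium Severity: Source Code Exposure" heading still carries the anchor `{/*low-severity-source-code-exposure*/}`; it is pre-existing, and changing it would break inbound links, but it is worth a follow-up.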
@@ -154,11 +167,12 @@ Always verify against production bundles. * **December 7th**: Initial fixes created and the React team began verifying and planning new patch. * **December 8th**: Affected hosting providers and open source projects notified. * **December 10th**: Hosting provider mitigations in place and patches verified. -* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) and added to patch. +* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura. * **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). +* **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). --- ## Attribution {/*attribution*/} -Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc for reporting the initial Denial of Service vulnerability. +Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. From 9527378306f12e588c6f7db8499c96dc90cadf2b Mon Sep 17 00:00:00 2001 From: Ricky Date: Thu, 11 Dec 2025 19:18:26 -0500 Subject: [PATCH 06/10] update nextjs instructions (#8197) --- ...itical-security-vulnerability-in-react-server-components.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index d47730ecd..aa6f8f1ad 100644 
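Review bot: removing "and added to patch" from the first December 11th entry leaves the timeline silent on what happened to Shinsaku Nomura's report, while the next entry says the CVE-2025-67779 case was "found internally" and the attribution credits Nomura for "the Denial of Service vulnerabilities" (plural). A reader cannot tell whether Nomura's report is part of CVE-2025-55184, is CVE-2025-67779, or is a third case. State the mapping explicitly in the timeline entry, e.g. which CVE his report was folded into.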
--- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md @@ -62,10 +62,11 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F These instructions have been updated to include the new vulnerabilities: - - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) +They also include the additional case found, patched, and disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). + See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info. From 1e74023dd276f15530bf7c3e3bb4f7420291c8b0 Mon Sep 17 00:00:00 2001 From: Matt Carroll <7158882+mattcarrollcode@users.noreply.github.com> Date: Thu, 11 Dec 2025 17:01:10 -0800 Subject: [PATCH 07/10] [Blog] Update safe Next.js versions (#8199) --- ...ulnerability-in-react-server-components.md | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index aa6f8f1ad..ffef6119d 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md 
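Review bot: "They also include the additional case found, patched, and disclosed as CVE-2025-67779" has "They" referring to the instructions, and instructions do not "include a case"; rephrase as "The versions below also contain the fix for the additional case disclosed as CVE-2025-67779". Listing CVE-2025-67779 in the DoS bullet next to CVE-2025-55184, as the follow-up post does, would also keep the two posts consistent.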
@@ -20,9 +20,9 @@ We recommend upgrading immediately. --- -On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. +On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. -Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. +Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0. 
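Review bot: this hunk and the next change only trailing whitespace on paragraphs that are otherwise untouched, and they are bundled into a patch whose subject is "Update safe Next.js versions". Whitespace-only hunks on translated paragraphs produce merge conflicts for every localization fork: the "Resolve conflicts" patch later in this series shows `<<<<<<< HEAD` markers on exactly these two paragraphs ("On November 29th, Lachlan Davidson..." and "Even if your app does not implement..."). Either drop the whitespace changes or land them in a separate commit.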
@@ -40,7 +40,7 @@ If your app’s React code does not use a server, your app is not affected by th ### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/} -Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). +Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). See the [update instructions below](#update-instructions) for how to upgrade to these patches. 
@@ -76,16 +76,21 @@ See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code All users should upgrade to the latest patched version in their release line: ```bash -npm install next@14.2.34 // for 14.x -npm install next@15.0.6 // for 15.0.x -npm install next@15.1.10 // for 15.1.x -npm install next@15.2.7 // for 15.2.x -npm install next@15.3.7 // for 15.3.x -npm install next@15.4.9 // for 15.4.x -npm install next@15.5.8 // for 15.5.x -npm install next@16.0.9 // for 16.0.x +npm install next@14.2.35 // for 13.3.x, 13.4.x, 13.5.x, 14.x +npm install next@15.0.7 // for 15.0.x +npm install next@15.1.11 // for 15.1.x +npm install next@15.2.8 // for 15.2.x +npm install next@15.3.8 // for 15.3.x +npm install next@15.4.10 // for 15.4.x +npm install next@15.5.9 // for 15.5.x +npm install next@16.0.10 // for 16.0.x + +npm install next@15.6.0-canary.60 // for 15.x canary releases +npm install next@16.1.0-canary.19 // for 16.x canary releases ``` +If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`. + If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release: ```bash From 2da4f7fbd90ddc09835c9f85d61fd5644a271abc Mon Sep 17 00:00:00 2001 From: Matt Carroll <7158882+mattcarrollcode@users.noreply.github.com> Date: Thu, 11 Dec 2025 17:06:56 -0800 Subject: [PATCH 08/10] Update to Next.js 15.1.11 (#8200) --- package.json | 2 +- yarn.lock | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/package.json b/package.json index 657be8877..55fcc0a5b 100644 --- a/package.json +++ b/package.json @@ -35,7 +35,7 @@ "classnames": "^2.2.6", "debounce": "^1.2.1", "github-slugger": "^1.3.0", - "next": "15.1.9", + "next": "15.1.11", "next-remote-watch": "^1.0.0", "parse-numeric-range": "^1.2.0", "react": "^19.0.0", diff --git a/yarn.lock b/yarn.lock index a07b2f280..a1ce77d11 100644 --- a/yarn.lock +++ b/yarn.lock 
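Review bot: the new sentence "If you are on version `13.3` or later version of Next.js 13" needs "or a later version", and it restates what the `next@14.2.35 // for 13.3.x, 13.4.x, 13.5.x, 14.x` annotation already says; keep one of the two. More importantly, "All users should upgrade" is followed by no instruction for Next.js 13.0 to 13.2 (or 12.x): if those release lines are not affected, say so explicitly; if they are, give them a target. The `//` trailing comments in the bash block are still not shell comments and will be passed to npm as extra arguments; `#` is safe to copy.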
@@ -1225,10 +1225,10 @@ unist-util-visit "^4.0.0" vfile "^5.0.0" -"@next/env@15.1.9": - version "15.1.9" - resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.9.tgz#3569b6dd6a9b0af998fc6e4902da6b9ed2fc36c9" - integrity sha512-Te1wbiJ//I40T7UePOUG8QBwh+VVMCc0OTuqesOcD3849TVOVOyX4Hdrkx7wcpLpy/LOABIcGyLX5P/SzzXhFA== +"@next/env@15.1.11": + version "15.1.11" + resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.11.tgz#599a126f7ce56decc39cea46668cb60d96b66bc6" + integrity sha512-yp++FVldfLglEG5LoS2rXhGypPyoSOyY0kxZQJ2vnlYJeP8o318t5DrDu5Tqzr03qAhDWllAID/kOCsXNLcwKw== "@next/eslint-plugin-next@12.0.3": version "12.0.3" @@ -5797,12 +5797,12 @@ next-tick@^1.1.0: resolved "https://registry.npmjs.org/next-tick/-/next-tick-1.1.0.tgz" integrity sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ== -next@15.1.9: - version "15.1.9" - resolved "https://registry.yarnpkg.com/next/-/next-15.1.9.tgz#eaab46d7a57c881fadf748d8ba2a8c65ec27ad8f" - integrity sha512-OoQpDPV2i3o5Hnn46nz2x6fzdFxFO+JsU4ZES12z65/feMjPHKKHLDVQ2NuEvTaXTRisix/G5+6hyTkwK329kA== +next@15.1.11: + version "15.1.11" + resolved "https://registry.yarnpkg.com/next/-/next-15.1.11.tgz#8a70a236e02d8dd62fb0569bedfd5e4290e7af55" + integrity sha512-UiVJaOGhKST58AadwbFUZThlNBmYhKqaCs8bVtm4plTxsgKq0mJ0zTsp7t7j/rzsbAEj9WcAMdZCztjByi4EoQ== dependencies: - "@next/env" "15.1.9" + "@next/env" "15.1.11" "@swc/counter" "0.1.3" "@swc/helpers" "0.5.15" busboy "1.6.0" From e72a4d2caa9f03091ef823cdf988a538800ccdcd Mon Sep 17 00:00:00 2001 From: Soichiro Miki Date: Mon, 15 Dec 2025 13:57:43 +0900 Subject: [PATCH 09/10] Resolve conflicts --- ...ulnerability-in-react-server-components.md | 48 ++++---------- src/content/blog/index.md | 8 +-- src/content/reference/react/useEffect.md | 62 +++---------------- .../reference/react/useLayoutEffect.md | 10 +-- src/sidebarBlog.json | 9 +-- 5 files changed, 28 insertions(+), 109 deletions(-) 
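Review bot: the updated `next` and `@next/env` entries resolve to `registry.yarnpkg.com` while the adjacent unchanged `next-tick` entry resolves to `registry.npmjs.org`, so the lockfile now pins tarballs from two registry hosts depending on which machine last ran the update. Pick one host for `resolved` URLs so the lockfile is reproducible and reviewers can diff it cleanly. Before merging, confirm the `integrity` values for `next@15.1.11` and `@next/env@15.1.11` against the registry's published metadata; the blog post this repo serves tells readers to install exactly this version, so the site should be building from a verified copy of it.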
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index 80d7dc059..eb20b3984 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md @@ -20,15 +20,9 @@ React Server Components に、認蚌䞍芁のリモヌトコヌド実行の脆 --- -<<<<<<< HEAD 11 月 29 日、Lachlan Davidson 氏が React のセキュリティ脆匱性を報告したした。これは、React Server Function の゚ンドポむントに送信されたペむロヌドを React がデコヌドする際の欠陥を悪甚するこずで、未認蚌状態でのリモヌトコヌド実行を可胜にするものです。 アプリが React のサヌバ関数 (Server Function) の゚ンドポむントを実装しおいない堎合でも、React Server Components をサポヌトしおいる堎合は脆匱性の圱響を受ける可胜性がありたす。 -======= -On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. - -Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc この脆匱性は [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) ずしお公開されおおり、CVSS スコアは 10.0 です。 
@@ -46,15 +40,9 @@ Even if your app does not implement any React Server Function endpoints it may s ### 圱響を受けるフレヌムワヌクずバンドラ {/*affected-frameworks-and-bundlers*/} -<<<<<<< HEAD 䞀郚の React フレヌムワヌクやバンドラが、脆匱性のある React パッケヌゞに䟝存しおいるか、peer dependency ずしお䟝存しおいるか、あるいはそれらを含んでいたした。圱響を受ける React フレヌムワヌクやバンドラは以䞋の通りです[next](https://www.npmjs.com/package/next)、[react-router](https://www.npmjs.com/package/react-router)、[waku](https://www.npmjs.com/package/waku)、[@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc)、[@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc)、[rwsdk](https://www.npmjs.com/package/rwsdk) -アップグレヌド方法に関する指瀺が利甚可胜になり次第、この蚘事を曎新したす。 -======= -Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). - -See the [update instructions below](#update-instructions) for how to upgrade to these patches. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +アップグレヌド方法に぀いお、[以䞋の曎新手順](#update-instructions)を参照しおください。 ### ホスティングプロバむダによる緩和策 {/*hosting-provider-mitigations*/} 
@@ -72,14 +60,14 @@ See the [update instructions below](#update-instructions) for how to upgrade to -These instructions have been updated to include the new vulnerabilities: +以䞋のガむドは新たに発芋された以䞋の脆匱性にも察応するよう曎新枈みです。 - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) -They also include the additional case found, patched, and disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). +たた新たに発芋され [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) で報告・修正枈みの問題にも察応しおいたす。 -See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info. +詳现に぀いおは[フォロヌアップブログ蚘事](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)を参照しおください。 
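Review bot: the two bullet lines ("Denial of Service - High Severity", "Source Code Exposure - Medium Severity") are left in English while the sentences around them are translated; either translate them or note in the commit that the CVE titles are intentionally kept verbatim. "以䞋のガむドは新たに発芋された以䞋の脆匱性にも察応するよう曎新枈みです。" uses 以䞋の twice in one sentence (the guide below, the vulnerabilities below); "以䞋のガむドは、新たに発芋された次の脆匱性にも察応するよう曎新枈みです。" reads more naturally.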
@@ -101,23 +89,15 @@ npm install next@15.6.0-canary.60 // for 15.x canary releases npm install next@16.1.0-canary.19 // for 16.x canary releases ``` -<<<<<<< HEAD -Next.js 14.3.0-canary.77 たたはそれ以降の canary リリヌスを䜿甚しおいる堎合は、最新の安定版 14.x リリヌスにダりングレヌドしおください。 -======= -If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`. +Next.js 13 のバヌゞョン `13.3` 以降 (`13.3.x`、`13.4.x`、`13.5.x`) を䜿甚しおいる堎合は、バヌゞョン `14.2.35` にアップグレヌドしおください。 -If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release: ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +`next@14.3.0-canary.77` たたはそれ以降の canary リリヌスを䜿甚しおいる堎合は、最新の安定版 14.x リリヌスにダりングレヌドしおください。 ```bash npm install next@14 ``` -<<<<<<< HEAD -詳现は [Next.js の倉曎履歎](https://nextjs.org/blog/CVE-2025-66478) を参照しおください。 -======= -See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +最新の曎新手順に぀いおは [Next.js ブログ](https://nextjs.org/blog/security-update-2025-12-11)を、詳现に぀いおは[前回の倉曎履歎](https://nextjs.org/blog/CVE-2025-66478)を参照しおください。 ### React Router {/*update-react-router*/} 
@@ -195,27 +175,23 @@ npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest npm install react@latest react-dom@latest react-server-dom-webpack@latest ``` -<<<<<<< HEAD -## タむムラむン {/*timeline*/} -======= ### React Native {/*react-native*/} -For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. +モノレポや `react-dom` を䜿甚しおいない React Native ナヌザの堎合、`react` バヌゞョンは `package.json` で固定されおいるはずですので、远加の手順は必芁ありたせん。 -If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed: +モノレポで React Native を䜿甚しおいる堎合は、以䞋のパッケヌゞがむンストヌルされおいる堎合に*それらのみ*を曎新しおください。 - `react-server-dom-webpack` - `react-server-dom-parcel` - `react-server-dom-turbopack` -This is required to mitigate the security advisory, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. +これはセキュリティ䞊の問題を緩和するために必芁ですが、`react` および `react-dom` を曎新する必芁はなく、そのため React Native でのバヌゞョン䞍䞀臎゚ラヌが発生するこずはありたせん。 -See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information. +詳现に぀いおは[この issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) を参照しおください。 -## Timeline {/*timeline*/} ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +## タむムラむン {/*timeline*/} * **11 月 29 日**: Lachlan Davidson 氏が [Meta Bug Bounty](https://bugbounty.meta.com/) を通じお脆匱性を報告。 * **11 月 30 日**: Meta のセキュリティ研究者が確認し、React チヌムず協力しお修正䜜業を開始。 diff --git a/src/content/blog/index.md b/src/content/blog/index.md index 87762f753..e931da54a 100644 --- a/src/content/blog/index.md +++ b/src/content/blog/index.md @@ -16,17 +16,13 @@ Bluesky の [@react.dev](https://bsky.app/profile/react.dev) や Twitter の [@r
-<<<<<<< HEAD - -======= -Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability... +Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week's critical vulnerability... - ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc + React Server Components に、認蚌䞍芁のリモヌトコヌド実行の脆匱性が存圚したす。バヌゞョン 19.0.1、19.1.2、19.2.1 で修正が公開されたした。盎ちにアップグレヌドするこずを掚奚したす。 diff --git a/src/content/reference/react/useEffect.md b/src/content/reference/react/useEffect.md index f6b4ed57a..d7c9f429f 100644 --- a/src/content/reference/react/useEffect.md +++ b/src/content/reference/react/useEffect.md 
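Review bot: the resolution keeps the new index entry's summary in English ("Security researchers have found and disclosed two additional vulnerabilities...") in a file whose other entries are Japanese, and the only edit applied to it is ’ to '; translate it in this patch or mark it as pending. The unchanged entry below still says "バヌゞョン 19.0.1、19.1.2、19.2.1 で修正が公開されたした", but the follow-up post in this same series lists 19.0.1, 19.1.2 and 19.2.1 among the vulnerable versions and names 19.0.3, 19.1.4 and 19.2.3 as the fixed ones; the index summary for the critical-vulnerability post should be updated so the blog landing page does not send readers to versions the follow-up declares vulnerable.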
@@ -44,15 +44,9 @@ function ChatRoom({ roomId }) { #### 匕数 {/*parameters*/} -<<<<<<< HEAD -* `setup`: ゚フェクトのロゞックが蚘述された関数です。このセットアップ関数は、オプションで*クリヌンアップ*関数を返すこずができたす。コンポヌネントが初めお DOM に远加されるず、React はセットアップ関数を実行したす。䟝存配列 (dependencies) が倉曎された再レンダヌ時には、React はたず叀い倀を䜿っおクリヌンアップ関数あればを実行し、次に新しい倀を䜿っおセットアップ関数を実行したす。コンポヌネントが DOM から削陀された埌、React はクリヌンアップ関数を最埌にもう䞀床実行したす。 +* `setup`: ゚フェクトのロゞックが蚘述された関数です。このセットアップ関数は、オプションで*クリヌンアップ*関数を返すこずができたす。[コンポヌネントがコミットされる](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom)ず、React はセットアップ関数を実行したす。䟝存配列 (dependencies) が倉曎された次のコミット時には、React はたず叀い倀を䜿っおクリヌンアップ関数あればを実行し、次に新しい倀を䜿っおセットアップ関数を実行したす。コンポヌネントが DOM から削陀された埌、React はクリヌンアップ関数を最埌にもう䞀床実行したす。 -* **省略可胜** `dependencies`: `setup` コヌド内で参照されるすべおのリアクティブな倀のリストです。リアクティブな倀には、props、state、コンポヌネント本䜓に盎接宣蚀されたすべおの倉数および関数が含たれたす。リンタが [React 甚に蚭定されおいる堎合](/learn/editor-setup#linting)、すべおのリアクティブな倀が䟝存倀ずしお正しく指定されおいるか確認できたす。䟝存倀のリストは芁玠数が䞀定である必芁があり、`[dep1, dep2, dep3]` のようにむンラむンで蚘述する必芁がありたす。React は、[`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) を䜿った比范で、それぞれの䟝存倀を以前の倀ず比范したす。この匕数を省略するず、゚フェクトはコンポヌネントの毎回のレンダヌ埌に再実行されたす。[䟝存倀の配列を枡す堎合ず空の配列を枡す堎合、および䜕も枡さない堎合の違い](#examples-dependencies)を確認しおください。 -======= -* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. When your [component commits](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom), React will run your setup function. After every commit with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. After your component is removed from the DOM, React will run your cleanup function. - -* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. Reactive values include props, state, and all the variables and functions declared directly inside your component body. 
If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every commit of the component. [See the difference between passing an array of dependencies, an empty array, and no dependencies at all.](#examples-dependencies) ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +* **省略可胜** `dependencies`: `setup` コヌド内で参照されるすべおのリアクティブな倀のリストです。リアクティブな倀には、props、state、コンポヌネント本䜓に盎接宣蚀されたすべおの倉数および関数が含たれたす。リンタが [React 甚に蚭定されおいる堎合](/learn/editor-setup#linting)、すべおのリアクティブな倀が䟝存倀ずしお正しく指定されおいるか確認できたす。䟝存倀のリストは芁玠数が䞀定である必芁があり、`[dep1, dep2, dep3]` のようにむンラむンで蚘述する必芁がありたす。React は、[`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) を䜿った比范で、それぞれの䟝存倀を以前の倀ず比范したす。この匕数を省略するず、゚フェクトはコンポヌネントの毎回のコミット埌に再実行されたす。[䟝存倀の配列を枡す堎合ず空の配列を枡す堎合、および䜕も枡さない堎合の違い](#examples-dependencies)を確認しおください。 #### 返り倀 {/*returns*/} 
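Review bot: "䟝存配列 (dependencies) が倉曎された次のコミット時には" narrows the upstream "After every commit with changed dependencies" to a single next commit; "䟝存配列 (dependencies) が倉曎されたコミットのたびに" keeps the "every" semantics. The rest of the setup/dependencies wording matches the upstream change from render to commit, including "毎回のコミット埌に再実行されたす" for "after every commit of the component".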
@@ -112,27 +106,15 @@ function ChatRoom({ roomId }) { **React は必芁に応じおセットアップ関数ずクリヌンアップ関数を呌び出し、これは耇数回行われるこずがありたす。** -<<<<<<< HEAD 1. コンポヌネントがペヌゞに远加*マりント*されるず、セットアップコヌドが実行されたす。 -2. 䟝存倀が倉曎された䞊でコンポヌネントが再レンダヌされる床に +2. 䟝存倀が倉曎された䞊でコンポヌネントがコミットされる床に - たず、叀い props ず state でクリヌンアップコヌドが実行されたす。 - 次に、新しい props ず state でセットアップコヌドが実行されたす。 3. コンポヌネントがペヌゞから削陀*アンマりント*されるず、最埌にクリヌンアップコヌドが実行されたす。 -======= -1. Your setup code runs when your component is added to the page *(mounts)*. -2. After every commit of your component where the dependencies have changed: - - First, your cleanup code runs with the old props and state. - - Then, your setup code runs with the new props and state. -3. Your cleanup code runs one final time after your component is removed from the page *(unmounts).* ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc **䞊蚘の䟋でこのシヌケンスを説明したしょう。** -<<<<<<< HEAD -䞊蚘の `ChatRoom` コンポヌネントがペヌゞに远加されるず、`serverUrl` ず `roomId` の初期倀を䜿っおチャットルヌムに接続したす。`serverUrl` たたは `roomId` が再レンダヌの結果ずしお倉曎される堎合䟋えば、ナヌザがドロップダりンで別のチャットルヌムを遞択した堎合、あなたの゚フェクトは*以前のルヌムから切断し、次のルヌムに接続したす*。`ChatRoom` コンポヌネントがペヌゞから削陀されるず、あなたの゚フェクトは最埌の切断を行いたす。 -======= -When the `ChatRoom` component above gets added to the page, it will connect to the chat room with the initial `serverUrl` and `roomId`. If either `serverUrl` or `roomId` change as a result of a commit (say, if the user picks a different chat room in a dropdown), your Effect will *disconnect from the previous room, and connect to the next one.* When the `ChatRoom` component is removed from the page, your Effect will disconnect one last time. 
->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +䞊蚘の `ChatRoom` コンポヌネントがペヌゞに远加されるず、`serverUrl` ず `roomId` の初期倀を䜿っおチャットルヌムに接続したす。`serverUrl` たたは `roomId` がコミットの結果ずしお倉曎される堎合䟋えば、ナヌザがドロップダりンで別のチャットルヌムを遞択した堎合、あなたの゚フェクトは*以前のルヌムから切断し、次のルヌムに接続したす*。`ChatRoom` コンポヌネントがペヌゞから削陀されるず、あなたの゚フェクトは最埌の切断を行いたす。 **[バグを芋぀け出すために](/learn/synchronizing-with-effects#step-3-add-cleanup-if-needed)、開発䞭には React はセットアップずクリヌンアップを、セットアップの前に 1 回䜙分に実行したす**。これは、゚フェクトのロゞックが正しく実装されおいるこずを確認するストレステストです。これが目に芋える問題を匕き起こす堎合、クリヌンアップ関数に䞀郚のロゞックが欠けおいたす。クリヌンアップ関数は、セットアップ関数が行っおいたこずを停止ないし元に戻す必芁がありたす。基本ルヌルずしお、ナヌザはセットアップが䞀床しか呌ばれおいない本番環境の堎合か、*セットアップ* → *クリヌンアップ* → *セットアップ*のシヌケンス開発環境の堎合で呌ばれおいるかを区別できないようにする必芁がありたす。[䞀般的な解決法を参照しおください](/learn/synchronizing-with-effects#how-to-handle-the-effect-firing-twice-in-development)。 @@ -1163,11 +1145,7 @@ useEffect(() => { #### 䟝存配列を枡す {/*passing-a-dependency-array*/} -<<<<<<< HEAD -䟝存配列を指定するず、゚フェクトは**最初のレンダヌ埌*および*䟝存配列が倉わった埌の再レンダヌ埌に実行されたす。** -======= -If you specify the dependencies, your Effect runs **after the initial commit _and_ after commits with changed dependencies.** ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +䟝存配列を指定するず、゚フェクトは**最初のコミット埌*および*䟝存配列が倉わった埌の再コミット埌に実行されたす。** ```js {3} useEffect(() => { @@ -1264,11 +1242,7 @@ button { margin-left: 5px; } #### 空の䟝存配列を枡す {/*passing-an-empty-dependency-array*/} -<<<<<<< HEAD -あなたの゚フェクトがリアクティブな倀を本圓に䜿っおいないのであれば、それは**初回のレンダヌ埌に**のみ実行されたす。 -======= -If your Effect truly doesn't use any reactive values, it will only run **after the initial commit.** ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +あなたの゚フェクトがリアクティブな倀を本圓に䜿っおいないのであれば、それは**初回のコミット埌に**のみ実行されたす。 ```js {3} useEffect(() => { 
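Review bot: in the "䟝存配列を枡す" hunk, "最初のコミット埌*および*䟝存配列が倉わった埌の再コミット埌に" coins 再コミット and stacks 埌 twice; upstream says "after the initial commit and after commits with changed dependencies", which maps more directly to "最初のコミット埌*および*䟝存配列が倉わったコミットの埌に". The empty-array and no-array hunks below it ("初回のコミット埌に", "毎回のコミット埌に") already use that plainer form, so aligning this one keeps the three examples parallel.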
@@ -1345,11 +1319,7 @@ export function createConnection(serverUrl, roomId) { #### 䟝存配列を枡さない {/*passing-no-dependency-array-at-all*/} -<<<<<<< HEAD -䟝存配列自䜓をたったく枡さない堎合、コンポヌネントの**毎回のレンダヌ再レンダヌ埌に**゚フェクトが実行されたす。 -======= -If you pass no dependency array at all, your Effect runs **after every single commit** of your component. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +䟝存配列自䜓をたったく枡さない堎合、コンポヌネントの**毎回のコミット埌に**゚フェクトが実行されたす。 ```js {3} useEffect(() => { @@ -1510,11 +1480,7 @@ body { ### オブゞェクト型の䞍芁な䟝存倀を削陀する {/*removing-unnecessary-object-dependencies*/} -<<<<<<< HEAD -゚フェクトがレンダヌ䞭に䜜成されたオブゞェクトや関数に䟝存しおいる堎合、必芁以䞊に゚フェクトが実行されおしたうこずがありたす。たずえば、この゚フェクトは `options` オブゞェクトが[レンダヌごずに異なる](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)ため、毎回のレンダヌ埌に再接続を行っおしたいたす -======= -If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every commit because the `options` object is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +゚フェクトがレンダヌ䞭に䜜成されたオブゞェクトや関数に䟝存しおいる堎合、必芁以䞊に゚フェクトが実行されおしたうこずがありたす。たずえば、この゚フェクトは `options` オブゞェクトが[レンダヌごずに異なる](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)ため、毎回のコミット埌に再接続を行っおしたいたす。 ```js {6-9,12,15} const serverUrl = 'https://localhost:1234'; 
@@ -1617,11 +1583,7 @@ button { margin-left: 10px; } ### 関数型の䞍芁な䟝存倀を削陀する {/*removing-unnecessary-function-dependencies*/} -<<<<<<< HEAD -゚フェクトがレンダヌ䞭に䜜成されたオブゞェクトや関数に䟝存しおいる堎合、必芁以䞊に゚フェクトが実行されおしたうこずがありたす。たずえば、この゚フェクトは `createOptions` 関数が[レンダヌごずに異なる](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)ため、毎回再接続を行っおしたいたす -======= -If your Effect depends on an object or a function created during rendering, it might run too often. For example, this Effect re-connects after every commit because the `createOptions` function is [different for every render:](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally) ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +゚フェクトがレンダヌ䞭に䜜成されたオブゞェクトや関数に䟝存しおいる堎合、必芁以䞊に゚フェクトが実行されおしたうこずがありたす。たずえば、この゚フェクトは `createOptions` 関数が[レンダヌごずに異なる](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)ため、毎回のコミット埌に再接続を行っおしたいたす。 ```js {4-9,12,16} function ChatRoom({ roomId }) { @@ -1643,11 +1605,7 @@ function ChatRoom({ roomId }) { // ... ``` -<<<<<<< HEAD -再レンダヌのたびに新しい関数を䜜成するこず、それ自䜓には問題はなく、最適化しようずする必芁はありたせん。ただし、゚フェクトの䟝存倀ずしおそれを䜿甚する堎合、毎回のレンダヌ埌に゚フェクトが再実行されおしたうこずになりたす。 -======= -By itself, creating a function from scratch on every re-render is not a problem. You don't need to optimize that. However, if you use it as a dependency of your Effect, it will cause your Effect to re-run after every commit. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +再レンダヌのたびに新しい関数を䜜成するこず、それ自䜓には問題はなく、最適化しようずする必芁はありたせん。ただし、゚フェクトの䟝存倀ずしおそれを䜿甚する堎合、毎回のコミット埌に゚フェクトが再実行されおしたうこずになりたす。 レンダヌ䞭に䜜成された関数を䟝存倀ずしお䜿甚するこずは避けおください。代わりに、゚フェクトの内郚で宣蚀するようにしたす。 diff --git a/src/content/reference/react/useLayoutEffect.md b/src/content/reference/react/useLayoutEffect.md index 1a3e1888b..813a26abf 100644 --- a/src/content/reference/react/useLayoutEffect.md +++ b/src/content/reference/react/useLayoutEffect.md 
@@ -47,15 +47,9 @@ function Tooltip() { #### 匕数 {/*parameters*/} -<<<<<<< HEAD -* `setup`: ゚フェクトのロゞックが蚘述された関数です。このセットアップ関数は、オプションで*クリヌンアップ*関数を返すこずができたす。コンポヌネントが初めお DOM に远加されるず、React はセットアップ関数を実行したす。䟝存配列 (dependencies) が倉曎された再レンダヌ時には、React はたず叀い倀を䜿っおクリヌンアップ関数あればを実行し、次に新しい倀を䜿っおセットアップ関数を実行したす。コンポヌネントが DOM から削陀された埌、React はクリヌンアップ関数を最埌にもう䞀床実行したす。 +* `setup`: ゚フェクトのロゞックが蚘述された関数です。このセットアップ関数は、オプションで*クリヌンアップ*関数を返すこずができたす。[コンポヌネントがコミットされる](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom)前に、React はセットアップ関数を実行したす。䟝存配列 (dependencies) が倉曎された次のコミット時には、React はたず叀い倀を䜿っおクリヌンアップ関数あればを実行し、次に新しい倀を䜿っおセットアップ関数を実行したす。コンポヌネントが DOM から削陀される前に、React はクリヌンアップ関数を実行したす。 -* **省略可胜** `dependencies`: `setup` コヌド内で参照されるすべおのリアクティブな倀のリストです。リアクティブな倀には、props、state、コンポヌネント本䜓に盎接宣蚀されたすべおの倉数および関数が含たれたす。リンタが [React 甚に蚭定されおいる堎合](/learn/editor-setup#linting)、すべおのリアクティブな倀が䟝存倀ずしお正しく指定されおいるか確認できたす。䟝存倀のリストは芁玠数が䞀定である必芁があり、`[dep1, dep2, dep3]` のようにむンラむンで蚘述する必芁がありたす。React は、[`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) を䜿った比范で、それぞれの䟝存倀を以前の倀ず比范したす。この匕数を省略するず、゚フェクトはコンポヌネントの毎回のレンダヌ埌に再実行されたす。 -======= -* `setup`: The function with your Effect's logic. Your setup function may also optionally return a *cleanup* function. Before your [component commits](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom), React will run your setup function. After every commit with changed dependencies, React will first run the cleanup function (if you provided it) with the old values, and then run your setup function with the new values. Before your component is removed from the DOM, React will run your cleanup function. - -* **optional** `dependencies`: The list of all reactive values referenced inside of the `setup` code. Reactive values include props, state, and all the variables and functions declared directly inside your component body. 
If your linter is [configured for React](/learn/editor-setup#linting), it will verify that every reactive value is correctly specified as a dependency. The list of dependencies must have a constant number of items and be written inline like `[dep1, dep2, dep3]`. React will compare each dependency with its previous value using the [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) comparison. If you omit this argument, your Effect will re-run after every commit of the component. ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc +* **省略可胜** `dependencies`: `setup` コヌド内で参照されるすべおのリアクティブな倀のリストです。リアクティブな倀には、props、state、コンポヌネント本䜓に盎接宣蚀されたすべおの倉数および関数が含たれたす。リンタが [React 甚に蚭定されおいる堎合](/learn/editor-setup#linting)、すべおのリアクティブな倀が䟝存倀ずしお正しく指定されおいるか確認できたす。䟝存倀のリストは芁玠数が䞀定である必芁があり、`[dep1, dep2, dep3]` のようにむンラむンで蚘述する必芁がありたす。React は、[`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is) を䜿った比范で、それぞれの䟝存倀を以前の倀ず比范したす。この匕数を省略するず、゚フェクトはコンポヌネントの毎回のコミット埌に再実行されたす。 #### 返り倀 {/*returns*/} diff --git a/src/sidebarBlog.json b/src/sidebarBlog.json index 41776d4f1..029e9bde6 100644 --- a/src/sidebarBlog.json +++ b/src/sidebarBlog.json @@ -12,10 +12,6 @@ "skipBreadcrumb": true, "routes": [ { -<<<<<<< HEAD - "title": "React Server Components における重倧なセキュリティ脆匱性", - "titleForHomepage": "React Server Components の脆匱性", -======= "title": "Denial of Service and Source Code Exposure in React Server Components", "titleForHomepage": "Additional Vulnerabilities in RSC", "icon": "blog", 
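Review bot: In the useEffect.md hunk at `@@ -1163` (䟝存配列を枡す), the new sentence "最初のコミット埌*および*䟝存配列が倉わった埌の再コミット埌に実行されたす" stacks 埌 twice and coins "再コミット", a term no other hunk in this patch uses; the `@@ -112` hunk renders the same idea as "䟝存倀が倉曎された䞊でコンポヌネントがコミットされる床に". Suggest aligning the two, e.g. "最初のコミット埌*および*䟝存配列が倉わったコミットの埌に実行されたす。", which also matches the upstream "after the initial commit _and_ after commits with changed dependencies".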
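Review bot: In the useEffect.md hunk at `@@ -1510` (オブゞェクト型の䞍芁な䟝存倀を削陀する), the replaced sentence ends with "。" although it introduces the `options` code block that follows; the removed line ended with "" and the upstream English ends with ":". Suggest keeping "毎回のコミット埌に再接続を行っおしたいたす" so the sentence still reads as the lead-in to the example.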
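Review bot: Same punctuation point in the useEffect.md hunk at `@@ -1617` (関数型の䞍芁な䟝存倀を削陀する): "毎回のコミット埌に再接続を行っおしたいたす。" replaces a line that ended with "" and introduces the `createOptions` code block directly below, so the colon should stay. The wording change itself (毎回 → 毎回のコミット埌に) is fine and matches the `@@ -1510` hunk.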
@@ -23,9 +19,8 @@ "path": "/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components" }, { - "title": "Critical Security Vulnerability in React Server Components", - "titleForHomepage": "Vulnerability in React Server Components", ->>>>>>> 2da4f7fbd90ddc09835c9f85d61fd5644a271abc + "title": "React Server Components における重倧なセキュリティ脆匱性", + "titleForHomepage": "React Server Components の脆匱性", "icon": "blog", "date": "December 3, 2025", "path": "/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" From 603d790503e02942a763b3e4f20af68bb7e4887c Mon Sep 17 00:00:00 2001 From: Soichiro Miki Date: Mon, 15 Dec 2025 15:24:46 +0900 Subject: [PATCH 10/10] Translate additional vulnerability blog article --- ...ode-exposure-in-react-server-components.md | 122 +++++++++--------- src/content/blog/index.md | 4 +- src/sidebarBlog.json | 4 +- 3 files changed, 65 insertions(+), 65 deletions(-) diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index 119317edc..a23f67a8d 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -1,8 +1,8 @@ --- -title: "Denial of Service and Source Code Exposure in React Server Components" +title: "React Server Components におけるサヌビス拒吊攻撃ず゜ヌスコヌド露出" author: The React Team date: 2025/12/11 -description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183) +description: セキュリティ研究者が先週の重倧な脆匱性に察するパッチを怜蚌する過皋で、React Server Components における 2 ぀の脆匱性を远加で発芋し、開瀺したした。高深刻床のサヌビス拒吊攻撃 (CVE-2025-55184) ず、䞭皋床の深刻床の゜ヌスコヌド露出 (CVE-2025-55183) です。 --- 
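Review bot: The description renders "while attempting to exploit the patches in last week's critical vulnerability" as "パッチを怜蚌する過皋で", while the body of the post (next hunk) renders the identical English sentence as "パッチをテストする過皋で" and the blog index excerpt uses 怜蚌 again. Beyond the inconsistency, 怜蚌/テスト is weaker than the source: the English says the researchers were trying to break the fix, which is exactly the point the post makes later ("初期の修正をバむパスする方法がないかテストし"). Suggest one rendering in all three places, e.g. "パッチの回避を詊みる過皋で".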
@@ -13,116 +13,116 @@ December 11, 2025 by [The React Team](/community/team) -Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. +セキュリティ研究者が先週の重倧な脆匱性に察するパッチをテストする過皋で、React Server Components における 2 ぀の脆匱性を远加で発芋し、開瀺したした。 -**These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit. +**これらの新しい脆匱性はリモヌトコヌド実行を蚱すものではありたせん**。React2Shell に察するパッチはリモヌトコヌド実行の悪甚を防止するために匕き続き有効です。 --- -The new vulnerabilities are disclosed as: +新しい脆匱性は以䞋のように公開されおいたす。 - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) -We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. +新たに開瀺された脆匱性の深刻さを鑑み、盎ちにアップグレヌドするこずを掚奚したす。 -#### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/} +#### 以前に公開されたパッチには脆匱性がありたす {/*the-patches-published-earlier-are-vulnerable*/} -If you already updated for the Critical Security Vulnerability last week, you will need to update again. +先週の重倧なセキュリティ脆匱性の察応のため既にアップデヌトを行っおいる堎合でも、再床アップデヌトが必芁です。 -If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again. +19.0.2、19.1.3、および 19.2.2 にアップデヌト枈みの堎合でも、[これらは䞍完党](#additional-fix-published)であり、再床アップデヌトする必芁がありたす。 -Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. 
+アップグレヌド手順に぀いおは、[前回蚘事のガむド](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions)を参照しおください。 -Further details of these vulnerabilities will be provided after the rollout of the fixes are complete. +これらの脆匱性の詳现に぀いおは、修正のロヌルアりトが完了した埌に提䟛される予定です。 -## Immediate Action Required {/*immediate-action-required*/} +## 盎ちに察応を {/*immediate-action-required*/} -These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). +これらの脆匱性は、[CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) ず同じパッケヌゞおよびバヌゞョンに存圚したす。 -This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: +以䞋のパッケヌゞのバヌゞョン 19.0.0、19.0.1、19.0.2、19.1.0、19.1.1、19.1.2、19.1.2、19.2.0、19.2.1、および 19.2.2 が該圓したす。 * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) -Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately. +修正はバヌゞョン 19.0.3、19.1.4、および 19.2.3 にバックポヌトされおいたす。䞊蚘のパッケヌゞを䜿甚しおいる堎合は、盎ちに修正枈みバヌゞョンのいずれかにアップグレヌドしおください。 -As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. +以前ず同様、アプリの React コヌドがサヌバを䜿甚しおいない堎合、アプリはこれらの脆匱性の圱響を受けたせん。アプリが React Server Components をサポヌトするフレヌムワヌク、バンドラ、たたはバンドラプラグむンを䜿甚しおいない堎合、アプリはこれらの脆匱性の圱響を受けたせん。 -#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. 
{/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} +#### 重倧な CVE の埌に別の脆匱性報告が続くこずはよくありたす {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} -When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. +重倧な脆匱性が開瀺されるず、研究者は隣接するコヌドパスを粟査し、初期の修正をバむパスする方法がないかテストし、類䌌の悪甚手段を芋぀けようずしたす。 -This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. +これは JavaScript だけでなく、業界党䜓で芋られるパタヌンです。たずえば [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228) の埌にも、コミュニティがオリゞナルの修正を怜蚌する䞭で远加の CVE ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) が報告されたした。 -Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. +開瀺が続くずフラストレヌションを感じるかもしれたせんが、䞀般的には健党な察応サむクルの兆候です。 -### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/} +### 圱響を受けるフレヌムワヌクずバンドラ {/*affected-frameworks-and-bundlers*/} -Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). 
+䞀郚の React フレヌムワヌクやバンドラが、脆匱性のある React パッケヌゞに䟝存しおいるか、peer dependency ずしお䟝存しおいるか、あるいはそれらを含んでいたした。圱響を受ける React フレヌムワヌクやバンドラは以䞋の通りです[next](https://www.npmjs.com/package/next)、[react-router](https://www.npmjs.com/package/react-router)、[waku](https://www.npmjs.com/package/waku)、[@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc)、[@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc)、[rwsdk](https://www.npmjs.com/package/rwsdk) -Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. +アップグレヌド方法に぀いお、[前回の蚘事の手順](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions)を参照しおください。 -### Hosting Provider Mitigations {/*hosting-provider-mitigations*/} +### ホスティングプロバむダによる緩和策 {/*hosting-provider-mitigations*/} -As before, we have worked with a number of hosting providers to apply temporary mitigations. +以前ず同様、我々は倚くのホスティングプロバむダず協力し、䞀時的な緩和策 (mitigation) を適甚しおいたす。 -You should not depend on these to secure your app, and still update immediately. +ただしアプリの保護のためにこれらに䟝存しないでください。匕き続き盎ちにアップデヌトを適甚するべきです。 ### React Native {/*react-native*/} -For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. +モノレポや `react-dom` を䜿甚しおいない React Native ナヌザの堎合、`react` バヌゞョンは `package.json` で固定されおいるはずですので、远加の手順は必芁ありたせん。 -If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed: +モノレポで React Native を䜿甚しおいる堎合は、以䞋のパッケヌゞがむンストヌルされおいる堎合に*それらのみ*を曎新しおください。 - `react-server-dom-webpack` - `react-server-dom-parcel` - `react-server-dom-turbopack` -This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. 
+これはセキュリティ䞊の問題を緩和するために必芁ですが、`react` および `react-dom` を曎新する必芁はなく、そのため React Native でのバヌゞョン䞍䞀臎゚ラヌが発生するこずはありたせん。 -See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information. +詳现に぀いおは[この issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) を参照しおください。 -## High Severity: Denial of Service {/*high-severity-denial-of-service*/} +## 高深刻床サヌビス拒吊攻撃 {/*high-severity-denial-of-service*/} -**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) -**Base Score:** 7.5 (High) +**CVE**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) および [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) +**Base Score**: 7.5 (High) -Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. +セキュリティ研究者は、悪意のある HTTP リク゚ストを䜜成しお任意のサヌバ関数 (Server Function) ゚ンドポむントに察しお送信するこずで、React がそれをデシリアラむズする際に、サヌバプロセスをハングさせお CPU を消費する無限ルヌプを匕き起こすこずができるこずを発芋したした。アプリが React のサヌバ関数の゚ンドポむントを実装しおいない堎合でも、React Server Components をサポヌトしおいる堎合は脆匱性の圱響を受ける可胜性がありたす。 -This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment. +これにより、攻撃者がナヌザによる補品ぞのアクセスを䞍胜にし、サヌバ環境のパフォヌマンスに圱響を䞎えうる手段が生じたす。 -The patches published today mitigate by preventing the infinite loop. 
+本日公開されたパッチは、無限ルヌプを防ぐこずでこの問題を緩和したす。 -#### Additional fix published {/*additional-fix-published*/} +#### 远加の修正が公開されたした {/*additional-fix-published*/} -The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete. +[CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) における DoS に察凊する元の修正は䞍完党でした。 -This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe. +これにより、バヌゞョン 19.0.2、19.1.3、19.2.2 が脆匱な状態のたたでした。バヌゞョン 19.0.3、19.1.4、19.2.3 は安党です。 -We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions. +我々は远加のケヌスを修正し、脆匱なバヌゞョンに察しお [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) を提出したした。 -## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/} +## 䞭深刻床゜ヌスコヌド露出 {/*low-severity-source-code-exposure*/} -**CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) +**CVE**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) **Base Score**: 5.3 (Medium) -A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument: +セキュリティ研究者は、脆匱なサヌバ関数に送信された悪意のある HTTP リク゚ストが、安党でない方法で任意のサヌバ関数の゜ヌスコヌドを返す可胜性があるこずを発芋したした。悪甚には、明瀺的たたは暗黙的に匕数の文字列化を行い露出するサヌバ関数の存圚が必芁です。 ```javascript 'use server'; 
@@ -137,42 +137,42 @@ export async function serverFunction(name) { }} ``` -An attacker may be able to leak the following: +攻撃者は以䞋のような情報を挏掩させる可胜性がありたす。 ```txt 0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"} 1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"} ``` -The patches published today prevent stringifying the Server Function source code. +本日公開されたパッチは、サヌバ関数の゜ヌスコヌドが文字列化されるのを防ぎたす。 -#### Only secrets in source code may be exposed. {/*only-secrets-in-source-code-may-be-exposed*/} +#### 挏掩可胜性があるのは゜ヌスコヌド内の秘密情報のみ {/*only-secrets-in-source-code-may-be-exposed*/} -Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected. +゜ヌスコヌドにハヌドコヌドされた秘密情報は挏掩の可胜性がありたすが、`process.env.SECRET` などのランタむムシヌクレットは圱響を受けたせん。 -The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. +挏掩されるコヌドの範囲は、サヌバ関数内のコヌドに限定されたすが、バンドラが行うむンラむン化の皋床によっおは他の関数が含たれる可胜性がありたす。 -Always verify against production bundles. +必ず本番バンドルに察しお怜蚌を行っおください。 --- -## Timeline {/*timeline*/} -* **December 3rd**: Leak reported to Vercel and [Meta Bug Bounty](https://bugbounty.meta.com/) by [Andrew MacPherson](https://github.com/AndrewMohawk). -* **December 4th**: Initial DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by [RyotaK](https://ryotak.net). -* **December 6th**: Both issues confirmed by the React team, and the team began investigating. -* **December 7th**: Initial fixes created and the React team began verifying and planning new patch. -* **December 8th**: Affected hosting providers and open source projects notified. -* **December 10th**: Hosting provider mitigations in place and patches verified. 
-* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura. -* **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). -* **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). +## タむムラむン {/*timeline*/} +* **12 月 3 日**[Andrew MacPherson](https://github.com/AndrewMohawk) 氏が Vercel および [Meta Bug Bounty](https://bugbounty.meta.com/) に挏掩の問題を報告。 +* **12 月 4 日**[RyotaK](https://ryotak.net) 氏が [Meta Bug Bounty](https://bugbounty.meta.com/) に DoS 問題を初期報告。 +* **12 月 6 日**React チヌムが䞡方の問題を確認し、調査を開始。 +* **12 月 7 日**初期の修正が䜜成され、React チヌムが新しいパッチの怜蚌ず蚈画を開始。 +* **12 月 8 日**圱響を受けるホスティングプロバむダずオヌプン゜ヌスプロゞェクトに通知。 +* **12 月 10 日**ホスティングプロバむダの緩和策が導入、パッチの怜蚌が完了。 +* **12 月 11 日**Shinsaku Nomura 氏が [Meta Bug Bounty](https://bugbounty.meta.com/) に远加の DoS を報告。 +* **12 月 11 日**パッチが公開され、[CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) および [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) ずしお䞀般公開。 +* **12 月 11 日**䞍足しおいた DoS のケヌスが内郚で発芋され、修正が適甚され [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) ずしお䞀般公開。 --- -## Attribution {/*attribution*/} +## 謝蟞 {/*attribution*/} -Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. +゜ヌスコヌド挏掩を報告しおくださった [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) 氏、サヌビス拒吊攻撃の脆匱性を報告しおくださった GMO Flatt Security Inc の [RyotaK](https://ryotak.net) 氏および株匏䌚瀟ビットフォレストの Shinsaku Nomura 氏に感謝したす。 diff --git a/src/content/blog/index.md b/src/content/blog/index.md index e931da54a..b75c829d8 100644 
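Review bot: The affected-versions list in the "盎ちに察応を" section carries over upstream's duplicated "19.1.2、19.1.2" and omits 19.1.3, even though this same hunk names 19.1.3 as vulnerable twice ("19.0.2、19.1.3、および 19.2.2 にアップデヌト枈みの堎合でも、[これらは䞍完党]" and "バヌゞョン 19.0.2、19.1.3、19.2.2 が脆匱な状態のたた"); the second 19.1.2 is almost certainly meant to be 19.1.3. Suggest correcting it to "19.1.2、19.1.3" here and reporting the typo upstream so the two copies stay in sync. Two smaller points in the same hunk: the heading "挏掩可胜性があるのは゜ヌスコヌド内の秘密情報のみ" reads more naturally as "挏掩の可胜性があるのは゜ヌスコヌド内の秘密情報のみ", and the opening sentence's "パッチをテストする過皋で" should match whatever rendering the frontmatter description settles on (currently "怜蚌する過皋で"). The heading id `{/*low-severity-source-code-exposure*/}` under "䞭深刻床" is inherited from upstream; keep it unchanged so existing links keep resolving.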
--- a/src/content/blog/index.md +++ b/src/content/blog/index.md @@ -16,9 +16,9 @@ Bluesky の [@react.dev](https://bsky.app/profile/react.dev) や Twitter の [@r
- + -Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week's critical vulnerability... +セキュリティ研究者が先週の重倧な脆匱性に察するパッチを怜蚌する過皋で、React Server Components における 2 ぀の脆匱性を远加で発芋し、開瀺したした。 diff --git a/src/sidebarBlog.json b/src/sidebarBlog.json index 029e9bde6..74a3a2e04 100644 --- a/src/sidebarBlog.json +++ b/src/sidebarBlog.json @@ -12,8 +12,8 @@ "skipBreadcrumb": true, "routes": [ { - "title": "Denial of Service and Source Code Exposure in React Server Components", - "titleForHomepage": "Additional Vulnerabilities in RSC", + "title": "React Server Components におけるサヌビス拒吊攻撃ず゜ヌスコヌド露出", + "titleForHomepage": "RSC における远加の脆匱性", "icon": "blog", "date": "December 11, 2025", "path": "/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"