[et_pb_section fb_built=”1″ _builder_version=”4.27.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_row _builder_version=”4.27.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.27.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” text_font=”–et_global_body_font|300|||||||” text_font_size=”18px” text_line_height=”1.3em” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n
A vulnerabilidade React Server Components<\/strong>, identificada como CVE-2025-55182<\/strong>, representa uma das falhas mais severas j\u00e1 divulgadas no ecossistema React. Com pontua\u00e7\u00e3o CVSS 10.0<\/strong>, ela permite execu\u00e7\u00e3o remota de c\u00f3digo sem autentica\u00e7\u00e3o, colocando milhares de aplica\u00e7\u00f5es em risco. Neste artigo, voc\u00ea entender\u00e1 o impacto, as vers\u00f5es comprometidas e como corrigir a falha imediatamente.<\/p>\n <\/strong><\/p>\n A vulnerabilidade React Server Components est\u00e1 relacionada \u00e0 maneira como o React decodifica requisi\u00e7\u00f5es enviadas para endpoints de React Server Functions<\/strong>. Esses endpoints permitem que o cliente invoque fun\u00e7\u00f5es no servidor por meio de requisi\u00e7\u00f5es HTTP.<\/p>\n O problema surge porque um invasor pode enviar uma requisi\u00e7\u00e3o especialmente manipulada, que ao ser desserializada pelo React, resulta em execu\u00e7\u00e3o remota de c\u00f3digo no servidor<\/strong>. \u00c9 como se o atacante conseguisse entrar pela porta dos fundos e ainda usar a sua chave de administrador. Nada elegante, mas definitivamente eficiente \u2014 para ele.<\/p>\n <\/strong><\/p>\n Mesmo que sua aplica\u00e7\u00e3o n\u00e3o utilize React Server Functions<\/strong>, ela pode estar vulner\u00e1vel se oferecer suporte a React Server Components<\/strong>.<\/p>\n A falha afeta as vers\u00f5es 19.0, 19.1.0, 19.1.1 e 19.2.0<\/strong> dos seguintes pacotes:<\/p>\n react-server-dom-webpack<\/p>\n<\/li>\n react-server-dom-parcel<\/p>\n<\/li>\n react-server-dom-turbopack<\/p>\n<\/li>\n<\/ul>\n Al\u00e9m disso, v\u00e1rios frameworks dependem desses pacotes e tamb\u00e9m foram impactados:<\/p>\n Next.js<\/strong><\/p>\n<\/li>\n React Router (APIs RSC experimentais)<\/strong><\/p>\n<\/li>\n Waku<\/strong><\/p>\n<\/li>\n @parcel\/rsc<\/strong><\/p>\n<\/li>\n @vitejs\/plugin-rsc<\/strong><\/p>\n<\/li>\n Redwood SDK (rwsdk)<\/strong><\/p>\n<\/li>\n<\/ul>\n Hosting providers aplicaram mitiga\u00e7\u00f5es tempor\u00e1rias, mas elas n\u00e3o substituem a atualiza\u00e7\u00e3o obrigat\u00f3ria<\/strong>.<\/p>\n <\/strong><\/p>\n <\/strong><\/p>\n A gravidade da falha est\u00e1 no fato de que ela permite:<\/p>\n Execu\u00e7\u00e3o remota de c\u00f3digo<\/p>\n<\/li>\n Sem autentica\u00e7\u00e3o<\/p>\n<\/li>\n Pelo endpoint de Server Functions<\/p>\n<\/li>\n Com potencial de tomada completa do servidor<\/p>\n<\/li>\n<\/ul>\n Ou seja: Por isso a CVSS atingiu a pontua\u00e7\u00e3o m\u00e1xima (10.0). <\/strong><\/p>\n <\/strong><\/p>\n A equipe do React publicou vers\u00f5es corrigidas:<\/p>\n 19.0 \u2192 19.0.1<\/strong><\/p>\n<\/li>\n 19.1.0 \/ 19.1.1 \u2192 19.1.2<\/strong><\/p>\n<\/li>\n 19.2.0 \u2192 19.2.1<\/strong><\/p>\n<\/li>\n<\/ul>\n Se sua aplica\u00e7\u00e3o utiliza alguma dessas vers\u00f5es, fa\u00e7a upgrade imediato<\/strong>.<\/p>\n Atualize conforme sua branch:<\/p>\n npm install next<\/span>@15.1.9<\/span><\/p>\n npm install next<\/span>@15.2.6<\/span><\/p>\n npm install next<\/span>@15.3.6<\/span><\/p>\n npm install next<\/span>@15.4.8<\/span><\/p>\n npm install next<\/span>@15.5.7<\/span><\/p>\n npm install next<\/span>@16.0<\/span>.7<\/span><\/p>\n Se estiver em 14.3.0-canary.77 ou superior<\/strong>, fa\u00e7a downgrade:<\/p>\n <\/p>\n <\/strong><\/p>\n <\/strong><\/p>\n npm install react-dom@latest<\/span><\/p>\n npm install react-server-dom-parcel@latest<\/span><\/p>\n npm install react-server-dom-webpack@latest<\/span><\/p>\n npm install @vitejs<\/span>\/plugin-rsc@latest<\/span><\/p>\n <\/p>\n <\/p>\n <\/strong><\/p>\n npm install react@latest<\/span> react-dom@latest<\/span> react-server-dom-webpack@latest<\/span><\/p>\n<\/strong><\/h2>\n
O que \u00e9 a vulnerabilidade React Server Components?<\/strong><\/h2>\n
Tudo isso sem qualquer autentica\u00e7\u00e3o<\/strong>.<\/p>\n<\/strong><\/h2>\n
<\/strong><\/h2>\n
Aplica\u00e7\u00f5es afetadas pela vulnerabilidade React Server Components<\/strong><\/h2>\n
\n
\n
<\/strong><\/h2>\n
Impacto da vulnerabilidade React Server Components<\/strong><\/h2>\n
\n
sua aplica\u00e7\u00e3o pode ser comprometida mesmo sem o usu\u00e1rio fazer login<\/strong>.<\/p>\n
\u00c9 o equivalente a um alerta vermelho piscando com sirene.<\/p>\n<\/strong><\/h2>\n
<\/strong><\/h2>\n
Como corrigir a vulnerabilidade React Server Components<\/strong><\/h2>\n
\n
<\/strong><\/h3>\n
<\/strong><\/h3>\n
Atualiza\u00e7\u00f5es para frameworks espec\u00edficos<\/strong><\/h3>\n
Next.js (todas as vers\u00f5es)<\/strong><\/h4>\n
npm install next<\/span>@15.0<\/span>.5<\/span><\/span><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/span><\/code><\/p>\n<\/code><\/p>\n<\/div>\n<\/div>\nnpm install next<\/span>@14<\/span><\/code><\/p>\n<\/span><\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/div>\n<\/div>\n<\/strong><\/h4>\n
React Router (APIs inst\u00e1veis RSC)<\/strong><\/h4>\n
npm<\/span> install react@latest<\/span><\/span><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/code><\/p>\n<\/div>\n<\/div>\n<\/strong><\/h4>\n
Redwood SDK<\/strong><\/h4>\n
npm<\/span> install rwsdk@latest<\/span><\/span><\/code><\/p>\n<\/code><\/code><\/p>\n<\/code><\/code><\/p>\n<\/span><\/code><\/p>\n<\/code><\/p>\n<\/div>\n<\/div>\n<\/strong><\/h4>\n
Waku<\/strong><\/h4>\n