# Curated · X (Twitter) 🔥🔥🔥

> Author: Cloudflare Developers (@CloudflareDev) · Platform: X (Twitter) · Date: 2026-05-08

> Original source: https://x.com/CloudflareDev/status/2052467567588196703

## Summary

Multiple security vulnerabilities have been disclosed in React Server Components (RSC) and Next.js. The Cloudflare WAF partially mitigates the DoS risk, and users must update to the patched versions immediately.

On May 7, 2026, Cloudflare announced that the React team and Vercel had disclosed multiple security vulnerabilities affecting React Server Components and Next.js, including denial of service (DoS), middleware and proxy bypass, server-side request forgery (SSRF), cross-site scripting (XSS) and cache poisoning, with severities ranging from high to low. Cloudflare strongly recommends that users update their applications and dependencies immediately rather than relying on WAF mitigations alone.

**Update immediately**  
Cloudflare stresses that patched versions have been released: for React, `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` in patched releases `19.0.6`, `19.1.7` and `19.2.6`, and for Next.js, `15.5.16` and `16.2.5`. Because some of the vulnerabilities cannot be fully blocked by a WAF, users should not rely on the web application firewall (WAF) alone and should prioritize upgrading their applications.
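As an added example that is not part of the original post, the following Node.js script checks a project's dependency versions against the patched releases listed above. It assumes the fixes apply per release line (each `react-server-dom-*` 19.x minor line and each Next.js major line has its own floor), so a version that is numerically higher but on an older line, such as `19.1.0` against the `19.0.6` floor, is still reported as unpatched.

```javascript
// Added example (not from the Cloudflare post): report dependencies still
// below the patched versions named in the advisory. Floors are matched per
// release line (assumption), so a plain numeric "greater than" is not enough.
const PATCHED = {
  'react-server-dom-webpack':   ['19.0.6', '19.1.7', '19.2.6'],
  'react-server-dom-parcel':    ['19.0.6', '19.1.7', '19.2.6'],
  'react-server-dom-turbopack': ['19.0.6', '19.1.7', '19.2.6'],
  next:                         ['15.5.16', '16.2.5'],
};

// Parse "MAJOR.MINOR.PATCH" into numbers. A leading ^ or ~ range marker is dropped,
// so a range is judged at its lower bound; pass lockfile-resolved versions for an exact answer.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True only if the installed version sits on a release line with a listed fix and is
// at or above it. A line with no listed fix (e.g. next 14.x) is reported as unpatched.
function isPatched(pkg, installed) {
  const floors = PATCHED[pkg];
  if (!floors) return true; // package not named in the advisory
  const inst = parseVersion(installed);
  for (const floor of floors.map(parseVersion)) {
    // Next.js floors are per major line; react-server-dom-* floors are per 19.x minor line.
    const sameLine = pkg === 'next' ? floor[0] === inst[0] : floor[0] === inst[0] && floor[1] === inst[1];
    if (sameLine) return compare(inst, floor) >= 0;
  }
  return false;
}

// Audit a dependency map (package.json "dependencies" or lockfile-resolved versions).
function audit(deps) {
  return Object.entries(deps)
    .filter(([pkg, v]) => pkg in PATCHED && !isPatched(pkg, v))
    .map(([pkg, v]) => `${pkg}@${v}`);
}

// Constructed sample input, not taken from a real project.
const sampleDeps = { next: '16.2.4', 'react-server-dom-webpack': '19.1.7', react: '19.2.6' };
console.log(audit(sampleDeps)); // → [ 'next@16.2.4' ]
```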

**WAF protection status**  
The Cloudflare WAF already had rules deployed for the earlier React Server Components CVEs, and these now cover the newly disclosed DoS vulnerability. The rules are enabled by default with the "Block" action and apply to all customers, including the Free Managed Ruleset on the Free plan.  
The specific rules are:  

| Ruleset                    | Rule description                                                                                            | Rule ID                          | Default action |
| -------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------------------------- | -------------- |
| Cloudflare Managed Ruleset | React - DoS - [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) | 2694f1610c0b471393b21aef102ec699 | Block          |
| Cloudflare Managed Ruleset | React - DoS - [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg) | aaede80b4d414dc89c443cea61680354 | Block          |

These rules detect the attack pattern generically, so they also apply to the new DoS vulnerability [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) and the corresponding Next.js advisory [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj). Cloudflare is investigating additional WAF rules for three high-severity advisories: [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj), [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) and [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx). If they can be deployed safely without affecting application behavior, they will be announced via the [WAF changelog](https://developers.cloudflare.com/waf/change-log/changelog/). Because advance notice of the vulnerabilities was limited, the investigation is still ongoing. Users on the Pro, Business or Enterprise plans should make sure [Managed Rules are enabled](https://developers.cloudflare.com/waf/get-started/#1-deploy-the-cloudflare-managed-ruleset).

**Next.js adapter updates**  
**Vinext:** [Vinext](https://github.com/cloudflare/vinext) is a Vite plugin from Cloudflare that reimplements the Next.js API surface, and its latest version is not affected by any of the disclosed CVEs. Its architecture avoids the affected code paths: for example, it does not implement the PPR resume protocol, does not expose the Pages Router data-route endpoints, and strips internal headers such as `x-nextjs-data` at the request boundary. Additional hardening includes requiring React `19.2.6` or newer during `vinext init` ([PR #1118](https://github.com/cloudflare/vinext/pull/1118), [PR #1112](https://github.com/cloudflare/vinext/pull/1112)).  

**OpenNext on Cloudflare:** The OpenNext adapter is used to deploy Next.js applications to the Cloudflare Workers platform. It is not directly affected by the React DoS CVE, but users still need to update their Next.js version. The OpenNext team has hardened the adapter's defenses and released a new version of the Cloudflare adapter, and the test cases and examples have been updated to the patched versions ([PR #1255](https://github.com/opennextjs/opennextjs-cloudflare/pull/1255)).

**Summary of disclosed vulnerabilities**  
Cloudflare has compiled a list of all disclosed vulnerabilities with their severity, a description of the issue and the WAF status. For most of the high-severity vulnerabilities, a global WAF rule cannot be safely deployed without breaking application behavior. The full list is:  

| Advisory                                                                                                                                                                                           | Severity | Issue                                                           | WAF status                                                                                                                                            |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) | High     | Denial of service in Server Components                          | **WAF rules in place:** 2694f1610c0b471393b21aef102ec699, aaede80b4d414dc89c443cea61680354. Cloudflare is investigating additional managed WAF coverage |
| [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)                                                                                                 | High     | Middleware bypass via segment-prefetch routes                   | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule                                                     |
| [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx)                                                                                                 | High     | Denial of service via connection exhaustion in Cache Components | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule                                                     |
| [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv)                                                                                                 | High     | Middleware bypass via dynamic route parameter injection         | Not possible to safely enable a managed WAF rule without potentially breaking application behavior                                                    |
| [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r)                                                                                                 | High     | SSRF via WebSocket upgrades                                     | Not possible to safely enable a managed WAF rule without potentially breaking application behavior                                                    |
| [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5)                                                                                                 | High     | Middleware bypass in Pages Router i18n                          | Custom WAF rule possible; global managed rule could potentially break application behavior                                                            |
| [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q)                                                                                                 | Moderate | XSS via CSP nonces                                              | Custom WAF rule possible; global managed rule could potentially break application behavior                                                            |
| [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h)                                                                                                 | Moderate | XSS in beforeInteractive scripts                                | Not possible to safely enable a managed WAF rule without potentially breaking application behavior                                                    |
| [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh)                                                                                                 | Moderate | Denial of service in Image Optimization API                     | Custom WAF rule possible; global managed rule could potentially break application behavior                                                            |
| [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7)                                                                                                 | Moderate | Cache poisoning in RSC responses                                | Custom WAF rule possible; global managed rule could potentially break application behavior                                                            |
| [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949)                                                                                                 | Low      | Cache poisoning via RSC cache-busting collisions                | Not possible to safely enable a managed WAF rule without potentially breaking application behavior                                                    |
| [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq)                                                                                                 | Low      | Middleware redirect cache poisoning                             | Custom WAF rule possible; global managed rule could potentially break application behavior                                                            |

**Impact on technology trends**  
This incident highlights potential weaknesses in the server-side rendering and caching mechanisms of React Server Components and Next.js, particularly the high-severity DoS and bypass issues, which could lead to service disruption or data exposure. Cloudflare's rapid response, including the generic coverage of its existing WAF rules and the adapter updates, shows the advantage an edge platform has in mitigating framework vulnerabilities, but it also reminds developers that the WAF is only a supplementary layer and core protection still depends on framework patches. As Server Components become more widespread, CVEs of this kind may become more frequent, so users should monitor the [Cloudflare Developers Changelog](https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/) and the related GitHub security advisories to keep their applications secure. Free-plan users benefit from the default rules, while paid-plan users must actively verify the status of Managed Rules to avoid being left exposed.

## Tags

Framework updates, Security, Web, Next, React, Next.js, Cloudflare
