文件

hao 080e55a98c 更新: 2531 个文件 - 2026-03-17 21:00:03

2026-03-17 21:00:04 -07:00

7.8 KiB

原始文件 Blame 文件历史

title, system_id, category, advisory_mode, published_date, updated_date, severity, exploit_status, source_confidence, verification_status, verification_mode, artifact_mode, last_run_id, target_types, allow_public_validation, authorization_prerequisite, minimal_validation, aliases, affected_versions, fixed_versions, secure_code_topics, primary_source

title

system_id

category

advisory_mode

published_date

updated_date

severity

exploit_status

source_confidence

verification_status

verification_mode

artifact_mode

last_run_id

target_types

allow_public_validation

authorization_prerequisite

minimal_validation

aliases

affected_versions

fixed_versions

secure_code_topics

primary_source

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

nextjs

frameworks

core

2026-01-28T15:38:01Z

2026-02-13T00:43:52.836085Z

low

unknown

official

verified-real

real

local-fixture

nextjs-nextjs--GHSA-h25m-26qc-wcjf-20260318035837

lab-local

lab-public

authorized-third-party

yes, with ownership or explicit authorization

asset ownership proof or explicit written authorization

read-only probe, controlled payload, reversible test

GHSA-h25m-26qc-wcjf

introduced=13.0.0, fixed<15.0.8

introduced=15.1.1-canary.0, fixed<15.1.12

introduced=15.2.0-canary.0, fixed<15.2.9

introduced=15.3.0-canary.0, fixed<15.3.9

introduced=15.4.0-canary.0, fixed<15.4.11

introduced=15.5.1-canary.0, fixed<15.5.10

introduced=15.6.0-canary.0, fixed<15.6.0-canary.61

introduced=16.0.0-beta.0, fixed<16.0.11

introduced=16.1.0-canary.0, fixed<16.1.5

15.0.8
15.1.12
15.2.9
15.3.9
15.4.11
15.5.10
15.6.0-canary.61
16.0.11
16.1.5

authz-server-side-recheck

proxy-trust-boundary

token-cookie-storage

dependency-upgrade-policy

deserialization-safety

https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

本地实证状态

实证状态: verified-real
实证方式: real
Artifact 模式: local-fixture
最近运行: nextjs-nextjs--GHSA-h25m-26qc-wcjf-20260318035837
浏览器证据: missing
Run Bundle: /Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-h25m-26qc-wcjf-20260318035837

事件层

Canonical ID: nextjs--GHSA-h25m-26qc-wcjf
系统: nextjs
严重度: low
来源置信度: official
官方主源: https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
影响版本: introduced=13.0.0, fixed<15.0.8, introduced=15.1.1-canary.0, fixed<15.1.12, introduced=15.2.0-canary.0, fixed<15.2.9, introduced=15.3.0-canary.0, fixed<15.3.9, introduced=15.4.0-canary.0, fixed<15.4.11, introduced=15.5.1-canary.0, fixed<15.5.10, introduced=15.6.0-canary.0, fixed<15.6.0-canary.61, introduced=16.0.0-beta.0, fixed<16.0.11, introduced=16.1.0-canary.0, fixed<16.1.5
修复版本: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5

其他来源

实验层

仅用于自有资产、测试环境或已明确授权目标。
允许公网可达目标，但必须满足资产归属或明确授权前提。
最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作

7.8 KiB 原始文件 Blame 文件历史

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

本地实证状态

事件层

其他来源

实验层

修复示例

7.8 KiB

原始文件 Blame 文件历史