<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PSA | OKHK 👀</title><description>个人数字泔水\(⁠◔⁠‿⁠◔⁠)✨ Thinking...</description><link>http://tg.okhk.net</link><item><title>#PSA: 一些新的 React DoS/源码泄露漏洞；请尽快更新</title><link>http://tg.okhk.net/posts/8006</link><guid isPermaLink="true">http://tg.okhk.net/posts/8006</guid><pubDate>Fri, 12 Dec 2025 04:37:10 GMT</pubDate><content:encoded>&lt;div class=&quot;tgme_widget_message_forwarded_from accent_color&quot;&gt;Forwarded from &lt;a class=&quot;tgme_widget_message_forwarded_from_name&quot; href=&quot;https://t.me/outvivid/4795&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;&lt;span&gt;层叠 - The Cascading&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href=&quot;/search/result?q=%23PSA&quot; title=&quot;#PSA&quot;&gt;#PSA&lt;/a&gt;: 一些&lt;b&gt;新的&lt;/b&gt; React DoS/源码泄露漏洞；请尽快更新。&lt;br /&gt;&lt;br /&gt;- 如果上周已经就之前的 RCE 漏洞对 React 等组件进行了更新，本周依旧&lt;b&gt;需要&lt;/b&gt;继续更新。&lt;br /&gt;- 如果就此漏洞更新到了 React 19.0.2/19.1.3/19.2.2，也依旧&lt;b&gt;需要&lt;/b&gt;继续更新，因为这些版本的修复不完整。&lt;br /&gt;- 请参考 [2] 了解需要更新到的版本。&lt;br /&gt;- React Server Side Components 相关；拒绝式服务攻击，以及服务端（服务端！）组件源码泄露。&lt;br /&gt;- Next.js 13.3 至 14（含 13.3 及 14.x）也受此漏洞影响。&lt;br /&gt;- react-router、waku 和几个其它 RSC 组件也受此漏洞影响。&lt;br /&gt;&lt;br /&gt;CVE: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183&lt;br /&gt;CVSS: 最高者为 7.5&lt;br /&gt;&lt;br /&gt;1. &lt;a href=&quot;https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;react.dev/~&quot;&gt;react.dev/~&lt;/a&gt;&lt;br /&gt;2. &lt;a href=&quot;https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;react.dev/~&quot;&gt;react.dev/~&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;thread: &lt;a href=&quot;https://t.me/outvivid/4791&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;/4791&quot;&gt;/4791&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;/search/result?q=%23React&quot; title=&quot;#React&quot;&gt;#React&lt;/a&gt; &lt;a href=&quot;/search/result?q=%23Nextjs&quot; title=&quot;#Nextjs&quot;&gt;#Nextjs&lt;/a&gt;&lt;a class=&quot;tgme_widget_message_link_preview&quot; href=&quot;https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;The library for web and native user interfaces&quot;&gt;
  
  &lt;div class=&quot;link_preview_site_name accent_color&quot;&gt;react.dev&lt;/div&gt;
  &lt;img class=&quot;link_preview_image&quot; alt=&quot;Critical Security Vulnerability in React Server Components – React&quot; src=&quot;/static/https://cdn4.telesco.pe/file/n8z-FlPHD9bvdsECndrQxLcRBo1LpNF2v6SWcCo88N5BkSbXt_bqKE5hbkb3dFxxk9imVWI_jsmmO_5guvvjdYS6BAeIiOHY6xp6MfsT4RFecW0wEyV7ATkUY-fIfxkn9MYrV93Y0dzNPVBApdYvyJjdsZFMGwg-DBTR6qKQSIBYSM_EAxY7uc6--h0HaETeIFBD_-tEdoCSuI905LFkkKsxNOBPd0r3yii--cOuEHVVO6haptsmv_5ccRrsfPnd1fWL0kfE9rsgsnHubf7XmvP8IP5oL0IlMhgvOYwU4q9CIhqfX9MHzlPABjsPUTPZCiapfzRJK5iv_emKF06AlA.jpg&quot; width=&quot;1200&quot; height=&quot;630&quot; loading=&quot;eager&quot; /&gt;
  &lt;div class=&quot;link_preview_title&quot;&gt;Critical Security Vulnerability in React Server Components – React&lt;/div&gt;
  &lt;div class=&quot;link_preview_description&quot;&gt;The library for web and native user interfaces&lt;/div&gt;
&lt;/a&gt;</content:encoded></item><item><title>#PSA: React RSC 的 RCE 漏洞，影响 Next.js 等，受影响用户请立即更新</title><link>http://tg.okhk.net/posts/7914</link><guid isPermaLink="true">http://tg.okhk.net/posts/7914</guid><pubDate>Wed, 03 Dec 2025 18:25:27 GMT</pubDate><content:encoded>&lt;div class=&quot;tgme_widget_message_forwarded_from accent_color&quot;&gt;Forwarded from &lt;a class=&quot;tgme_widget_message_forwarded_from_name&quot; href=&quot;https://t.me/outvivid/4791&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;&lt;span&gt;层叠 - The Cascading&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href=&quot;/search/result?q=%23PSA&quot; title=&quot;#PSA&quot;&gt;#PSA&lt;/a&gt;: React RSC 的 RCE 漏洞，影响 Next.js 等，受影响用户请立即更新。&lt;br /&gt;&lt;br /&gt;- 受影响版本包括 React 19.0/19.1.0/19.1.1/19.2.0 及 Next.js 15-16（以及个别 14 canary 版本）。 [1][2]&lt;br /&gt;- 受影响用户请更新至 React 19.0.1/19.1.2/19.2.1 及 Next.js 15.0.5/15.1.9/15.2.6/15.3.6/15.4.8/15.5.7/16.0.7。&lt;br /&gt;- React Server DOM 的反序列化逻辑存在问题，可能导致远程代码执行 (RCE) 漏洞。&lt;br /&gt;- Cloudflare WAF 已部署修复并默认启用。 [3]&lt;br /&gt;- 应用程序如果只在客户端使用 React 而不涉及服务端 React，则不受影响。&lt;br /&gt;- react-router 或 waku 等库的用户可能也会受到影响。用户可以检查应用程序是否使用了 react-server-dom-{webpack,parcel,turbopack} 包。&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CVE: CVE-2025-55182 (React), CVE-2025-66478 (Next.js)&lt;br /&gt;CVSS: 10.0/10 (Critical)&lt;br /&gt;&lt;br /&gt;1. &lt;a href=&quot;https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;react.dev/~&quot;&gt;react.dev/~&lt;/a&gt;&lt;br /&gt;2. &lt;a href=&quot;https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;GHSA-9qr9-h5gf-34mp&quot;&gt;GHSA-9qr9-h5gf-34mp&lt;/a&gt;&lt;br /&gt;3. &lt;a href=&quot;https://blog.cloudflare.com/waf-rules-react-vulnerability/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;blog.cloudflare.com/~&quot;&gt;blog.cloudflare.com/~&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;/search/result?q=%23React&quot; title=&quot;#React&quot;&gt;#React&lt;/a&gt; &lt;a href=&quot;/search/result?q=%23Nextjs&quot; title=&quot;#Nextjs&quot;&gt;#Nextjs&lt;/a&gt;&lt;a class=&quot;tgme_widget_message_link_preview&quot; href=&quot;https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;The library for web and native user interfaces&quot;&gt;
  
  &lt;div class=&quot;link_preview_site_name accent_color&quot;&gt;react.dev&lt;/div&gt;
  &lt;img class=&quot;link_preview_image&quot; alt=&quot;Critical Security Vulnerability in React Server Components – React&quot; src=&quot;/static/https://cdn4.telesco.pe/file/OIaw4lr25r9MZVn14t63S2cjhQjob2x28pphHHKBXvwq0d9aTR4Iog_ciyt-auaaNlYXmMslUQ6N5AIz8Edas21YJRH66wcIeQwH0waVrBaNe8QSxW4jRuuL81lY5Q0kmc8RcFjNw2C3oS8SbelBFWeVVn2sJJDe0rJjfD_FIngMItVRX0lFjJDkVinIwtSNM5M5g9NptmM9CrNWS4Uni5QhOMt8GBDokACYgNtZH4J_LheCLtAzHOvOz6r2OTNAGkBOtnxK0PoZqc6mHHh-6QftbfQTZStS1vgXsWgVDDQpImfFpeafHjeRyWVaTGnxA8nVflkrdWt_GSekruYVsQ.jpg&quot; width=&quot;1200&quot; height=&quot;630&quot; loading=&quot;eager&quot; /&gt;
  &lt;div class=&quot;link_preview_title&quot;&gt;Critical Security Vulnerability in React Server Components – React&lt;/div&gt;
  &lt;div class=&quot;link_preview_description&quot;&gt;The library for web and native user interfaces&lt;/div&gt;
&lt;/a&gt;</content:encoded></item><item><title>#PSA: debug、chalk 等 npm 包被骇：请检查受影响版本是否被使用</title><link>http://tg.okhk.net/posts/6829</link><guid isPermaLink="true">http://tg.okhk.net/posts/6829</guid><pubDate>Tue, 09 Sep 2025 07:29:49 GMT</pubDate><content:encoded>&lt;div class=&quot;tgme_widget_message_forwarded_from accent_color&quot;&gt;Forwarded from &lt;a class=&quot;tgme_widget_message_forwarded_from_name&quot; href=&quot;https://t.me/outvivid/4750&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;&lt;span&gt;层叠 - The Cascading&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href=&quot;/search/result?q=%23PSA&quot; title=&quot;#PSA&quot;&gt;#PSA&lt;/a&gt;: debug、chalk 等 npm 包被骇：请检查受影响版本是否被使用。&lt;br /&gt;&lt;br /&gt;- Qix- 是终端字符处理方面一些著名 npm 包的开发者，维护包括 ansi-styles、debug、chalk 等包。其中许多包每周下载量上亿次。&lt;br /&gt;- 开发者被 2FA 恢复验证邮件钓鱼，使得骇客得以访问开发者的 npm 账号。&lt;br /&gt;- 目前有 18 个包确认被注入恶意代码；截至现时，已知被注入恶意代码的版本均被移除。原文列出了这些包的列表。&lt;br /&gt;- （ChatGPT 称）恶意代码的主要行为是替换 HTTP 等请求中的数字货币账户地址，使用户的付款等操作的接收者变为骇客提供的地址。&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://github.com/debug-js/debug/issues/1005#issuecomment-3266868187&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;gh:debug-js/debug#1005&quot;&gt;gh:debug-js/debug#1005&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;seealso: &lt;a href=&quot;https://news.ycombinator.com/item?id=45169657&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;HackerNews:45169657&quot;&gt;HackerNews:45169657&lt;/a&gt;&lt;br /&gt;linksrc: &lt;a href=&quot;https://t.me/bupt_moe/2516&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;https://t.me/bupt_moe/2516&quot;&gt;https://t.me/bupt_moe/2516&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;/search/result?q=%23npm&quot; title=&quot;#npm&quot;&gt;#npm&lt;/a&gt; &lt;a href=&quot;/search/result?q=%23security&quot; title=&quot;#security&quot;&gt;#security&lt;/a&gt;&lt;a class=&quot;tgme_widget_message_link_preview&quot; href=&quot;https://github.com/debug-js/debug/issues/1005&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES. Version not present in this repo has been pushed out to npm. https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code src/index...&quot;&gt;
  
  &lt;div class=&quot;link_preview_site_name accent_color&quot;&gt;GitHub&lt;/div&gt;
  
  &lt;div class=&quot;link_preview_title&quot;&gt;(RESOLVED) Version 4.4.2 published to npm is compromised · Issue #1005 · debug-js/debug&lt;/div&gt;
  &lt;div class=&quot;link_preview_description&quot;&gt;MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES. Version not present in this repo has been pushed out to npm. https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code src/index...&lt;/div&gt;
&lt;/a&gt;</content:encoded></item><item><title>#PSA: sudo 本地权限提升漏洞</title><link>http://tg.okhk.net/posts/6082</link><guid isPermaLink="true">http://tg.okhk.net/posts/6082</guid><pubDate>Wed, 02 Jul 2025 13:28:54 GMT</pubDate><content:encoded>&lt;div class=&quot;tgme_widget_message_forwarded_from accent_color&quot;&gt;Forwarded from &lt;a class=&quot;tgme_widget_message_forwarded_from_name&quot; href=&quot;https://t.me/outvivid/4728&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;&lt;span&gt;层叠 - The Cascading&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href=&quot;/search/result?q=%23PSA&quot; title=&quot;#PSA&quot;&gt;#PSA&lt;/a&gt;: sudo 本地权限提升漏洞。&lt;br /&gt;&lt;br /&gt;请升级至 1.9.17p1 版本；1.9.14 （不含）之前版本不受影响。&lt;br /&gt;&lt;br /&gt;Affected: [1.9.14, 1.9.17]&lt;br /&gt;Fixed-On: 1.9.17p1&lt;br /&gt;CVE: CVE-2025-32463&lt;br /&gt;CVSS: 9.3 (NIST) / 7.8 (SUSE)&lt;br /&gt;&lt;br /&gt;- &lt;a href=&quot;https://www.sudo.ws/security/advisories/chroot_bug/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;https://www.sudo.ws/security/advisories/chroot_bug/&quot;&gt;https://www.sudo.ws/security/advisories/chroot_bug/&lt;/a&gt;&lt;br /&gt;- &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2025-32463&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; title=&quot;https://nvd.nist.gov/vuln/detail/CVE-2025-32463&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2025-32463&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;/search/result?q=%23CVE&quot; title=&quot;#CVE&quot;&gt;#CVE&lt;/a&gt; &lt;a href=&quot;/search/result?q=%23sudo&quot; title=&quot;#sudo&quot;&gt;#sudo&lt;/a&gt;</content:encoded></item></channel></rss>