惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Latest
Security Latest
Recorded Future
Recorded Future
人人都是产品经理
人人都是产品经理
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Tor Project blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
T
Threatpost
T
Tenable Blog
有赞技术团队
有赞技术团队
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
C
Cisco Blogs
H
Heimdal Security Blog
Attack and Defense Labs
Attack and Defense Labs
A
About on SuperTechFans
Last Week in AI
Last Week in AI
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
I
Intezer
V
V2EX
Cyberwarzone
Cyberwarzone
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
T
The Blog of Author Tim Ferriss
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
PCI Perspectives
PCI Perspectives
P
Privacy International News Feed
D
Docker

Netlify Changelog

Gemini 3.5 Flash now available in Agent Runners 4 Nuxt CVEs: what Netlify users need to know Gemini 3.5 Flash now available in AI Gateway Agent Runners workflow improvements Next.js & React security release (May 2026): what to know Block project transfers out of your team Gemini 3.1 Flash-Lite now available in AI Gateway OpenAI GPT-5.5 Instant now available in AI Gateway New `netlify logs` CLI command Deploy to Netlify with Stripe Projects Netlify Database is now generally available OpenAI GPT-5.5 and GPT-5.5 Pro in AI Gateway & Agent Runners Rename an agent run GPT Image 2 now available in AI Gateway New frontend-design skill for Agent Runners Claude Opus 4.7 now available in AI Gateway and Agent Runners Pricing updates for Credit-based plans New sorting and filter controls on the Members page Netlify Database GA coming soon, no new databases for now Deploy logs streaming is now faster Netlify CLI adds prompt-based creation and anonymous deploys Deploy from Codex with the Netlify Plugin Hydrogen with React Router 7 now supported on Netlify Monitor credit usage by day Invoices for Enterprise Available on the Billing Page AI app development on production infrastructure with Netlify Introducing Prompt Templates OpenAI GPT-5.4 Nano and GPT-5.4 Mini in AI Gateway Change your pricing plan Internal Builder Role & Project Access Controls See your available credits at a glance Astro 6 just works on Netlify Limit AI feature usage OpenAI GPT-5.4 and GPT-5.4 Pro in AI Gateway & Agent Runners Deploy Preview screenshots in agent runs Gemini 3.1 Flash-Lite Preview now available in AI Gateway GPT-5.3 Instant now available in AI Gateway Use Netlify Agent Runners from Linear Automatic PHP bot scan blocking now live on all plans Support for stale-while-revalidate in Cache API Gemini 3.1 Flash Image Preview now available in AI Gateway GPT-5.3-Codex now available in AI Gateway Gemini 3.1 Pro Preview now available in AI Gateway Claude Sonnet 4.6 now available in AI Gateway and Agent Runners Sync changes with Agent Runners without Git Claude Opus 4.6 now available in AI Gateway and Agent Runners Agent Runners improvements recap 6 new React Router & Remix CVEs: what you need to know Vulnerability in Node.js: what Netlify users need to know 5 SvelteKit security vulnerabilities: what Netlify users need to know GPT-5.2-Codex Now Available in AI Gateway and Agent Runners Play Games While Agent Runners Do the Work Prerender.io support updated as new extension Gemini 3 Flash Preview now available in AI Gateway GPT-image-1.5 now available in AI Gateway AI Gateway now Generally Available Observability release is here Prerender extension now generally available Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183 GPT-5.2 and GPT-5.2-Pro now available in AI Gateway and Agent Runners GPT-5.1-Codex-Max now available in AI Gateway and Agent Runners Netlify’s response to the critical React security vulnerability Netlify Vite Plugin now supports AI Gateway locally Claude Opus 4.5 now available in AI Gateway Projects deployed using a zip file via API now support branch deploys Day one support for Angular v21 on Netlify Gemini 3 now available in AI Gateway and Agent Runners DNS record management simplified for teams in Netlify organizations Skew protection for CLI workflows Support for more domain TLDs GPT-5.1 model now available in AI Gateway React Router 7 apps can now be deployed to Edge Functions | Netlify Changelog Git SHA exposed for triggered deploys | Netlify Changelog Test scheduled functions in Netlify dashboard | Netlify Changelog Revert agent run in a task | Netlify Changelog Deletion improvements with Netlify Blobs | Netlify Changelog Preview Server restart for cross-functional collaborators | Netlify Changelog AI inference usage graphs | Netlify Changelog Buy credit packs on demand | Netlify Changelog React Router 7 middleware now supported | Netlify Changelog Skew protection now available | Netlify Changelog Next.js 16 is ready to deploy on Netlify | Netlify Changelog Enforce Git-based workflows for production deploys | Netlify Changelog Claude Haiku 4.5 is now available in the AI Gateway | Netlify Changelog GPT 5 Pro now available in the AI Gateway | Netlify Changelog Updates to credit-based Personal and Pro plans | Netlify Changelog New AI workflows: Agent Runners and AI Gateway (beta) | Netlify Changelog Netlify pricing update: Introducing credit-based plans | Netlify Changelog Security Update: Multiple vulnerabilities in Next.js | Netlify Changelog ChatGPT deep link for failed deploy analysis | Netlify Changelog Equinix IP address expiring for 4-year old sites | Netlify Changelog Nuxt 4 support + new @netlify/nuxt module for local dev | Netlify Changelog Smart Secret Scanning for AI-Generated Code | Netlify Netlify DB: Serverless PostgreSQL Database | Netlify One-click install Netlify MCP on Cursor | Netlify Changelog Netlify MCP Server: AI Agents Can Now Deploy Code Directly | Netlify Netlify Becomes Official Vite Deployment Partner + New Plugin | Netlify Angular 20 support | Netlify Changelog Netlify CLI 21.4.1 UI and workflow enhancements | Netlify Changelog Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 | Netlify Changelog
7 React Router security vulnerabilities: what you need to know
2026-06-02 · via Netlify Changelog

The React Router team has disclosed seven security vulnerabilities. Here’s what Netlify customers need to know.

VulnerabilityPackageAffected versionsFixed in
GHSA-8x6r-g9mw-2r78 — DoS via __manifest endpointreact-router7.0.0–7.14.x7.15.0
GHSA-rxv8-25v2-qmq8 — DoS via single-fetch request bodyreact-router7.0.0–7.13.x7.14.0
GHSA-8646-j5j9-6r62 — XSS via javascript: redirect in unstable RSCreact-router7.7.0–7.13.17.13.2
GHSA-49rj-9fvp-4h2h — RCE when chained with prototype pollutionreact-router7.5.2–7.14.17.14.2
GHSA-2j2x-hqr9-3h42 — Protocol-relative open redirectreact-router7.0.0–7.14.07.14.1
GHSA-f22v-gfqf-p8f3 — Stored XSS in prerendered redirect HTML@react-router/dev7.0.0–7.13.17.13.2
GHSA-84g9-w2xq-vcv6 — CSRF check bypassed for PUT/PATCH/DELETEreact-router7.12.0–7.15.07.15.1

Impact on Netlify

GHSA-8x6r-g9mw-2r78 and GHSA-rxv8-25v2-qmq8 (denial of service)

These are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

GHSA-8646-j5j9-6r62 (XSS in unstable RSC)

This vulnerability affects apps using the experimental unstable_* RSC APIs where an attacker can control a redirect target. Only apps using these unstable APIs are affected.

Regardless of hosting provider, affected apps passing untrusted input into RSC redirect calls may be vulnerable.

GHSA-49rj-9fvp-4h2h (RCE when chained)

This vulnerability is not directly exploitable against React Router alone. Reaching the vulnerable code path requires the application to first be independently vulnerable to a prototype pollution attack.

GHSA-2j2x-hqr9-3h42 (open redirect)

Apps that redirect users to attacker-supplied URLs with the intent to restrict them to the same origin may inadvertently allow protocol-relative redirects to external origins.

Regardless of hosting provider, all affected apps passing untrusted input to redirect() may be vulnerable.

GHSA-f22v-gfqf-p8f3 (stored XSS in prerendering)

This vulnerability affects apps using the prerendering feature (prerender: [...] in react-router.config.ts). If any redirect target baked into a prerendered build originates from external or attacker-controlled data, the static artifact remains affected until a fresh build is run with a patched version.

Regardless of hosting provider, all affected apps using prerendering with externally sourced redirect targets may be vulnerable.

GHSA-84g9-w2xq-vcv6 (CSRF bypass for PUT/PATCH/DELETE)

The CSRF origin check introduced in React Router 7.12.0 only applied to POST requests on the document-request path, leaving PUT, PATCH, and DELETE unchecked. In practice, exploitation additionally requires the app to have explicitly opened CORS for those methods and to be issuing session cookies with SameSite=None.

Regardless of hosting provider, this only poses a meaningful risk in apps with permissive cross-origin configurations.

What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

  • react-router 7.15.1 or later
  • @react-router/dev 7.13.2 or later (if using prerendering)

If your app uses prerendering, trigger a fresh build after upgrading to regenerate any affected static assets.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.