From 4c19d46a7af5adc532ea7651c75acbd967fab5f4 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 5 Dec 2025 01:47:34 +0000 Subject: [PATCH] Add content from: Critical Vulnerabilities in React Server Components and Next... --- src/pentesting-web/deserialization/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md index 85700bee5b1..120caff6d8d 100644 --- a/src/pentesting-web/deserialization/README.md +++ b/src/pentesting-web/deserialization/README.md 
@@ -397,6 +397,24 @@ In the following pages you can find information about how to abuse this library - [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/) - [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418) +### React Server Components Flight deserialization (React 19 / Next.js CVE-2025-55182) + +**Key facts** + +- The flaw lives in the `react-server` Flight decoder bundled by `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` 19.0.0, 19.1.0, 19.1.1, and 19.2.0; any framework embedding those packages inherits the sink. +- Every default **Next.js App Router** deployment produced by `create-next-app` with vulnerable React 19 builds is exploitable pre-auth via crafted HTTP POST requests carrying Flight payloads—even if the project never opted into React Server Functions explicitly.[^rsc-unit42] +- The attack is a logical insecure-deserialization issue: once an attacker shapes a syntactically valid Flight stream, they deterministically coerce the server into instantiating arbitrary component references and gain privileged JavaScript execution inside Node/Bun/Deno.[^rsc-unit42] +- Besides Next.js 15.x/16.x, other consumers such as React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin must be assumed vulnerable until they ship patched React bundles.[^react-advisory] + +#### Testing workflow + +1. **Map Flight endpoints.** React Server Components/App Router expose POST handlers (often alongside the user route) that accept Flight streams generated whenever a Server Action runs. Intercept one of those requests via Burp/mitmproxy or replay a `fetch` call from DevTools to obtain a legitimate Flight blob. +2. 
**Mutate Flight records.** The Flight format encodes component trees as tagged frames (JSON chunks, module references, arguments, etc.). Because the vulnerable decoder never validates whether a record may instantiate the referenced module/function, you can flip record IDs or splice in additional frames so that the server materializes privileged references (for example, built-in server actions that allow arbitrary module loading) and runs your own JavaScript payload.[^rsc-unit42] +3. **Expect deterministic execution.** Researchers reported near-100% reliability: once a working payload is produced for a React 19.x target, each replay yields the same server-side RCE without timing gadgets or memory corruption tricks.[^rsc-unit42] + +[^rsc-unit42]: [Unit 42 – Critical Vulnerabilities in React Server Components and Next.js](https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/) +[^react-advisory]: [React – Critical Security Vulnerability in React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) + ## Java - HTTP In Java, **deserialization callbacks are executed during the process of deserialization**. This execution can be exploited by attackers who craft malicious payloads that trigger these callbacks, leading to potential execution of harmful actions.
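Review bot: Step 1 of the testing workflow contradicts the second key fact. The key facts say a default App Router site is exploitable "even if the project never opted into React Server Functions explicitly", but step 1 tells the tester to obtain a legitimate Flight blob by intercepting a request "generated whenever a Server Action runs"; on a target with no Server Actions there is nothing to intercept, so the step should also say how to construct a Flight POST from scratch (which route accepts it and what the request must carry) or it is not actionable for exactly the case the section claims is exploitable. Two smaller points on the same hunk: the key facts list the vulnerable `react-server-dom-*` 19.x versions but never state the patched versions, and the Next.js CVE appears only inside the footnote URL (`cve-2025-66478-next`) rather than in the heading or the Next.js 15.x/16.x bullet, so a reader scanning for "is my version fixed" gets no answer; add the fixed React/Next.js versions next to the affected ones and name the Next.js CVE in the text. Finally, step 2 ("flip record IDs or splice in additional frames ... built-in server actions that allow arbitrary module loading") stays at the level of description, while step 3 only asserts reliability; other entries in this README show at least the shape of the malicious payload, so either add a minimal annotated Flight record example or drop step 3 and fold its one fact (no timing or memory-corruption dependency) into step 2.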