18 changes: 18 additions & 0 deletions src/pentesting-web/deserialization/README.md
Expand Up @@ -397,6 +397,24 @@ In the following pages you can find information about how to abuse this library
- [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
- [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418)

### React Server Components Flight deserialization (React 19 / Next.js CVE-2025-55182)

**Key facts**

- The flaw lives in the `react-server` Flight decoder bundled by `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` 19.0.0, 19.1.0, 19.1.1, and 19.2.0; any framework embedding those packages inherits the sink.
- Every default **Next.js App Router** deployment produced by `create-next-app` with vulnerable React 19 builds is exploitable pre-auth via crafted HTTP POST requests carrying Flight payloads—even if the project never opted into React Server Functions explicitly.[^rsc-unit42]
- The attack is a logical insecure-deserialization issue: once an attacker shapes a syntactically valid Flight stream, they deterministically coerce the server into instantiating arbitrary component references and gain privileged JavaScript execution inside Node/Bun/Deno.[^rsc-unit42]
- Besides Next.js 15.x/16.x, other consumers such as React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin must be assumed vulnerable until they ship patched React bundles.[^react-advisory]

#### Testing workflow

1. **Map Flight endpoints.** React Server Components/App Router expose POST handlers (often alongside the user route) that accept Flight streams generated whenever a Server Action runs. Intercept one of those requests via Burp/mitmproxy or replay a `fetch` call from DevTools to obtain a legitimate Flight blob.
2. **Mutate Flight records.** The Flight format encodes component trees as tagged frames (JSON chunks, module references, arguments, etc.). Because the vulnerable decoder never validates whether a record may instantiate the referenced module/function, you can flip record IDs or splice in additional frames so that the server materializes privileged references (for example, built-in server actions that allow arbitrary module loading) and runs your own JavaScript payload.[^rsc-unit42]
3. **Expect deterministic execution.** Researchers reported near-100% reliability: once a working payload is produced for a React 19.x target, each replay yields the same server-side RCE without timing gadgets or memory corruption tricks.[^rsc-unit42]

[^rsc-unit42]: [Unit 42 – Critical Vulnerabilities in React Server Components and Next.js](https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/)
[^react-advisory]: [React – Critical Security Vulnerability in React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)

## Java - HTTP

In Java, **deserialization callbacks are executed during the process of deserialization**. This execution can be exploited by attackers who craft malicious payloads that trigger these callbacks, leading to potential execution of harmful actions.
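Review bot: the testing workflow (steps 1 and 2) conflicts with key fact 2 and never says what the attacker actually sends. Key fact 2 states that a default `create-next-app` deployment is exploitable even if the project never opted into Server Functions, yet step 1 tells the reader to obtain a legitimate Flight blob by intercepting a request "generated whenever a Server Action runs", which such a project does not produce; say explicitly that the App Router POST handler decodes Flight payloads whether or not any Server Action is defined, and how to locate it when there is no legitimate request to capture. Step 2 ("flip record IDs or splice in additional frames ... built-in server actions that allow arbitrary module loading") is the only exploitation content in the section and is too vague to reproduce: name the Flight record types involved, or drop the claim about built-in server actions unless a specific citation supports it. Two smaller points: the section lists affected versions (19.0.0, 19.1.0, 19.1.1, 19.2.0) but no fixed versions, so add the patched React and Next.js releases from the advisory cited as `[^react-advisory]`; and the `[^...]` footnote syntax is new to this file, whose neighbouring sections (e.g. the two acunetix/hackerone links just above) use plain bullet links, so either keep that convention or confirm the site's renderer supports footnotes.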