From b69e25dea38d2cda4bc259f6699bc99c2f493d82 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 9 Dec 2025 02:17:51 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20CVE-2025-55182=20&=20CV?= =?UTF-8?q?E-2025-66478=20React2Shell=20=E2=80=93=20All=20You=20Need=20t..?= =?UTF-8?q?.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../pentesting-web/nextjs.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md index 41f7c10a428..6f5b6cd773c 100644 --- a/src/network-services-pentesting/pentesting-web/nextjs.md +++ b/src/network-services-pentesting/pentesting-web/nextjs.md 
@@ -1362,10 +1362,45 @@ Next.js App Router deployments that expose Server Actions on `react-server-dom-w } ``` +#### Mapping React Server Function exposure + +React Server Functions (RSF) are any functions that include the `'use server';` directive. Every form action, mutation, or fetch helper bound to one of those functions becomes an RSC Flight endpoint that will happily deserialize attacker-supplied payloads. Useful recon steps derived from React2Shell assessments: + +- **Static inventory:** look for the directive to understand how many RSFs are being automatically exposed by the framework. + +```bash +rg -n "'use server';" -g"*.{js,ts,jsx,tsx}" app/ +``` + +- **App Router defaults:** `create-next-app` enables the App Router + `app/` directory by default, which silently turns every route into an RSC-capable endpoint. App Router assets such as `/_next/static/chunks/app/` or responses that stream Flight chunks over `text/x-component` are strong Internet-facing fingerprints. +- **Implicitly vulnerable RSC deployments:** React’s own advisory notes that apps shipping the RSC runtime can be exploitable **even without explicit RSFs**, so treat any build using `react-server-dom-*` 19.0.0–19.2.0 as suspect. +- **Other frameworks bundling RSC:** Vite RSC, Parcel RSC, React Router RSC preview, RedwoodSDK, Waku, etc. reuse the same serializer and inherit the identical remote attack surface until they embed patched React builds. + +#### Version coverage (React2Shell) + +- `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`: **vulnerable** in 19.0.0, 19.1.0–19.1.1 and 19.2.0; **patched** in 19.0.1, 19.1.2 and 19.2.1 respectively. +- **Next.js stable:** App Router releases 15.0.0–16.0.6 embed the vulnerable RSC stack. Patch trains 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7 / 16.0.7 include fixed deps, so any build below those versions is high-value. 
+- **Next.js canary:** `14.3.0-canary.77+` also ships the buggy runtime and currently lacks patched canary drops, making those fingerprints strong exploitation candidates. + +#### Remote detection oracle (react2shell-scanner) + +Until a full exploit is public, detection is mostly protocol-based. Assetnote’s [`react2shell-scanner`](https://github.com/assetnote/react2shell-scanner) sends a crafted multipart Flight request to candidate paths and watches server-side behavior: + +- **Default mode** executes a deterministic RCE payload (math operation reflected via `X-Action-Redirect`) proving code execution. +- **`--safe-check` mode** purposefully malforms the Flight message so patched servers return `200/400`, while vulnerable targets emit `HTTP/500` responses containing the `E{"digest"` substring inside the body. That `(500 + digest)` pair is currently the most reliable remote oracle published by defenders. +- Built-in `--waf-bypass`, `--vercel-waf-bypass`, and `--windows` switches adjust payload layout, prepend junk, or swap OS commands so you can probe real Internet assets. + +```bash +python3 scanner.py -u https://target.tld --path /app/api/submit --safe-check +python3 scanner.py -l hosts.txt -t 20 --waf-bypass -o vulnerable.json +``` + ## References - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions) - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer) - [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp) +- [CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need to Know](https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/) +- [assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner) {{#include ../../banners/hacktricks-training.md}}
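Review bot: the "Implicitly vulnerable RSC deployments" bullet tells readers to treat any `react-server-dom-*` build in "19.0.0–19.2.0" as suspect, but that range also contains the patched 19.0.1 and 19.1.2 releases that the "Version coverage" list a few lines below names as fixed; the "15.0.0–16.0.6" span has the same problem, since it includes the 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7 patch trains. Spell the affected set out as the discrete versions `19.0.0`, `19.1.0`, `19.1.1`, `19.2.0` and, for Next.js, "any 15.x or 16.0.x release below its own patch train", so a reader cannot take a patched build for a vulnerable one. Two smaller points in the same hunk: "Until a full exploit is public" in the scanner section conflicts with the page's own References, which already link an RCE exploit tool, and with the default-mode description that follows it, which says the scanner executes an RCE payload; because default mode runs code on the target, the text should also say plainly that `--safe-check` is the mode to use first against assets you do not own. Finally, the `rg` inventory command only matches the exact string `'use server';` (single quotes, trailing semicolon) and only under `app/`, so it misses the double-quoted form, the form without a semicolon, and server functions kept outside `app/` such as `src/` or `lib/`; something like `rg -n "[\"']use server[\"']" -g '*.{js,ts,jsx,tsx}' .` covers all of those.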