-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathreact2shell.yaml
More file actions
52 lines (46 loc) · 1.7 KB
/
react2shell.yaml
File metadata and controls
52 lines (46 loc) · 1.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
id: cve-2025-55182-cve-2025-66478-react-nextjs-rce
info:
name: React Server Components RCE
author: shamoo0
severity: critical
description: |
This template detects CVE-2025-55182 and CVE-2025-66478 vulnerabilities, which allow unauthenticated Remote Code Execution (RCE) in React Server Components and Next.js through insecure deserialization in the RSC Flight protocol.
tags: react,nextjs,rce,cve
reference:
- https://nextjs.org/blog/CVE-2025-66478
- https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
- https://www.cve.org/CVERecord?id=CVE-2025-55182
variables:
boundary: "{{concat('----WebKitFormBoundary', rand_text_alphanumeric(16))}}"
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary={{boundary}}
Next-Action: {{rand_text_alphanumeric(32)}}
X-Nextjs-Request-Id: {{rand_text_alphanumeric(32)}}
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
--{{boundary}}\r\n
Content-Disposition: form-data; name="1"\r\n\r\n
{}\r\n
--{{boundary}}\r\n
Content-Disposition: form-data; name="0"\r\n\r\n
["$1:a:a"]\r\n
--{{boundary}}--\r\n
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: regex
regex:
- "E\\{\\\"digest\\\""
- "digest.*Error"
extractors:
- type: regex
name: error-digest
regex:
- "E\\{\\\"digest\\\":\\\"([a-zA-Z0-9]*)\\\""
group: 1