## https://sploitus.com/exploit?id=803110CF-968F-51D4-B0BD-5ABA14911C82
# CVE-2025-55182 POC for Next.js App-Router
CVE-2025-55182 POC for Next.js App Router
# Next.js App Router RSC PoC (Security Research)
This repository demonstrates how Next.js (App Router + Server Actions) integrates the React Server Components (RSC) runtime and how, under certain conditions, a valid Server ActionId can be replayed to trigger server-side logic remotely. It also explains the difference between a Next-adapted PoC versus a raw react-server-dom-* PoC.
> Important: This repo is for security research only. Do not deploy on public networks. Remove unsafe server logic in real apps.
## Stack and versions
- Next.js: 15.5.6
- React / ReactDOM: 19.0.0 (intentionally using a vulnerable 19.x to reproduce constructor-chain behavior; patched versions like 19.2.1+ may block it)
- Node: any recent LTS (local tests used v24.x)
- No direct react-server-dom-webpack in package.json
## Project structure
```
app/
actions.ts # echo, dangerous, fnConstructor Server Actions
page.tsx # three forms bound to the actions for easy testing
package.json # pins Next/React versions
README.md # this file
```
## How to run
Development (recommended for capturing requests):
```bash
npm install
npm run dev
# open http://127.0.0.1:3000 and use DevTools Network to capture form submissions
```
Production (also works for ActionId replay verification):
```bash
npm run build
npm run start
# open http://127.0.0.1:3000
```
Click the button for testing.
## What this PoC shows
There are two complementary validations:
1) Impact path (ActionId replay): If an attacker obtains a valid Server ActionId, they can replay an RSC Flight multipart request and trigger the bound server function. If that function is unsafe (e.g., executes shell commands or runs untrusted strings via `Function`), this results in remote command/script execution.
2) RSC constructor-chain (runtime parsing behavior): In vulnerable React versions, resolving exports via outlined property chains can reach `#constructor` → `Function`. In Next, this can only target modules that are registered in the app manifest (your app code). Arbitrary core modules like `fs`/`child_process` are not present in Next's manifest. Patched React versions constrain export resolution and block this path.
## Next.js vs raw react-server-dom-* PoC
- Raw RSC PoCs often use a permissive `serverManifest` that lists core modules (fs/child_process/vm). Next does not do this. NextJs `resolveServerReference` only recognizes modules bundled from your app.
- Next requires:
- A valid ActionId for the target server action.
- Same-origin request headers.
- RSC Flight protocol: `Accept: text/x-component`, router state, and strict multipart field ordering (including `1_$ACTION_ID_=`).
- Vulnerability reproduction via constructor chain in Next must reference an app module's export (e.g., `app/actions.ts#constructor`). You cannot reference `fs#readFileSync` directly.
## Button-based PoC (no curl)
You can validate the impact directly by clicking the three forms on the page. These are part of the PoC.
- Echo Action
- Input (UI): field `foo` (default `bar`, or any value)
- Expected output (UI): a JSON string with the submitted keys/values, e.g. `{"foo":"bar"}`
- Expected server logs: lines like `[echo] received keys: [...]` and `[echo] entries: {...}` showing all multipart keys. This helps you capture real field names and the current ActionId.
- Dangerous Action (impact demonstration)
- Input (UI): field `cmd` (default `whoami`; you can use `id`)
- Expected output (UI): a string like `exec: root` or the output of the command. If `cmd` is empty, the action returns `no cmd`.
- Error mode: on failure, the action returns `error: `.
- Function constructor demo
- Input (UI): field `body` (default `return 1+1`)
- Example bodies:
- `return process.version` proves server execution without side effects.
- `require("fs").writeFileSync("/tmp/next_rsc_proof","ok"); return "wrote"` writes a proof file and returns `wrote`.
- Expected output (UI): `fn result: ` for success; `fn error: ` on failure.
Notes:
- These buttons demonstrate that a Next app with Server Actions can execute server-side logic from client interactions. If an attacker can obtain a valid ActionId, the same logic can be triggered via a replayed request (see PoC A below for protocol reproduction).
## PoC A: ActionId replay - trigger unsafe server action
This path proves real-world impact in a Next app. Steps:
1) In the browser, click any form in the page, then open DevTools - Network and inspect the POST request.
2) Copy these values exactly:
- `next-action` (ActionId hash)
- `next-router-state-tree` header
- `Content-Type` multipart boundary
- The exact multipart field order and names
3) Reconstruct the request. Examples below use two actions:
- Dangerous (command execution):
- Multipart body includes `1_cmd=id` (or `whoami`) and an empty `1_$ACTION_ID_=` at the end.
- FnConstructor (function body execution):
- Multipart body includes `1_body=return process.version` (or a file-write proof), plus the empty `1_$ACTION_ID_=`.
Keep headers: `Accept: text/x-component`, same-origin `Origin`/`Referer`, correct boundary, and the exact field order your browser used.
Expected output: The RSC Flight response will contain either the command output (e.g., user or id info) or a string like `fn result: vXX.YY.ZZ`, proving server-side execution via ActionId replay.
Common errors:
- `500 reject is not a function`: field order mismatch or stale ActionId. Re-capture and reproduce the order exactly; ensure the ActionId is current.
## PoC B: Constructor chain via app module (React vulnerable versions)
Goal: Without relying on unsafe business logic, demonstrate that an export resolved via outlined properties can reach `Function` for a module in Nexts app manifest.
Steps:
1) Extract the module id for `app/actions.ts` from DevTools RSC Flight or the `.next` build output (manifest).
2) Craft an export reference `#constructor` and provide a benign function body (e.g., `return process.version`).
3) Submit the request with the same headers and field ordering rules as in PoC A.
Expected: The Flight output includes the functions return value.
Note: Patched React (19.2.1+) blocks the constructor path. ActionId replay impact remains an application-layer risk and must be mitigated by code and auth controls.
## Files of interest
- `app/actions.ts`:
- `echo(formData)`: logs multipart keys to help you see real field names.
- `dangerous(formData)`: executes a shell command passed via `cmd` (impact demonstration).
- `fnConstructor(formData)`: executes a string as a function body (constructor-chain demonstration).
- `app/page.tsx`: three forms bound to the actions.
## Why this matters
- The RSC Flight protocol allows client-side interactions to trigger server actions. If an attacker can obtain a valid ActionId and the action is unsafe, they can replay the request and execute logic on the server.
- Vulnerable React versions additionally allowed export resolution to walk into prototype-chain/constructor paths for modules that exist in NextJs manifest.
## Legal and ethical
This repository is for educational and defensive security research. Do not use these techniques on systems without explicit permission.
## Thanks
