Hey there, back again with another post! 😄
When CVE-2025-55182 dropped, it immediately became one of the most impactful Remote Code Execution (RCE) vulnerabilities in the JavaScript ecosystem. The issue affected Next.js 13+, specifically a feature called Server Actions, which quietly introduced a dangerous deserialization bug.
In this blog post, I'll try to break down CVE-2025-55182 from scratch: what caused it, how to identify it in real-world applications, how to test for it, and what developers need to do to keep their applications safe. Whether you're a pentester, developer, or security enthusiast, this write-up will help you fully understand how this vulnerability works and how to detect it.
Next.js is a framework built on React. In newer versions (13+), Next.js introduced Server Actions.
They allow you to write a server-side function directly inside your React component:
```js
async function addUser(data) {
  'use server'; // marks this function as a Server Action
  // runs on the server
}
```

Instead of building an API endpoint, the browser automatically sends a special POST request that triggers these functions. These requests are not normal JSON APIs: they use something called the React Server Components protocol (RSC/Flight).
This “special” request structure is…