SOC Prime Bias: Critical

05 Dec 2025 16:35

CVE-2025-55182 and CVE-2025-66478: High-Fidelity Detection for RSC/Next.js RCE

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A remote code execution flaw affects Next.js applications that use React Server Components. The issue can be triggered with no prior access by sending a specially crafted multipart HTTP request. Although multiple public proof-of-concept exploits exist, many are unreliable or incorrect. The article introduces a high-fidelity detection technique that relies on a characteristic server error response.

Investigation

The researchers examined the React Server Component parsing logic and found that a colon-delimited property reference can produce a 500 error when the targeted object is missing. They then built a multipart payload that reliably triggers this condition and confirmed a repeatable response pattern. The proposed detection rule flags HTTP 500 responses whose body contains the distinctive E{"digest" fragment.

Mitigation

Mitigation steps include upgrading affected Next.js releases to versions that incorporate additional safeguards around the colon notation. Organizations should deploy WAF rules to block the malicious multipart structure and ensure that all incoming requests touching React Server Components are validated and sanitized.

Response

Security teams should scan exposed web applications for the described request–response signature and prioritize fixes for vulnerable Next.js instances. If exploitation is suspected, isolate the impacted server, preserve and review logs for evidence of code execution, and apply the relevant patches without delay.
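The Investigation and Response sections describe the signature as a pair: an HTTP 500 status together with the E{"digest fragment in the response body, with request-side context (multipart POST, Next-Action header) used only for triage. The following script is an added example of that logic run over constructed proxy log records; it is not SOC Prime's Sigma rule or any project code. The JSON field names (ts, src, method, uri, status, req_headers, resp_body) and the sample records are assumptions made for the example.

```python
"""Flag HTTP transactions that match the RSC/Next.js 500 + E{"digest response signature.

Added example (not the article's detection rule). Log format and records are constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable

# Characteristic fragment of the React Server Components error response named in the article.
DIGEST_MARKER = 'E{"digest'
# Request-side indicator from the article's simulation narrative; used for context only.
SIMULATION_USER_AGENT = "Assetnote/1.0.0"

# Constructed proxy log (JSON lines). Not real traffic; field names are assumptions.
SAMPLE_LOG = r'''
{"ts":"2025-12-05T16:01:02Z","src":"198.51.100.7","method":"POST","uri":"/","status":500,"req_headers":{"Content-Type":"multipart/form-data; boundary=----x","Next-Action":"x","User-Agent":"Assetnote/1.0.0"},"resp_body":"0:E{\"digest\":\"1234567890\"}\n"}
{"ts":"2025-12-05T16:01:05Z","src":"203.0.113.9","method":"GET","uri":"/api/health","status":200,"req_headers":{"User-Agent":"curl/8.4.0"},"resp_body":"ok"}
{"ts":"2025-12-05T16:02:11Z","src":"198.51.100.7","method":"POST","uri":"/","status":500,"req_headers":{"Content-Type":"multipart/form-data; boundary=----y","Next-Action":"x","User-Agent":"Mozilla/5.0"},"resp_body":"0:E{\"digest\":\"0987654321\"}\n"}
{"ts":"2025-12-05T16:03:00Z","src":"203.0.113.9","method":"POST","uri":"/upload","status":500,"req_headers":{"Content-Type":"multipart/form-data; boundary=----z","User-Agent":"Mozilla/5.0"},"resp_body":"Internal Server Error"}
{"ts":"2025-12-05T16:04:00Z","src":"192.0.2.44","method":"POST","uri":"/","status":200,"req_headers":{"Content-Type":"multipart/form-data; boundary=----w","Next-Action":"x"},"resp_body":"0:[\"$@1\"]"}
'''


def parse_records(text: str) -> list[dict]:
    """Parse JSON-lines proxy log into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_signature(rec: dict) -> bool:
    """Core rule: HTTP 500 whose response body carries the RSC digest fragment.

    A 500 without the fragment (ordinary server error) does not match, and
    neither does a body with RSC payload but a non-500 status.
    """
    return rec.get("status") == 500 and DIGEST_MARKER in rec.get("resp_body", "")


def request_indicators(rec: dict) -> list[str]:
    """Secondary, request-side context attached to an alert for triage (not required to match)."""
    hdrs = {k.lower(): v for k, v in rec.get("req_headers", {}).items()}
    found: list[str] = []
    if rec.get("method") == "POST" and hdrs.get("content-type", "").startswith("multipart/form-data"):
        found.append("multipart POST")
    if "next-action" in hdrs:
        found.append("Next-Action header present")
    if hdrs.get("user-agent") == SIMULATION_USER_AGENT:
        found.append("simulation User-Agent")
    return found


def detect(records: Iterable[dict]) -> list[dict]:
    """Return one alert per record matching the 500 + E{"digest signature."""
    alerts = []
    for rec in records:
        if matches_signature(rec):
            alerts.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "uri": rec["uri"],
                "context": request_indicators(rec),
            })
    return alerts


def sources_by_hits(alerts: list[dict]) -> list[tuple[str, int]]:
    """Rank source addresses by number of matching responses, for prioritising investigation."""
    return Counter(a["src"] for a in alerts).most_common()


if __name__ == "__main__":
    found = detect(parse_records(SAMPLE_LOG))
    for alert in found:
        print(f"{alert['ts']} {alert['src']} {alert['uri']} context={alert['context']}")
    print("sources:", sources_by_hits(found))
```

Two of the five constructed records match (both from the same source); the plain 500 without the digest fragment and the successful RSC response are correctly ignored. The request-side indicators are deliberately kept out of the match condition, since the article's point is that the response pattern is the high-fidelity part of the signature.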

Attack Flow

We are still updating this part.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The attacker, having identified that the target runs a vulnerable version of Next.js, crafts a malicious multipart request that mimics a legitimate asset-upload flow. By setting the User-Agent to Assetnote/1.0.0 and injecting the internal Next.js headers Next-Action: x and X-Nextjs-Request-Id: b5dce965, the payload triggers the server-side component that deserializes untrusted data, causing a runtime exception. The server responds with HTTP 500 and includes the serialized digest (E{"digest) in the body, which the detection rule watches for.

  • Regression Test Script:

    #!/usr/bin/env bash
    #
    # Exploit simulation for Next.js RCE detection rule (T1595.002)
    # Generates the exact packet pattern the Sigma rule expects.
    #
    TARGET="${TARGET:-http://127.0.0.1}"   # override with TARGET=http://host:port ./script.sh
    ENDPOINT="/"
    USER_AGENT="Assetnote/1.0.0"
    BOUNDARY="----WebKitFormBoundary$(date +%s)"

    # Minimal multipart body; content is irrelevant for the detection.
    # printf is used so every line ends in CRLF, as the multipart format requires
    # (a heredoc would emit bare LF line endings).
    PAYLOAD=$(printf -- '--%s\r\nContent-Disposition: form-data; name="file"; filename="exploit.txt"\r\nContent-Type: text/plain\r\n\r\nexploit\r\n--%s--\r\n' \
      "$BOUNDARY" "$BOUNDARY")

    # Send the request and print only the HTTP status code (expected: 500).
    curl -s -o /dev/null -w "%{http_code}\n" -X POST "${TARGET}${ENDPOINT}" \
      -H "User-Agent: ${USER_AGENT}" \
      -H "Next-Action: x" \
      -H "X-Nextjs-Request-Id: b5dce965" \
      -H "Content-Type: multipart/form-data; boundary=${BOUNDARY}" \
      --data-binary "$PAYLOAD"

    Run the script on a machine that can reach the target web server. The expected HTTP status is 500 and the server’s error log will contain the E{"digest string.

  • Cleanup Commands:

    # No persistent changes on the target. The script keeps the payload in memory and
    # writes no files, so this only removes a temporary file if an earlier run left one.
    rm -f /tmp/exploit_payload.tmp 2>/dev/null || true