Merge pull request #1783 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_nextjs_20260120_020841

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-web/nextjs.md

@@ -1432,6 +1432,20 @@ python3 scanner.py -u https://target.tld --path /app/api/submit --safe-check
 python3 scanner.py -l hosts.txt -t 20 --waf-bypass -o vulnerable.json
 ```
 
+### Other recent App Router issues (late 2025)
+
+1. **RSC DoS & source disclosure (CVE-2025-55184 / CVE-2025-67779 / CVE-2025-55183)** – malformed Flight payloads can spin the RSC resolver into an infinite loop (pre-auth DoS) or force serialization of compiled Server Function code for other actions. App Router builds ≥13.3 are affected until patched; 15.0.x–16.0.x need the specific patch lines from the upstream advisory. Reuse the normal Server Action path but stream a `text/x-component` body with abusive `$` references. Behind a CDN the hung connection is kept open by cache timeouts, making the DoS cheap.
+   - **Triage tip:** Unpatched targets return `500` with `E{"digest"` after malformed Flight payloads; patched builds return `400/200`. Test any endpoint already streaming Flight chunks (look for `Next-Action` headers or `text/x-component` responses) and replay with a modified payload.
+
+2. **RSC cache poisoning (CVE-2025-49005, App Router 15.3.0–15.3.2)** – missing `Vary` let an `Accept: text/x-component` response get cached and served to browsers expecting HTML. A single priming request can replace the page with raw RSC payloads. PoC flow:
+   ```bash
+   # Prime CDN with an RSC response
+   curl -k -H "Accept: text/x-component" "https://target/app/dashboard" > /dev/null
+   # Immediately fetch without Accept (victim view)
+   curl -k "https://target/app/dashboard" | head
+   ```
+   If the second response returns JSON Flight data instead of HTML, the route is poisonable. Purge cache after testing.
+
 ## References
 
 - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions)
@@ -1440,5 +1454,7 @@ python3 scanner.py -l hosts.txt -t 20 --waf-bypass -o vulnerable.json
 - [CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need to Know](https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/)
 - [0xdf – HTB Previous (Next.js middleware bypass, static export recon, NextAuth config leak)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html)
 - [assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
+- [Next.js Security Update: December 11, 2025 (CVE-2025-55183/55184/67779)](https://nextjs.org/blog/security-update-2025-12-11)
+- [GHSA-r2fc-ccr8-96c4 / CVE-2025-49005: App Router cache poisoning](https://github.com/advisories/GHSA-r2fc-ccr8-96c4)
 
 {{#include ../../banners/hacktricks-training.md}}