zlacker

1. WatchD+(OP) 2025-12-04 00:47:34
I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct. Can you demo it with an actual Next.js project instead of your mock server?

2. ejpir+F1 2025-12-04 01:00:10
>>WatchD+(OP)
I'm trying that; Next.js is a little different because it uses a Proxy object before it passes through, which blocks the RCE.

I'm debugging it currently, maybe I'm not on the right path after all.

3. ejpir+N5 2025-12-04 01:40:48
>>WatchD+(OP)
I've updated the code; try it now with server-realistic.js:

1. npm start
2. npm run exploit
