---
# Nuclei template for a training lab. It sends one fixed POST request and
# checks that the response carries the lab's simulated-proof markers.
# A match shows only that the target returned those markers; the template
# carries no exploit payload and does not test real deployments for the
# referenced vulnerability.
id: week01-react-rsc-rce-awareness-lab

info:
  name: Week 1 React RSC RCE Awareness Proof Lab
  author: cj-olivenetworks-security-edu
  # NOTE(review): "critical" presumably mirrors the referenced advisories.
  # A hit from this template is a lab marker, not a confirmed critical
  # finding, so read the severity in reports with that in mind.
  severity: critical
  description: >-
    Sends only a harmless proof request to the training server and confirms
    that no code execution occurs.
  reference:
    - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
    - https://nextjs.org/blog/CVE-2025-66478
    - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
  metadata:
    max-request: 1
    # The three flags below are descriptive labels. Nothing in this template
    # enforces them; limiting the scan to the training server is up to the
    # operator's target list.
    lab-only: true
    simulated: true
    no-code-execution: true
  tags: react,rsc,nextjs,rce-awareness,cve2025,week01,lab

http:
  - method: POST
    path:
      - '{{BaseURL}}/__rsc_action'
    headers:
      User-Agent: 'week01-nextjs-nuclei-lab'
      Content-Type: 'text/x-component'
      Next-Action: 'lab-safe-proof'
    # Fixed marker string; the request body holds no serialized payload.
    body: 'LAB_RSC_PROOF_REQUEST'

    # All three matchers must succeed for the template to report a match.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Literal substring match against the response headers.
      - type: word
        part: header
        words:
          - 'X-Lab-Proof: react-rsc-rce-awareness-simulated'

      # Both words must be present. The second is an exact substring, so it
      # depends on the server emitting `"executed": false` with this spacing.
      - type: word
        part: body
        words:
          - 'LAB_PROOF_REACT_RSC_RCE_AWARENESS_ONLY'
          - '"executed": false'
        condition: and

    # Copies the proof marker from the body into the scan output.
    extractors:
      - type: regex
        part: body
        regex:
          - 'LAB_PROOF_REACT_RSC_RCE_AWARENESS_ONLY'