webPromedium

Lab 385 — SprintForge — Prototype Pollution to RCE via React Flight Protocol

hackadvisor

Task: Next.js 15.2 agile project management app using React Server Actions via Flight Protocol with unsafe deep merge on settings payload. Solution: Prototype pollution via __proto__.shell in multipart form field triggers RCE through notification dispatch system, leaking FLAG from environment variables.

$ ls tags/ techniques/

rce nodejs react prototype_pollution nextjs multipart_form_data flight_protocol server_actions honeypot_flag deep_merge

honeypot_flag_identificationenvironment_variable_exfiltrationprototype_pollution_via_deep_mergereact_flight_protocol_exploitationshell_command_execution_via_polluted_property

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 227 — InsightPulse — Flight Protocol Deserialization to RCE— hackadvisor
[web][Pro]Lab 240 — DeployForge — Prototype Pollution to RCE via Lodash Merge— hackadvisor
[web][Pro]Lab 319 — PageForge — Chained Path Traversal to RCE via Asset Bundler— hackadvisor
[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor