Vercel Security Research & Discussion

This document serves as a collaborative space for researching and discussing vulnerabilities related to Vercel and Next.js deployments.

🎯 Research Objectives

The primary goals are to:

  • Identify and analyze security vulnerabilities disclosed by Vercel on HackerOne
  • Understand the attack surface of Vercel-hosted Next.js applications
  • Develop detection and exploitation techniques for educational purposes
  • Share knowledge and findings with the security research community

📋 Known Vulnerabilities

CVE-2025-55182 - Remote Code Execution (RCE)

  • Severity: Critical
  • Affected: Next.js React Server Components (RSC)
  • Description: RCE vulnerability in Next.js applications using React Server Components
  • Status: Known and documented in this repository
  • References:

CVE-2025-55183 - Source Code Disclosure

  • Severity: High
  • Affected: Next.js Server Actions
  • Description: Source code disclosure vulnerability via Server Actions
  • Status: Known and documented in this repository
  • Detection: Use --nextjs-rsc-source-code-disclosure flag in scanner

CVE-2025-66478

  • Severity: To be determined
  • Affected: To be researched
  • Description: Additional vulnerability mentioned in scanner banner
  • Status: Under investigation

🔍 Research Areas

1. Vercel WAF Bypass Techniques

The scanner includes multiple Vercel WAF bypass variants (1-102). Research topics:

  • Effectiveness of different bypass techniques
  • Detection evasion methods
  • WAF signature analysis
  • Rate limiting bypass

Key Findings:

  • Multiple bypass variants implemented in waf_bypass_poc.py
  • Junk data injection for content inspection bypass
  • Custom header manipulation
  • Timing-based evasion techniques

2. HackerOne Reports Analysis

  • Objective: Systematically review Vercel's disclosed reports on HackerOne
  • Methodology:
    1. Identify all publicly disclosed Vercel reports
    2. Categorize by vulnerability type
    3. Extract common patterns and root causes
    4. Develop proof-of-concepts for educational purposes

Resources:

3. Next.js Security Architecture

Understanding the security model:

  • React Server Components (RSC) boundary
  • Server Actions security model
  • Edge runtime limitations
  • Serverless function isolation

4. Detection Methodologies

Current detection approaches in the scanner:

  • Side-channel detection (timing/error-based)
  • Direct RCE attempts
  • Safe check mode
  • Server fingerprinting

🤝 How to Contribute

Adding Research Findings

  1. Fork this repository
  2. Add your findings to this document under the relevant section
  3. Include proof-of-concept code if applicable
  4. Submit a pull request with a clear description

Discussion Topics

Use GitHub Issues with the following labels:

  • research: General research discussions
  • vulnerability: New vulnerability findings
  • bypass-technique: WAF/security control bypasses
  • tool-improvement: Scanner enhancement ideas

Research Ethics

⚠️ Important Reminders:

  • Only test systems you own or have explicit permission to test
  • Follow responsible disclosure practices
  • Do not use findings for malicious purposes
  • Respect HackerOne's disclosure timelines
  • Comply with all applicable laws and regulations

📚 Useful Resources

Official Documentation

Security Research

Tools & Frameworks

📊 Research Status

Area                     Status       Contributors  Last Updated
Vercel WAF Analysis      In Progress  -             2026-01-30
HackerOne Report Review  Not Started  -             2026-01-30
Edge Runtime Security    Not Started  -             2026-01-30
New CVE Discovery        In Progress  -             2026-01-30

💡 Research Ideas

Potential Investigation Areas

  1. Edge Function Sandbox Escape: Research isolation mechanisms in Vercel Edge Functions
  2. Build-time Injection: Investigate vulnerabilities during the build process
  3. Environment Variable Exposure: Common misconfigurations in Vercel deployments
  4. Cache Poisoning: Vercel CDN cache manipulation techniques
  5. Subdomain Takeover: Orphaned Vercel deployments and DNS issues
  6. Middleware Bypass: Security controls in Next.js middleware layer

Open Questions

  • What other Next.js versions are vulnerable to CVE-2025-55182?
  • Are there alternative exploitation methods beyond the current POC?
  • How effective are different WAF rules against the bypass techniques?
  • What are the indicators of compromise for these vulnerabilities?

🔐 Mitigation Strategies

For CVE-2025-55182/55183

  1. Update Next.js: Upgrade to patched versions
  2. Input Validation: Implement strict validation on Server Actions
  3. WAF Rules: Deploy appropriate WAF rules (if not already bypassed)
  4. Monitoring: Implement detection for exploitation attempts
  5. Principle of Least Privilege: Limit server-side execution capabilities
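One concrete form the "Monitoring" item above can take, written here as an added example (it is not code from this repository or from Vercel): a small log-analysis routine that groups failed Server Action invocations per client and reports clients that produce a burst of server errors within a time window, which is the kind of observable the error-based probing mentioned under Detection Methodologies leaves behind. Server Actions are invoked with a POST carrying a `Next-Action` request header, which the check keys on. The JSON-lines log format, field names and IP addresses below are constructed for the example and are not Vercel's actual log-drain schema; the window and threshold are tunable assumptions.

```javascript
'use strict';

// Added example, not part of this repository. Flags clients that trigger a burst
// of failing (5xx) Server Action POSTs. The log shape below is constructed for
// the example; adapt parseLogLine() to the real log source before use.
const SAMPLE_LOGS = [
  '{"ts":"2026-01-30T10:00:00Z","ip":"198.51.100.7","method":"POST","path":"/checkout","status":200,"headers":{"next-action":"act-001"}}',
  '{"ts":"2026-01-30T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"Next-Action":"act-001"}}',
  '{"ts":"2026-01-30T10:00:04Z","ip":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"Next-Action":"act-002"}}',
  '{"ts":"2026-01-30T10:00:09Z","ip":"203.0.113.5","method":"GET","path":"/_next/static/chunk.js","status":200,"headers":{}}',
  '{"ts":"2026-01-30T10:00:12Z","ip":"203.0.113.5","method":"POST","path":"/login","status":500,"headers":{"Next-Action":"act-002"}}',
  '{"ts":"2026-01-30T10:00:20Z","ip":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"Next-Action":"act-003"}}',
  '{"ts":"2026-01-30T10:00:25Z","ip":"198.51.100.7","method":"POST","path":"/checkout","status":200,"headers":{"next-action":"act-001"}}',
  '{"ts":"2026-01-30T10:05:00Z","ip":"192.0.2.9","method":"POST","path":"/","status":500,"headers":{"next-action":"act-001"}}',
];

// Parse one JSON log line into a normalized entry; header names are lower-cased
// so that "Next-Action" and "next-action" compare equal.
function parseLogLine(line) {
  const raw = JSON.parse(line);
  const headers = {};
  for (const [name, value] of Object.entries(raw.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  return {
    ts: Date.parse(raw.ts),
    ip: raw.ip,
    method: raw.method,
    path: raw.path,
    status: Number(raw.status),
    headers,
  };
}

// A Server Action invocation is a POST carrying a Next-Action header; we only
// keep the ones the server rejected with a 5xx.
function isFailedServerAction(entry) {
  return entry.method === 'POST' && 'next-action' in entry.headers && entry.status >= 500;
}

// Slide a time window over each client's failed invocations and report clients
// whose densest window reaches the threshold. Distinct action ids and paths are
// included so an analyst can see whether one action or many were targeted.
function detectActionProbing(lines, { windowMs = 60000, threshold = 3 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!isFailedServerAction(entry)) continue;
    if (!byClient.has(entry.ip)) byClient.set(entry.ip, []);
    byClient.get(entry.ip).push(entry);
  }

  const findings = [];
  for (const [ip, events] of byClient) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = null;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold && (!best || count > best.count)) {
        best = { start, end, count };
      }
    }
    if (!best) continue;
    const window = events.slice(best.start, best.end + 1);
    findings.push({
      ip,
      failures: best.count,
      distinctActionIds: new Set(window.map((e) => e.headers['next-action'])).size,
      paths: [...new Set(window.map((e) => e.path))],
      firstSeen: new Date(window[0].ts).toISOString(),
      lastSeen: new Date(window[window.length - 1].ts).toISOString(),
    });
  }
  return findings;
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_LOGS, parseLogLine, isFailedServerAction, detectActionProbing };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectActionProbing(SAMPLE_LOGS), null, 2));
}
```

Run against the constructed sample, the routine reports the single client that produced four failing invocations against three different action ids within the window and stays silent about the client with one isolated error. A 5xx on a Server Action is also what an ordinary application bug produces, so this is a triage signal to be tuned per deployment, not proof of exploitation, and it says nothing about the request body; correlating the flagged window with application error logs is the next step.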

General Best Practices

  • Keep dependencies updated
  • Regular security audits
  • Implement Content Security Policy (CSP)
  • Use security headers
  • Monitor for unusual activity
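The two header-related items above ("Implement Content Security Policy" and "Use security headers") are shown below as an added example, not code from this repository: a `next.config.js` fragment that sets the static security headers on every route through the Next.js `headers()` config API, a `buildCsp(nonce)` helper that produces a nonce-based policy suitable for setting per request, and a small `auditCsp()` check that flags the weak settings most often found in a CSP, run against a permissive policy and the strict one side by side. The `headers()` API is Next.js' own; the policy values are assumptions to be adjusted per application. Next.js emits inline bootstrap scripts, so a `script-src` without `'unsafe-inline'` requires a per-request nonce; Next.js documents a middleware-based flow for that, which is not reproduced here.

```javascript
'use strict';

// Added example, not part of this repository. Security headers for a Next.js
// deployment plus a checker for common CSP weaknesses. Header values are
// assumptions for illustration; tune them to the application.

// Headers that do not change per request can be set statically in next.config.js.
const securityHeaders = [
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// next.config.js shape: headers() returns [{ source, headers }] for route patterns.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// CSP with a per-request nonce. Intended to be emitted from middleware, where the
// nonce is generated and forwarded to the render; a static config cannot do this.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "connect-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
    "form-action 'self'",
  ].join('; ');
}

// A permissive policy of the kind often found in practice, kept for comparison.
const LOOSE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Split a policy string into a map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Report the weaknesses a reviewer looks for first: no fallback directive,
// script execution from inline/eval/wildcard sources, unrestricted plugins,
// and no framing restriction.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const issues = [];
  const defaultSrc = d.get('default-src') || [];
  if (!d.has('default-src')) issues.push('missing default-src fallback');
  const scriptSrc = d.get('script-src') || defaultSrc;
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
    if (scriptSrc.includes(bad)) issues.push(`script-src allows ${bad}`);
  }
  if (!d.has('object-src') && !defaultSrc.includes("'none'")) {
    issues.push('object-src not restricted');
  }
  if (!d.has('frame-ancestors')) issues.push('frame-ancestors not set');
  return issues;
}

if (typeof module !== 'undefined') {
  module.exports = { securityHeaders, nextConfig, buildCsp, LOOSE_CSP, parseCsp, auditCsp };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('loose policy issues:', auditCsp(LOOSE_CSP));
  console.log('strict policy issues:', auditCsp(buildCsp('example-nonce')));
}
```

The loose policy trips four checks (inline scripts, eval, unrestricted `object-src`, no `frame-ancestors`); the nonce-based policy trips none. `X-Frame-Options` is kept alongside `frame-ancestors` only for clients that predate CSP level 2; where both are present, `frame-ancestors` takes precedence.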

📝 Recent Updates

2026-01-30

  • Initial research document created
  • Organized existing vulnerability knowledge
  • Outlined research areas and methodologies
  • Established contribution guidelines

📧 Contact & Collaboration

For private security discussions or responsible disclosure:

  • Open an issue with the research label
  • Follow responsible disclosure practices
  • Share findings that benefit the community

Note: This is an educational repository. All research should be conducted ethically and legally.