feat: add detection patterns from original CVE-2025-55182 PoC (#2)

alokemajumder · web-flow · commit 1ccce99e42c0 · 2025-12-05T15:25:54.000+05:30
Add 4 new detection patterns based on Lachlan Davidson's original PoC:
- chunk_reference: Detects $@ Chunk object reference notation
- formdata_gadget: Detects _formData gadget chain access
- constructor_chain: Detects constructor:constructor traversal
- setprototypeof_access: Detects setPrototypeOf manipulation

Also updated README acknowledgments with link to original PoC repository.
diff --git a/README.md b/README.md
@@ -16,9 +16,9 @@ Security scanner for **CVE-2025-55182** - a critical (CVSS 10.0) unauthenticated
 
 ## Acknowledgments
 
-This project exists to help the community respond to CVE-2025-55182. We acknowledge and thank the following individuals:
+This project exists to help the community respond to CVE-2025-55182. We acknowledge and thank:
 
-- **[Lachlan Davidson](https://github.com/lachlan2k)** ([react2shell.com](https://react2shell.com/)) - For discovering and responsibly disclosing the React Server Components vulnerability (CVE-2025-55182) on November 29th, 2025. The security community owes him gratitude for his diligence in identifying this critical flaw and working with the React and Next.js teams to ensure patches were available. His efforts have helped protect countless applications and users worldwide.
+- **[Lachlan Davidson](https://github.com/lachlan2k)** ([react2shell.com](https://react2shell.com/)) - For discovering and responsibly disclosing the React Server Components vulnerability (CVE-2025-55182) on November 29th, 2025. The security community owes him gratitude for his diligence in identifying this critical flaw and working with the React and Next.js teams to ensure patches were available. His efforts have helped protect countless applications and users worldwide. See his [original PoC](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc) for technical details.
 
 ## Quick Start
 
diff --git a/src/middleware/detector.ts b/src/middleware/detector.ts
@@ -43,6 +43,34 @@ const EXPLOIT_PATTERNS = [
     severity: 'high' as const,
     description: 'Potential _prefix property injection',
   },
+  // $@ Chunk reference notation (original PoC technique)
+  {
+    name: 'chunk_reference',
+    pattern: /\$@\d+/,
+    severity: 'high' as const,
+    description: 'RSC Chunk object reference access',
+  },
+  // _formData gadget chain access (original PoC technique)
+  {
+    name: 'formdata_gadget',
+    pattern: /"_formData"\s*:/i,
+    severity: 'high' as const,
+    description: 'FormData gadget chain access',
+  },
+  // Constructor chain traversal (original PoC technique)
+  {
+    name: 'constructor_chain',
+    pattern: /constructor\s*:\s*constructor/i,
+    severity: 'high' as const,
+    description: 'Constructor chain traversal attempt',
+  },
+  // setPrototypeOf manipulation (original PoC technique)
+  {
+    name: 'setprototypeof_access',
+    pattern: /setPrototypeOf/i,
+    severity: 'high' as const,
+    description: 'setPrototypeOf manipulation attempt',
+  },
   // Malformed module references
   {
     name: 'malformed_module_ref',
