WAF: fix rule for CVE-2025-55182 (#1595)

blotus · web-flow · commit c6dc26d65b42 · 2025-12-05T10:11:13.000+01:00
diff --git a/.appsec-tests/vpatch-CVE-2025-55182/vpatch-CVE-2025-55182.yaml b/.appsec-tests/vpatch-CVE-2025-55182/vpatch-CVE-2025-55182.yaml
@@ -5,25 +5,34 @@ info:
   severity: info
   description: vpatch-CVE-2025-55182 testing
   tags: appsec-testing
+variables:
+  request-id: "{{to_lower(rand_text_alphanumeric(8))}}"
+  nextjs-html: "{{rand_text_alphanumeric(21)}}"
 http:
 #FIXME: this is not a working explot, but it should follow the general idea of the actual exploit
 #Must be updated with a better payload when more information is available
   - raw:
     - |
       POST / HTTP/1.1
       Host: {{Hostname}}
-      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary123456789
-      next-action: x
+      Next-Action: x
+      X-Nextjs-Request-Id: {{request-id}}
+      Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
+      X-Nextjs-Html-Request-Id: {{nextjs-html}}
 
-      ------WebKitFormBoundary123456789
-      Content-Disposition: form-data; name="$@ACTION_1:1"
+      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
+      Content-Disposition: form-data; name="0"
 
-      {"status":"resolved_model"}
-      ------WebKitFormBoundary123456789
-      Content-Disposition: form-data; name="$@ACTION_REF_1"
+      {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
+      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
+      Content-Disposition: form-data; name="1"
 
-      {}
-      ------WebKitFormBoundary123456789--
+      "$@0"
+      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
+      Content-Disposition: form-data; name="2"
+
+      []
+      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
 
     cookie-reuse: true
 #test will fail because we won't match http status 
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-55182.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-55182.yaml
@@ -33,7 +33,7 @@ rules:
           type: contains
           value: 'resolved_model'
       - zones:
-          - BODY_ARGS_NAMES
+          - BODY_ARGS
         transform:
           - urldecode
           - lowercase
