0-click XSS in Next.js
⚔️ Attack Techniques & Methods
2026-06-08, 14:47
A new case from zhero and inzo_ shows how improper handling of HTTP headers can turn a safe server response into a 0-click XSS.
The application used the App Router. When a request contained the Rsc: 1 header, Next.js returned a React Server Components (RSC) response with Content-Type: text/x-component, i.e. data intended for React rather than for direct rendering by the browser.

The issue was that the application copied certain user-controlled request headers into its response. This allowed an attacker to influence the resulting Content-Type and make the server return the RSC response as text/html instead of text/x-component.

As a result, the browser parsed the RSC payload as a regular HTML page. Since the payload contained data reflected from URL parameters, attacker-controlled markup could be interpreted and executed, leading to XSS.
The researchers then combined this behavior with cache poisoning, making the malicious response available to other users and turning the issue into a 0-click stored XSS.
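The two defensive points in the write-up above are the header reflection (which lets a client override Content-Type on an RSC response) and the cache that then serves the wrong representation to everyone. The following is an added example, not code from the researchers or from Next.js: a small Node.js model of the vulnerable header-copying pattern next to a hardened version that only forwards an explicit allowlist and pins Content-Type, plus a cache admission check that refuses to store an Rsc: 1 response whose type is not text/x-component and keys the cache on that header. The RSC body string and the x-request-id allowlist are constructed for the example.

```javascript
// Added example (not from the original article or from Next.js): models how
// copying user-controlled request headers into the response can let a client
// override Content-Type on an RSC response, and what the fixed handling looks like.

// Constructed stand-in for an RSC payload; it is not a real Next.js response.
const SAMPLE_RSC_BODY = '0:["$","div",null,{"children":"hello"}]\n';

// Headers the framework sets for a React Server Components response.
const RSC_DEFAULT_HEADERS = { 'content-type': 'text/x-component' };

// HTTP header names are case-insensitive, so compare them in lower case.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// VULNERABLE pattern: every client-supplied header is merged onto the response.
// A request carrying "Content-Type: text/html" therefore replaces the RSC type,
// and the browser will render the RSC payload as an HTML document.
function buildResponseHeadersVulnerable(requestHeaders) {
  return { ...RSC_DEFAULT_HEADERS, ...normalize(requestHeaders) };
}

// HARDENED pattern: only an explicit allowlist of request headers is copied, and
// Content-Type is always set by the handler, never by the client.
// Assumption: the allowlist below is application-specific and constructed here.
const FORWARDABLE_REQUEST_HEADERS = new Set(['x-request-id']);

function buildResponseHeadersHardened(requestHeaders) {
  const out = { ...RSC_DEFAULT_HEADERS };
  for (const [name, value] of Object.entries(normalize(requestHeaders))) {
    if (FORWARDABLE_REQUEST_HEADERS.has(name)) out[name] = value;
  }
  out['content-type'] = RSC_DEFAULT_HEADERS['content-type']; // pinned, not client-controlled
  // Defence in depth: stop browsers from MIME-sniffing a non-HTML type into HTML.
  out['x-content-type-options'] = 'nosniff';
  return out;
}

// Cache admission: a shared cache must not store an RSC-variant response whose
// Content-Type is not the expected one; otherwise one bad response is served to
// every later visitor (the 0-click stored variant described in the article).
function isCacheable(requestHeaders, responseHeaders) {
  const req = normalize(requestHeaders);
  const res = normalize(responseHeaders);
  const wantsRsc = req['rsc'] === '1';
  if (wantsRsc && res['content-type'] !== 'text/x-component') return false;
  return true;
}

// The cache key must vary on the header that selects the RSC representation, so an
// Rsc: 1 response is never handed to a client that asked for the HTML page.
function cacheKey(method, url, requestHeaders) {
  const req = normalize(requestHeaders);
  return `${method} ${url} rsc=${req['rsc'] === '1' ? '1' : '0'}`;
}

// Stand-alone demonstration with a request that tries to override Content-Type.
const attempt = { Rsc: '1', 'Content-Type': 'text/html', 'X-Request-Id': 'req-123' };
console.log('vulnerable:', buildResponseHeadersVulnerable(attempt));
console.log('hardened:  ', buildResponseHeadersHardened(attempt));
console.log('body:', SAMPLE_RSC_BODY.trim());
console.log('cache vulnerable response?', isCacheable(attempt, buildResponseHeadersVulnerable(attempt)));
console.log('cache hardened response?  ', isCacheable(attempt, buildResponseHeadersHardened(attempt)));
```

The important design choice is that the fix is an allowlist with a pinned Content-Type, not a denylist of "dangerous" header names: any header that changes how the browser interprets the body (Content-Type, Content-Disposition, and so on) stays under server control by construction, and the cache layer independently refuses to admit a response whose type disagrees with the representation the request asked for.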