Hacker News

Next JavaScript app is hacked, you just don't know it yet

7 points by block_hacks, today at 9:15 AM | 2 comments

Comments

block_hacks, today at 9:15 AM

Modern Next.js apps execute attacker-controlled input earlier than most teams realize — during framework deserialization, hydration, and Server Action resolution, often before application logging, validation, or auth hooks run.

In several real-world RCE investigations and red-team simulations, repeated 500 Internal Server Errors weren’t “noise” but early execution signals used by attackers to map execution boundaries and refine payloads. In some cases, the last observable 500 occurred right before stable code execution was achieved.

This write-up breaks down:

why deserialization in Next.js is part of execution, not preparation

how silent 500s can indicate pre-handler execution paths

why WAFs and app-level logs frequently miss this class of attacks

where the real attack surfaces live (middleware, RSC, Server Actions, custom servers)

Posting to get feedback from people who’ve seen or investigated similar SSR/RCE behavior in production.
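Turning the "repeated 500s before execution" observation above into detection logic, as an added example that is not code from the post or from Next.js: it scans proxy access-log lines for a client whose run of 500s on Server Action POSTs against one path is followed by a 2xx on that same path. The log format and every sample line are constructed for this example, and the `next-action=1` field is an assumed stand-in for the request having carried a `Next-Action` header.

```javascript
// Constructed proxy access log (not real traffic): time, client, method, path,
// status, and whether the request carried a Next-Action (server action) header.
const SAMPLE_LOG = `
2024-05-01T10:00:01Z 203.0.113.5 POST /dashboard 500 next-action=1
2024-05-01T10:00:03Z 203.0.113.5 POST /dashboard 500 next-action=1
2024-05-01T10:00:05Z 203.0.113.5 POST /dashboard 500 next-action=1
2024-05-01T10:00:09Z 203.0.113.5 POST /dashboard 200 next-action=1
2024-05-01T10:00:12Z 198.51.100.7 POST /dashboard 500 next-action=1
2024-05-01T10:00:40Z 198.51.100.7 POST /dashboard 200 next-action=1
2024-05-01T10:01:00Z 192.0.2.9 POST /api/submit 500 next-action=1
2024-05-01T10:01:02Z 192.0.2.9 POST /api/submit 500 next-action=1
2024-05-01T10:01:04Z 192.0.2.9 POST /api/submit 500 next-action=1
`;

// Parse one line; malformed lines yield null and are skipped by the scanner.
function parseLine(line) {
  const m = line.trim().match(/^(\S+) (\S+) (\w+) (\S+) (\d{3}) next-action=([01])$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), client: m[2], method: m[3], path: m[4],
           status: Number(m[5]), serverAction: m[6] === '1' };
}

// Report runs of >= minErrors consecutive 500s by one client on one path (server
// action POSTs only) and whether a 2xx followed: the "last 500 before execution" pattern.
function findProbingRuns(logText, minErrors = 3) {
  const groups = new Map();
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST' || !r.serverAction) continue;
    const key = `${r.client} ${r.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const alerts = [];
  for (const [key, recs] of groups) {
    recs.sort((a, b) => a.ts - b.ts);
    let run = [];
    const flush = (next) => {
      if (run.length >= minErrors) {
        const [client, path] = key.split(' ');
        alerts.push({ client, path, errors: run.length,
                      followedBySuccess: next !== null && next.status < 300 });
      }
      run = [];
    };
    for (const r of recs) if (r.status === 500) run.push(r); else flush(r);
    flush(null);  // a run with no later success is still reported
  }
  return alerts;
}
```

Runs that never reach a 2xx are reported too, so a burst of 500s with no success is visible as a possible in-progress probe rather than dropped as noise.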

block_hacks, today at 10:31 AM

what's up?
