nextjs-vite-public-env: Next.js / Vite Public ENV Exposure

Date: 2025-08-01 | Affected software: Next.js | PoC: public

Vulnerability description

The template detects public environment variables that a Next.js application exposes to the client (via __NEXT_DATA__.env or inlined NEXT_PUBLIC_* values) and that a Vite application exposes through inlined VITE_* values or a window.__env runtime object. It has dedicated extractors for the Supabase project URL and anon key. Note that NEXT_PUBLIC_* and VITE_* variables are placed in the client bundle by design and the Supabase anon key is intended to be public, so a match is informational on its own; it becomes a real exposure when a secret (for example a service-role key) has been placed in a public-prefixed variable, or when the exposed anon key belongs to a project whose tables lack row-level security.

PoC code [public]

id: nextjs-vite-public-env

info:
  name: Next.js / Vite Public ENV Exposure
  author: Hamza Sahin
  severity: medium
  description: |
    Identified public environment variables exposed to the client in Next.js (__NEXT_DATA__.env) and Vite applications through runtime configurations.
  reference:
    - https://nextjs.org/docs/app/building-your-application/configuring/environment-variables
    - https://vitejs.dev/guide/env-and-mode.html
    - https://supabase.com/docs/guides/api#api-keys
  metadata:
    verified: true
  tags: exposure,env,nextjs,vite,supabase,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '(?i)"NEXT_PUBLIC_SUPABASE_URL"\s*:\s*"https?://[a-z0-9\.\-:/]+"'
          - '(?i)"NEXT_PUBLIC_SUPABASE_ANON_KEY"\s*:\s*"[A-Za-z0-9\.\-_]{20,}"'
          - '(?i)\bVITE_SUPABASE_URL\b"\s*:\s*"https?://[a-z0-9\.\-:/]+"'
          - '(?i)\bVITE_SUPABASE_ANON_KEY\b"\s*:\s*"[A-Za-z0-9\.\-_]{20,}"'
          - '(?i)window\.__env\s*=\s*\{[^}]*?(SUPABASE_(URL|ANON_KEY))[^}]*?\}'
          - '(?i)__NEXT_DATA__.*?"env"\s*:\s*\{[^}]*?NEXT_PUBLIC_[A-Z0-9_]{2,}'
          - '(?i)\bVITE_[A-Z0-9_]{2,}"\s*:\s*"[^"]{3,}'
        condition: or

      - type: status
        status:
          - 200


    extractors:
      - type: regex
        part: body
        name: supabase_url
        group: 1
        regex:
          - '(?i)"NEXT_PUBLIC_SUPABASE_URL"\s*:\s*"(https?://[a-z0-9\.\-:/]+)"'
          - '(?i)\bVITE_SUPABASE_URL\b"\s*:\s*"(https?://[a-z0-9\.\-:/]+)"'

      - type: regex
        part: body
        name: supabase_anon_key
        group: 1
        regex:
          - '(?i)"NEXT_PUBLIC_SUPABASE_ANON_KEY"\s*:\s*"([A-Za-z0-9\.\-_]{20,})"'
          - '(?i)\bVITE_SUPABASE_ANON_KEY\b"\s*:\s*"([A-Za-z0-9\.\-_]{20,})"'

      - type: regex
        part: body
        name: public_env
        regex:
          - '(?i)"(NEXT_PUBLIC_[A-Z0-9_]{2,})"\s*:\s*"([^"]{3,})"'
          - '(?i)"(VITE_[A-Z0-9_]{2,})"\s*:\s*"([^"]{3,})"'
# digest: 4a0a0047304502200969af006c368937206f8a792ec1d7778fd0249eaadf779c2ef239c716d1ee0a022100bd8b18e2093374d232da18ced73db086f974b9a095d5c5248d1e9153b7a97e12:922c64590222798bb761d5b6d8e72950
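The following is an added example, not part of the Nuclei template above or of the Next.js, Vite or Supabase projects. It is a Node.js triage helper that applies the same kind of checks as the template to a fetched response body (the __NEXT_DATA__ env block and inlined NEXT_PUBLIC_* / VITE_* pairs), extracts the Supabase URL and anon key, and then separates values that are public by design from values whose names suggest a secret was mistakenly placed in a public-prefixed variable. The SECRET_HINTS list and the sample HTML body are constructed for the example.

```javascript
// Added example: triage helper for NEXT_PUBLIC_* / VITE_* exposure findings.
// Not the template's code; the SECRET_HINTS heuristic and SAMPLE_BODY are constructed here.

// Same shape as the template's public_env extractor: "NAME": "value" pairs.
const PUBLIC_ENV_RE = /"((?:NEXT_PUBLIC|VITE)_[A-Z0-9_]{2,})"\s*:\s*"([^"]{3,})"/g;
// Next.js pages router embeds runtime env as JSON under <script id="__NEXT_DATA__">.
const NEXT_DATA_RE = /<script[^>]*id="__NEXT_DATA__"[^>]*>([\s\S]*?)<\/script>/i;

// Name fragments that should never appear in a client-exposed variable
// (assumption: heuristic chosen for this example, not part of the template).
const SECRET_HINTS = ['SERVICE_ROLE', 'SECRET', 'PRIVATE', 'PASSWORD', 'TOKEN'];

function looksSecret(name) {
  return SECRET_HINTS.some((hint) => name.includes(hint));
}

// Parse the __NEXT_DATA__ JSON and return its env object (empty if absent or malformed).
function extractNextDataEnv(body) {
  const m = body.match(NEXT_DATA_RE);
  if (!m) return {};
  try {
    const data = JSON.parse(m[1]);
    return data && data.env && typeof data.env === 'object' ? data.env : {};
  } catch {
    return {};
  }
}

// Regex pass over the whole body: catches Vite bundles, window.__env objects, etc.
function extractInlinedEnv(body) {
  const found = {};
  for (const m of body.matchAll(PUBLIC_ENV_RE)) {
    found[m[1]] = m[2];
  }
  return found;
}

// Merge both sources and classify every public-prefixed variable.
function triage(body) {
  const env = { ...extractInlinedEnv(body), ...extractNextDataEnv(body) };
  const report = { publicByDesign: {}, suspected: {}, supabase: {} };
  for (const [name, value] of Object.entries(env)) {
    if (!/^(NEXT_PUBLIC|VITE)_/.test(name)) continue;
    if (/SUPABASE_URL$/.test(name)) report.supabase.url = value;
    if (/SUPABASE_ANON_KEY$/.test(name)) report.supabase.anonKey = value;
    (looksSecret(name) ? report.suspected : report.publicByDesign)[name] = value;
  }
  return report;
}

// Constructed sample body (not a real target): a Next.js page with a runtime env
// block plus an inlined window.__env object; all key values are placeholders.
const SAMPLE_BODY = `
<html><body>
<script id="__NEXT_DATA__" type="application/json">
{"props":{},"page":"/","query":{},"buildId":"abc",
 "env":{"NEXT_PUBLIC_SUPABASE_URL":"https://example-project.supabase.co",
        "NEXT_PUBLIC_SUPABASE_ANON_KEY":"eyJhbGciOiJIUzI1NiJ9.placeholder.anon",
        "NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY":"eyJhbGciOiJIUzI1NiJ9.placeholder.service"}}
</script>
<script>window.__env={"VITE_API_BASE":"https://api.example.test","VITE_FEATURE_FLAGS":"beta,dark"}</script>
</body></html>`;

// Run stand-alone with: node triage.js
console.log(JSON.stringify(triage(SAMPLE_BODY), null, 2));
```

On the sample body the report lists the Supabase URL, the anon key and the two VITE_ values under publicByDesign, and flags NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY as suspected: that is the case where a template match should be escalated from informational to a real secret leak. Fetch the body with the same redirect behaviour as the template (follow at most two host redirects) before feeding it to triage().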
