Share
## https://sploitus.com/exploit?id=1C7F349B-8114-5547-AEC5-7B3C5F25CA5C
# CVE-2025-55182 Scanner

A proof-of-concept scanner for **CVE-2025-55182**, a critical unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components (RSC).

## Overview

On December 3, 2025, a critical vulnerability was disclosed affecting React 19.x and Next.js applications using React Server Components. The flaw exists in the RSC "Flight" protocol's deserialization logic, allowing attackers to execute arbitrary code on the server via crafted HTTP requests.

### Severity

| Attribute      | Value                          |
| -------------- | ------------------------------ |
| CVE            | CVE-2025-55182                 |
| CVSS           | Critical                       |
| Attack Vector  | Network                        |
| Authentication | None                           |
| Exploitation   | Actively exploited in the wild |

### Impact

- Unauthenticated Remote Code Execution
- Full server compromise
- Credential harvesting from environment variables
- Cloud metadata exfiltration
- Lateral movement within infrastructure

## Affected Versions

| Product              | Vulnerable Versions           | Patched Versions                                       |
| -------------------- | ----------------------------- | ------------------------------------------------------ |
| react-server-dom     | 19.0.x, 19.1.x, 19.2.x        | 19.0.1, 19.1.2, 19.2.1                                 |
| Next.js (App Router) | 14.3.0-canary.77+, 15.x, 16.x | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |

## Usage

### Single Target Scan

```bash
go run ./cmd/main.go -t https://example.com
```

### Single Target with Interactive Shell

```bash
go run ./cmd/main.go -t https://example.com -shell
```

### Batch Scan from File

```bash
go run ./cmd/main.go -f targets.txt -c 20
```

### Export Results

```bash
go run ./cmd/main.go -f targets.txt -json results.json -csv results.csv
```

### Options

| Flag               | Description                            | Default |
| ------------------ | -------------------------------------- | ------- |
| `-t, -target`      | Single target URL                      |         |
| `-f, -file`        | File containing target URLs            |         |
| `-c, -concurrency` | Number of concurrent scanners          | 10      |
| `-timeout`         | HTTP timeout in seconds                | 15      |
| `-json`            | Export results to JSON file            |         |
| `-csv`             | Export results to CSV file             |         |
| `-q, -quiet`       | Suppress banner and progress           | false   |
| `-s, -shell`       | Interactive shell on vulnerable target | false   |

## Output Example

```
React2Shell Scanner v1.0.0
CVE-2025-55182 | React Server Components RCE
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

[+] VULN  https://app.example.com/ 142ms
[-] SAFE  https://api.example.com/ 203ms
[!] ERROR https://internal.example.com/ (timeout) 15000ms

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
SCAN COMPLETE

  Targets scanned:    3
  Vulnerable:         1 (33%)
  Safe:               1
  Errors:             1

  Duration:           15.4s
  Avg response:       5115ms

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
VULNERABLE TARGETS

  1. https://app.example.com/

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
REMEDIATION

  Upgrade to patched versions:

  Next.js:
    15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

  react-server-dom:
    19.0.1, 19.1.2, 19.2.1
```

## Technical Details

The vulnerability exists in the RSC "Flight" protocol's handling of serialized payloads. When processing specially crafted multipart form data, the server fails to properly validate the payload structure, allowing prototype pollution that leads to arbitrary code execution.

### Attack Vector

1. Attacker sends malformed RSC payload via POST request
2. Server deserializes payload without proper validation
3. Prototype pollution allows constructor access
4. Arbitrary JavaScript executes in Node.js context
5. Command output exfiltrated via redirect header

### Detection

Look for POST requests containing:

- `Next-Action` header
- Multipart form data with `__proto__` references
- Unusual `X-Action-Redirect` responses

## Remediation

1. **Immediate**: Upgrade to patched versions listed above
2. **WAF Rules**: Block requests containing `__proto__` in body
3. **Monitoring**: Alert on suspicious `Next-Action` header patterns
4. **Network**: Restrict outbound connections from Next.js servers

## Disclaimer

**INTERNAL USE ONLY**

This tool is intended for authorized security testing only. Use against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## References

- [Wiz Research Advisory](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [React Security Bulletin](https://react.dev/blog)
- [Vercel Advisory](https://vercel.com/security)

## License

Internal use only. Not for distribution.