Share
## https://sploitus.com/exploit?id=20304548-54F5-5514-9DAC-4F1AF543B552
# CVE-2025-55182 React Server Components RCE Testing
This repo exists to play around with the new React vuln. I threw it together in about 2 hours with a mix of research, diffing, and LLM code.

TLDR: Worming / easy RCE is less likely because you need to enumerate both ActionIDs and modules on the remote. This is not a point-and-shoot vulnerability.

The vulnerability works by executing modules, so if your target doesn't have fun stuff like `fs` or `child_process`, you're out of luck. From what I can tell, there is no easy way to enumerate if the module is present outside of just trying a payload and seeing if it returns a 500 (which in my testing happened whenever the module was not found).

If you can enumerate known modules or side channel them with HTTP codes, you still need to find a valid `ACTION_REF`, which means enumerating action IDs.

So, there is not enough information to make exploitation easy, although it may still be possible with manual inspection. I was able to spin up a test app with react 19 and nextjs with the `fs` module included, and was able to successfully read, write, and list files.

## References
- https://github.com/ejpir/CVE-2025-55182-poc
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Diff: https://github.com/facebook/react/compare/v19.0.0...v19.0.1