## https://sploitus.com/exploit?id=44BE8A56-E4AD-5581-9200-CB4C791C7FE7
# React-2025 CTF Lab: CVE-2025-55182
## Overview
This repository contains a Capture The Flag (CTF) lab designed strictly for **educational use and security research**.
The environment features a vulnerable Next.js 16 e-commerce mock storefront ("Quantum Supplies") specifically built to demonstrate and practice exploiting **CVE-2025-55182**, a critical deserialization vulnerability within the React Server Components Flight protocol.
*(A link to a detailed Notion walkthrough and exploitation guide will be provided here shortly).*
## Repository Structure
* **/app**: Contains the full source code for the vulnerable Next.js web application, including the mock database, custom Dark Liquid Glass UI styling, and the vulnerable server actions.
* **/documents**: Contains logs and Questions/Answers detailing the application architecture and vulnerability mechanisms as we built this lab environment with the AI.
* **/solution**: Contains a series of detailed breakdown documents used to vet the application. This includes the finalized `solve.py` script, step-by-step guides for manual Burp Suite exploitation, and deep-dive answers explaining the React Flight payload structure (`solution6.md`, etc.).
## Start This Server
The application is fully containerized via Docker for safe research. To stand up the vulnerable server and the mock backend, run the following commands from the root directory:
```bash
# Build the Docker image and start the container in detached mode
sudo docker compose up -d --build
```
The application will be accessible via your browser at `http://localhost:10001`.
*Note: The container automatically provisions the target file `/flag/flag.txt` required for the CTF challenge.*