## https://sploitus.com/exploit?id=5244694B-941F-5707-9323-2145AD28C045
CVE-2025-55182 โ React Server Components RCE Exploit (Fixed Multipart Version)
โ ๏ธ FOR AUTHORIZED SECURITY TESTING AND RESEARCH PURPOSES ONLY
Do not use against systems without explicit permission.
๐ Attribution
This project is a modified version of the original proof-of-concept (PoC) by @joe-desimone:
Original Gist:
https://gist.github.com/joe-desimone/ff0cae0aa0d20965d502e7a97cbde3e3
We acknowledge the contributions of the following researchers:
Wiz โ vulnerability discovery
@maple3142 โ first working PoC
@dez_ โ refined exploit logic
@joe-desimone โ original implementation shared via Gist
๐ง Key Fixes in This Version
The original exploit used requests.post(files=...) to construct multipart requests. While convenient, this approach introduced critical reliability issues:
requests automatically generates a boundary and adds its own Content-Type header.
It may escape or transform payload content (e.g., quotes, newlines, JSON structures), breaking the delicate Flight protocol deserialization expected by the server.
In some environments (e.g., strict parsers, proxies, or WAFs), this results in malformed requests, large unexpected payloads, or silent failures.
Most notably, the --check mode often falsely reported "not vulnerable" due to payload formatting discrepancies โ even when the target was exploitable.
โ Resolution
To ensure compatibility and reliability, this version:
Constructs the multipart body manually using raw bytes, preserving exact payload semantics.
Auto-generates a valid RFC-compliant boundary using uuid.uuid4().
Explicitly sets the correct Content-Type header to match the raw body.
Avoids all automatic encoding/escaping by requests, so the _prefix and prototype pollution fields remain intact.
Applies the same raw multipart logic to both:
The main execute() method (for command execution)
The check_vulnerability() method (for accurate detection)
This ensures consistency between detection and exploitation, significantly improving success rates across diverse Next.js deployments.