Share
## https://sploitus.com/exploit?id=5A99B8F0-FE87-571A-B6CA-A497204A6A75
# React Server Components Security Lab (CVE-2025-55183 & CVE-2025-55184)
[](https://opensource.org/licenses/MIT)
[](https://react.dev/)
[](https://nvd.nist.gov/)
[](https://nvd.nist.gov/)
A comprehensive security testing environment for **CVE-2025-55183** (Source Code Exposure) and **CVE-2025-55184** (Denial of Service) vulnerabilities in React Server Components.
## โ ๏ธ Disclaimer
**FOR EDUCATIONAL AND SECURITY RESEARCH PURPOSES ONLY**
This repository contains deliberately vulnerable applications and exploitation tools. **Only test on systems you own or have explicit written permission to test.** Unauthorized testing is illegal and unethical.
## ๐ Table of Contents
- [About the Vulnerabilities](#about-the-vulnerabilities)
- [Quick Start](#quick-start)
- [Repository Structure](#repository-structure)
- [Vulnerable Application](#vulnerable-application)
- [Scanner Usage](#scanner-usage)
- [Detailed Documentation](#detailed-documentation)
- [Remediation](#remediation)
- [License](#license)
## ๐ About the Vulnerabilities
Both vulnerabilities affect React Server Components versions 19.0.0 through 19.2.2, disclosed on December 11, 2025.
### CVE-2025-55183: Source Code Exposure (Medium Severity)
| Property | Value |
|----------|-------|
| **Severity** | Medium (CVSS 5.3) |
| **Type** | Information Disclosure |
| **Impact** | Server source code exposure |
| **Authentication** | None Required |
Attackers can coerce Server Action arguments to leak server-only source code by calling `.toString()` on server function objects. This exposes:
- Business logic and algorithms
- Hardcoded API keys or secrets
- Internal implementation details
- Database queries and schema information
### CVE-2025-55184: Denial of Service (High Severity)
| Property | Value |
|----------|-------|
| **Severity** | High (CVSS 7.5) |
| **Type** | Denial of Service |
| **Impact** | Complete service outage |
| **Authentication** | None Required |
Specially crafted payloads create infinite promise recursion, causing the Node.js server to hang indefinitely. Results in:
- Complete service unavailability
- CPU exhaustion
- Blocked event loop
- Manual restart required
### Comparison
| Aspect | CVE-2025-55183 | CVE-2025-55184 |
|--------|----------------|----------------|
| **Severity** | Medium | High |
| **Type** | Information Disclosure | Denial of Service |
| **Impact** | Source code leakage | Server crash |
| **Detection** | Response contains code | Server timeout/hang |
| **Recovery** | Immediate | Requires restart |
## ๐ Quick Start
### Prerequisites
- Docker & Docker Compose
- Python 3.7+
- Git
### 1. Clone the Repository
```bash
git clone https://github.com/StealthMoud/react-server-cve-lab.git
cd react-server-cve-lab
```
### 2. Start the Vulnerable Application
```bash
# Start the app (vulnerable to both CVEs)
docker-compose up --build -d
# App available at: http://localhost:3000
```
### 3. Run the Scanner
```bash
cd scanner
# Install dependencies
pip install -r requirements.txt
# Scan for both vulnerabilities
python scan.py http://localhost:3000
# Scan only CVE-2025-55183
python scan.py --cve 55183 http://localhost:3000
# Scan only CVE-2025-55184
python scan.py --cve 55184 http://localhost:3000
# Scan multiple targets
python scan.py --file targets.txt
```
## ๐ Repository Structure
```
react-server-cve-lab/
โโโ README.md # This file
โโโ DOCUMENTATION.md # Complete technical documentation
โโโ LICENSE
โโโ .gitignore
โโโ docker-compose.yml
โ
โโโ vulnerable-app/ # Vulnerable to BOTH CVEs
โ โโโ Dockerfile
โ โโโ package.json
โ โโโ next.config.js
โ โโโ app/
โ โโโ layout.js
โ โโโ page.js
โ โโโ actions.js # Vulnerable server actions
โ
โโโ scanner/
โ โโโ requirements.txt
โ โโโ scan.py # Scanner for both CVEs
โ โโโ README.md
โ
โโโ exploits/
โโโ exploit-55183.py # PoC for CVE-2025-55183
โโโ exploit-55184.py # PoC for CVE-2025-55184
โโโ README.md
```
## ๐ฏ Vulnerable Application
The application is a Next.js app running React 19.0.0 with Server Actions, vulnerable to **both CVEs**.
### Features
- **Server Actions**: Multiple endpoints demonstrating both vulnerabilities
- **Realistic Code**: Simulates real-world patterns with secrets
- **Easy Testing**: Simple UI for manual testing
- **Docker-based**: Isolated, reproducible environment
### Starting the App
```bash
# Using Docker Compose (recommended)
docker-compose up --build -d
# Check if running
curl http://localhost:3000
# View logs
docker-compose logs -f
# Stop the app
docker-compose down
```
### Manual Setup (Without Docker)
```bash
cd vulnerable-app
npm install
npm run build
npm start
```
## ๐ Scanner Usage
The unified scanner detects both CVE-2025-55183 and CVE-2025-55184.
### Basic Usage
```bash
cd scanner
# Scan for both CVEs
python scan.py http://localhost:3000
# Scan specific CVE only
python scan.py --cve 55183 http://localhost:3000
python scan.py --cve 55184 http://localhost:3000
```
### Advanced Options
```bash
# Verbose output
python scan.py --verbose http://localhost:3000
# Custom timeout
python scan.py --timeout 10 http://example.com
# Scan multiple URLs from file
python scan.py --file targets.txt
# Save results to JSON
python scan.py --output results.json http://localhost:3000
# Disable SSL verification
python scan.py --no-verify https://self-signed.example.com
# Scan all CVEs with verbose output and save results
python scan.py --verbose --output scan-results.json http://localhost:3000
```
### Example Output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ React Server Components Vulnerability Scanner โ
โ CVE-2025-55183 & CVE-2025-55184 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Testing http://localhost:3000
[CVE-2025-55183] Source Code Exposure
[!] VULNERABLE: Source code leaked
Exposed Functions: 3
Code Length: 1247 characters
Contains Secrets: โ (API keys found)
[CVE-2025-55184] Denial of Service
[!] VULNERABLE: DoS attack successful
Status Code: 404
Content-Type: text/plain
Markers Found: โ
============================================================
SUMMARY
============================================================
Total tested: 1
CVE-2025-55183 vulnerable: 1
CVE-2025-55184 vulnerable: 1
Both CVEs vulnerable: 1
Not vulnerable: 0
```
## ๐ Detailed Documentation
For comprehensive technical analysis of both vulnerabilities:
**[DOCUMENTATION.md](DOCUMENTATION.md)** - Complete technical documentation covering:
- Detailed vulnerability analysis for both CVEs
- Root cause explanations
- Exploitation techniques with examples
- Impact assessments
- Detection strategies
- Step-by-step remediation
- Prevention best practices
- Code samples and PoCs
## ๐ก๏ธ Remediation
### Immediate Actions Required
**Both vulnerabilities are fixed in the same patch versions:**
1. **Update React** to a patched version:
```bash
npm install react@19.2.3 react-dom@19.2.3
# or
npm install react@latest react-dom@latest
```
2. **Update Next.js** (if applicable):
```bash
npm install next@latest
```
3. **Verify the fix**:
```bash
npm list react react-dom next
python scanner/scan.py http://localhost:3000
```
### Patched Versions
| Package | Vulnerable Versions | Patched Versions |
|---------|-------------------|------------------|
| React | 19.0.0 - 19.2.2 | 19.0.3+, 19.1.4+, 19.2.3+ |
| Next.js 15.1.x | < 15.1.4 | 15.1.4+ |
| Next.js 15.0.x | < 15.0.4 | 15.0.4+ |
| Next.js 14.x | < 14.2.24 | 14.2.24+ |
### Verification After Patching
```bash
# Run scanner to confirm fixes
cd scanner
python scan.py http://your-patched-app.com
# Expected output:
# [+] CVE-2025-55183: NOT VULNERABLE
# [+] CVE-2025-55184: NOT VULNERABLE
```
## ๐ Security Best Practices
### Prevent CVE-2025-55183 (Source Code Exposure)
1. **Input Validation**: Always validate Server Action inputs
2. **Never Store Secrets in Code**: Use environment variables
3. **Code Obfuscation**: Consider build-time obfuscation for sensitive logic
4. **Regular Audits**: Review Server Actions for sensitive data
### Prevent CVE-2025-55184 (DoS)
1. **Rate Limiting**: Implement request rate limits
2. **Timeouts**: Set appropriate timeouts for all async operations
3. **Health Checks**: Implement robust health monitoring
4. **Circuit Breakers**: Prevent cascading failures
### General Recommendations
- Keep React and Next.js updated
- Subscribe to security advisories
- Implement Web Application Firewall (WAF)
- Regular security scanning in CI/CD
- Incident response plan for both disclosure and DoS
## ๐ค Contributing
Contributions are welcome! Areas for improvement:
- Additional test cases
- Improved detection methods
- Better exploitation examples
- Enhanced documentation
Please feel free to submit a Pull Request.
## ๐ License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ๐ References
### Official Advisories
- [React Security Blog](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
- [Vercel Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)
### CVE Details
- [CVE-2025-55183 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-55183)
- [CVE-2025-55184 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-55184)
### Additional Resources
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
- [CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)
- [React Server Components Docs](https://react.dev/reference/rsc/server-components)
## โญ Support
If you find this repository helpful for your security research, please consider giving it a star!
## ๐ง Contact
- **Issues**: [GitHub Issues](https://github.com/yourusername/react-server-cve-lab/issues)
- **Security**: Please report vulnerabilities responsibly
---