Share
## https://sploitus.com/exploit?id=5A99B8F0-FE87-571A-B6CA-A497204A6A75
# React Server Components Security Lab (CVE-2025-55183 & CVE-2025-55184)

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![React Version](https://img.shields.io/badge/React-19.0.0-blue.svg)](https://react.dev/)
[![CVE-2025-55183](https://img.shields.io/badge/CVE--2025--55183-Medium-orange.svg)](https://nvd.nist.gov/)
[![CVE-2025-55184](https://img.shields.io/badge/CVE--2025--55184-High-red.svg)](https://nvd.nist.gov/)

A comprehensive security testing environment for **CVE-2025-55183** (Source Code Exposure) and **CVE-2025-55184** (Denial of Service) vulnerabilities in React Server Components.

## โš ๏ธ Disclaimer

**FOR EDUCATIONAL AND SECURITY RESEARCH PURPOSES ONLY**

This repository contains deliberately vulnerable applications and exploitation tools. **Only test on systems you own or have explicit written permission to test.** Unauthorized testing is illegal and unethical.

## ๐Ÿ“‹ Table of Contents

- [About the Vulnerabilities](#about-the-vulnerabilities)
- [Quick Start](#quick-start)
- [Repository Structure](#repository-structure)
- [Vulnerable Application](#vulnerable-application)
- [Scanner Usage](#scanner-usage)
- [Detailed Documentation](#detailed-documentation)
- [Remediation](#remediation)
- [License](#license)

## ๐Ÿ” About the Vulnerabilities

Both vulnerabilities affect React Server Components versions 19.0.0 through 19.2.2, disclosed on December 11, 2025.

### CVE-2025-55183: Source Code Exposure (Medium Severity)

| Property | Value |
|----------|-------|
| **Severity** | Medium (CVSS 5.3) |
| **Type** | Information Disclosure |
| **Impact** | Server source code exposure |
| **Authentication** | None Required |

Attackers can coerce Server Action arguments to leak server-only source code by calling `.toString()` on server function objects. This exposes:
- Business logic and algorithms
- Hardcoded API keys or secrets
- Internal implementation details
- Database queries and schema information

### CVE-2025-55184: Denial of Service (High Severity)

| Property | Value |
|----------|-------|
| **Severity** | High (CVSS 7.5) |
| **Type** | Denial of Service |
| **Impact** | Complete service outage |
| **Authentication** | None Required |

Specially crafted payloads create infinite promise recursion, causing the Node.js server to hang indefinitely. Results in:
- Complete service unavailability
- CPU exhaustion
- Blocked event loop
- Manual restart required

### Comparison

| Aspect | CVE-2025-55183 | CVE-2025-55184 |
|--------|----------------|----------------|
| **Severity** | Medium | High |
| **Type** | Information Disclosure | Denial of Service |
| **Impact** | Source code leakage | Server crash |
| **Detection** | Response contains code | Server timeout/hang |
| **Recovery** | Immediate | Requires restart |

## ๐Ÿš€ Quick Start

### Prerequisites

- Docker & Docker Compose
- Python 3.7+
- Git

### 1. Clone the Repository

```bash
git clone https://github.com/StealthMoud/react-server-cve-lab.git
cd react-server-cve-lab
```

### 2. Start the Vulnerable Application

```bash
# Start the app (vulnerable to both CVEs)
docker-compose up --build -d

# App available at: http://localhost:3000
```

### 3. Run the Scanner

```bash
cd scanner

# Install dependencies
pip install -r requirements.txt

# Scan for both vulnerabilities
python scan.py http://localhost:3000

# Scan only CVE-2025-55183
python scan.py --cve 55183 http://localhost:3000

# Scan only CVE-2025-55184
python scan.py --cve 55184 http://localhost:3000

# Scan multiple targets
python scan.py --file targets.txt
```

## ๐Ÿ“ Repository Structure

```
react-server-cve-lab/
โ”œโ”€โ”€ README.md                          # This file
โ”œโ”€โ”€ DOCUMENTATION.md                   # Complete technical documentation
โ”œโ”€โ”€ LICENSE
โ”œโ”€โ”€ .gitignore
โ”œโ”€โ”€ docker-compose.yml
โ”‚
โ”œโ”€โ”€ vulnerable-app/                    # Vulnerable to BOTH CVEs
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ”œโ”€โ”€ package.json
โ”‚   โ”œโ”€โ”€ next.config.js
โ”‚   โ””โ”€โ”€ app/
โ”‚       โ”œโ”€โ”€ layout.js
โ”‚       โ”œโ”€โ”€ page.js
โ”‚       โ””โ”€โ”€ actions.js                 # Vulnerable server actions
โ”‚
โ”œโ”€โ”€ scanner/
โ”‚   โ”œโ”€โ”€ requirements.txt
โ”‚   โ”œโ”€โ”€ scan.py                        # Scanner for both CVEs
โ”‚   โ””โ”€โ”€ README.md
โ”‚
โ””โ”€โ”€ exploits/
    โ”œโ”€โ”€ exploit-55183.py               # PoC for CVE-2025-55183
    โ”œโ”€โ”€ exploit-55184.py               # PoC for CVE-2025-55184
    โ””โ”€โ”€ README.md
```

## ๐ŸŽฏ Vulnerable Application

The application is a Next.js app running React 19.0.0 with Server Actions, vulnerable to **both CVEs**.

### Features

- **Server Actions**: Multiple endpoints demonstrating both vulnerabilities
- **Realistic Code**: Simulates real-world patterns with secrets
- **Easy Testing**: Simple UI for manual testing
- **Docker-based**: Isolated, reproducible environment

### Starting the App

```bash
# Using Docker Compose (recommended)
docker-compose up --build -d

# Check if running
curl http://localhost:3000

# View logs
docker-compose logs -f

# Stop the app
docker-compose down
```

### Manual Setup (Without Docker)

```bash
cd vulnerable-app
npm install
npm run build
npm start
```

## ๐Ÿ”Ž Scanner Usage

The unified scanner detects both CVE-2025-55183 and CVE-2025-55184.

### Basic Usage

```bash
cd scanner

# Scan for both CVEs
python scan.py http://localhost:3000

# Scan specific CVE only
python scan.py --cve 55183 http://localhost:3000
python scan.py --cve 55184 http://localhost:3000
```

### Advanced Options

```bash
# Verbose output
python scan.py --verbose http://localhost:3000

# Custom timeout
python scan.py --timeout 10 http://example.com

# Scan multiple URLs from file
python scan.py --file targets.txt

# Save results to JSON
python scan.py --output results.json http://localhost:3000

# Disable SSL verification
python scan.py --no-verify https://self-signed.example.com

# Scan all CVEs with verbose output and save results
python scan.py --verbose --output scan-results.json http://localhost:3000
```

### Example Output

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     React Server Components Vulnerability Scanner        โ•‘
โ•‘         CVE-2025-55183 & CVE-2025-55184                  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Testing http://localhost:3000

[CVE-2025-55183] Source Code Exposure
[!] VULNERABLE: Source code leaked
    Exposed Functions: 3
    Code Length: 1247 characters
    Contains Secrets: โœ“ (API keys found)

[CVE-2025-55184] Denial of Service
[!] VULNERABLE: DoS attack successful
    Status Code: 404
    Content-Type: text/plain
    Markers Found: โœ“

============================================================
SUMMARY
============================================================
Total tested: 1
CVE-2025-55183 vulnerable: 1
CVE-2025-55184 vulnerable: 1
Both CVEs vulnerable: 1
Not vulnerable: 0
```

## ๐Ÿ“š Detailed Documentation

For comprehensive technical analysis of both vulnerabilities:

**[DOCUMENTATION.md](DOCUMENTATION.md)** - Complete technical documentation covering:
- Detailed vulnerability analysis for both CVEs
- Root cause explanations
- Exploitation techniques with examples
- Impact assessments
- Detection strategies
- Step-by-step remediation
- Prevention best practices
- Code samples and PoCs

## ๐Ÿ›ก๏ธ Remediation

### Immediate Actions Required

**Both vulnerabilities are fixed in the same patch versions:**

1. **Update React** to a patched version:
   ```bash
   npm install react@19.2.3 react-dom@19.2.3
   # or
   npm install react@latest react-dom@latest
   ```

2. **Update Next.js** (if applicable):
   ```bash
   npm install next@latest
   ```

3. **Verify the fix**:
   ```bash
   npm list react react-dom next
   python scanner/scan.py http://localhost:3000
   ```

### Patched Versions

| Package | Vulnerable Versions | Patched Versions |
|---------|-------------------|------------------|
| React | 19.0.0 - 19.2.2 | 19.0.3+, 19.1.4+, 19.2.3+ |
| Next.js 15.1.x | < 15.1.4 | 15.1.4+ |
| Next.js 15.0.x | < 15.0.4 | 15.0.4+ |
| Next.js 14.x | < 14.2.24 | 14.2.24+ |

### Verification After Patching

```bash
# Run scanner to confirm fixes
cd scanner
python scan.py http://your-patched-app.com

# Expected output:
# [+] CVE-2025-55183: NOT VULNERABLE
# [+] CVE-2025-55184: NOT VULNERABLE
```

## ๐Ÿ”’ Security Best Practices

### Prevent CVE-2025-55183 (Source Code Exposure)

1. **Input Validation**: Always validate Server Action inputs
2. **Never Store Secrets in Code**: Use environment variables
3. **Code Obfuscation**: Consider build-time obfuscation for sensitive logic
4. **Regular Audits**: Review Server Actions for sensitive data

### Prevent CVE-2025-55184 (DoS)

1. **Rate Limiting**: Implement request rate limits
2. **Timeouts**: Set appropriate timeouts for all async operations
3. **Health Checks**: Implement robust health monitoring
4. **Circuit Breakers**: Prevent cascading failures

### General Recommendations

- Keep React and Next.js updated
- Subscribe to security advisories
- Implement Web Application Firewall (WAF)
- Regular security scanning in CI/CD
- Incident response plan for both disclosure and DoS

## ๐Ÿค Contributing

Contributions are welcome! Areas for improvement:
- Additional test cases
- Improved detection methods
- Better exploitation examples
- Enhanced documentation

Please feel free to submit a Pull Request.

## ๐Ÿ“„ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## ๐Ÿ”— References

### Official Advisories

- [React Security Blog](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
- [Vercel Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)


### CVE Details

- [CVE-2025-55183 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-55183)
- [CVE-2025-55184 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-55184)

### Additional Resources

- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
- [CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)
- [React Server Components Docs](https://react.dev/reference/rsc/server-components)

## โญ Support

If you find this repository helpful for your security research, please consider giving it a star!

## ๐Ÿ“ง Contact

- **Issues**: [GitHub Issues](https://github.com/yourusername/react-server-cve-lab/issues)
- **Security**: Please report vulnerabilities responsibly

---