Share
## https://sploitus.com/exploit?id=67481DBF-B1BF-5637-A169-CAB50599197D
## Hunting for CVE-2025-55182

### Using Open Source Intelligence to Identify Vulnerable (Shodan Search Engine)

- Go to [Shodan](https://www.shodan.io/).
- In the search bar, enter the following query to find devices running the vulnerable version of the Next.js framework:

  ```
  http.component:"Next.js" 200
  ```

![alt text]({53DEAC34-1CFC-458A-BBD5-7DCA682D15E9}.png)

- Download in the terminal the results of the search using the Shodan CLI:

  ```bash
  shodan download nextjs_vuln "http.component:'Next.js' 200"
  ```

![alt text]({71E2295B-7A7A-4057-A28D-24B960635DCE}.png)

- Filter the results to identify domains, ips are running the vulnerable version of Next.js:

  ```bash
  shodan parse --fields ip_str nextjs_data.json.gz > ips.txt
  shodan parse --fields hostnames nextjs_data.json.gz > domains.txt
  ```

### Verifying Vulnerability (Using this PoC scanner script [react2shell-scanner](https://github.com/assetnote/react2shell-scanner))

![alt text](image.png)

### PoC Exploit

- I created a simple PoC exploit to demonstrate the vulnerability. You can find it [here](/poc.py).

![alt text](image-1.png)

- Using `nuclei` to scan for the vulnerability:

  ```bash
  cat domains.txt | nuclei -t ./nuclei-templates/http/cves/2025/CVE-2025-55182.yaml
  ```

![alt text](image-2.png)

### References
- https://react.dev/reference/rsc/server-functions 

- https://tonyalicea.dev/blog/understanding-react-server-components/ 

- https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d 

- https://developer.mozilla.org/en-US/docs/Learn_web_development/Extensions/Advanced_JavaScript_objects/Object_prototypes 

- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function 

- https://x.com/maple3142