## https://sploitus.com/exploit?id=A03C8B54-A4C1-5D8C-8575-8584109FB69F
# CVE-2025-55182 - React Server Components Prototype Chain Vulnerability
A local proof-of-concept (POC) for CVE-2025-55182 using the actual vulnerable code from `react-server-dom-webpack@19.0.0`.
## Vulnerability Overview
### Root Cause
In React Server Components' `requireModule()` function, module exports are accessed using bracket notation without checking `hasOwnProperty`, allowing access to prototype chain properties:
```javascript
// Vulnerable code (React 19.0.0)
return moduleExports[metadata[2]]; // Accesses prototype chain!
// Patched (React 19.2.1)
if (hasOwnProperty.call(moduleExports, metadata[2]))
return moduleExports[metadata[2]];
```
### Attack Flow
1. Attacker sends `$ACTION_REF_0` and `$ACTION_0:0` fields containing bound action metadata
2. `id: 'vm#runInThisContext'` loads the `vm` module and accesses the `runInThisContext` export
3. The `bound` array becomes arguments to the function
4. When the action is called: `runInThisContext(CODE)` executes arbitrary code
### Vulnerability Location
- **File**: `react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js`
- **Function**: `requireModule` (around line 2546)
- **Affected Versions**: react-server-dom-webpack = 19.2.0
- react-server-dom-turbopack: >= 19.2.0
- Next.js: 15.0.5+
## Disclaimer
โ ๏ธ **For security research and educational purposes only**
This POC is intended to demonstrate the vulnerability principle. Do not use for illegal purposes.