Share
## https://sploitus.com/exploit?id=A03C8B54-A4C1-5D8C-8575-8584109FB69F
# CVE-2025-55182 - React Server Components Prototype Chain Vulnerability

A local proof-of-concept (POC) for CVE-2025-55182 using the actual vulnerable code from `react-server-dom-webpack@19.0.0`.

## Vulnerability Overview

### Root Cause

In React Server Components' `requireModule()` function, module exports are accessed using bracket notation without checking `hasOwnProperty`, allowing access to prototype chain properties:

```javascript
// Vulnerable code (React 19.0.0)
return moduleExports[metadata[2]];  // Accesses prototype chain!

// Patched (React 19.2.1)
if (hasOwnProperty.call(moduleExports, metadata[2]))
  return moduleExports[metadata[2]];
```

### Attack Flow

1. Attacker sends `$ACTION_REF_0` and `$ACTION_0:0` fields containing bound action metadata
2. `id: 'vm#runInThisContext'` loads the `vm` module and accesses the `runInThisContext` export
3. The `bound` array becomes arguments to the function
4. When the action is called: `runInThisContext(CODE)` executes arbitrary code

### Vulnerability Location

- **File**: `react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js`
- **Function**: `requireModule` (around line 2546)
- **Affected Versions**: react-server-dom-webpack = 19.2.0
- react-server-dom-turbopack: >= 19.2.0
- Next.js: 15.0.5+

## Disclaimer

โš ๏ธ **For security research and educational purposes only**

This POC is intended to demonstrate the vulnerability principle. Do not use for illegal purposes.