Share
## https://sploitus.com/exploit?id=A1B7FB84-AFCF-5683-8C9F-781D7D3D229E
# CVE-2025-55183-poc – Next.js React Server Components Server Function Source Code Disclosure

This repository contains detection tooling for a source code disclosure vulnerability
in **Next.js React Server Components (RSC)** / **Server Actions**, tracked as
`CVE-2025-55183`.

In vulnerable applications, a crafted HTTP request to a Server Function can
cause the server to **return the full JavaScript source code** of that function
when the reference is stringified (for example, via template literals or
implicit coercion in database queries).

React's fix adds a `toString()` override for server references that returns a
constant placeholder string instead of the real function body. Applications
running older builds may still leak source code if server references are
directly or indirectly stringified and reflected back to the client.

> ⚠️ **Legal notice:**  
> These tools are for security testing and research on systems you own or are
> explicitly authorized to test. Unauthorized scanning or exploitation may be
> illegal.

---

## Repository contents

- `CVE-2025-55183.yaml`  
  Nuclei template that:
  1. Discovers `_next/static/chunks/*.js` files
  2. Extracts candidate server action IDs from those chunks
  3. Sends RSC requests targeting each action
  4. Flags responses that appear to contain server function source code

---

## Vulnerability summary

- **ID:** CVE-2025-55183  
- **Component:** React Server Components / Server Actions in Next.js apps  
- **Impact:** Server-side JavaScript source code disclosure  
- **Root cause:**  
  Server references (Server Functions) did not override `toString()`. When such
  a reference was passed as an argument to code that coerced it to a string, its
  full source code could be returned to the client (for example, via an error
  path, logging, or query-building logic).

- **Fix (upstream):**
  React now installs a `toString` descriptor on server references that returns a
  constant placeholder such as:

```js
  function () { [omitted code] }
````

This prevents real function bodies from being exposed even if stringified.

For details on the underlying React changes, see:

* React commit: `894bc73cb493487c48d57f4508e6278db58e673a`
* React blog: “Denial of service and source code exposure in React Server Components”

---

## Detection with Nuclei

### Requirements

* [Nuclei](https://github.com/projectdiscovery/nuclei) v3+
* Network access to the target Next.js app