## https://sploitus.com/exploit?id=A3E6A781-5531-5CC6-83CA-254A85323C37
# CVE-2025-55182 - Next.js/React Server Components Remote Code Execution
## Overview
This repository contains a Proof-of-Concept (PoC) exploit for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability affecting React Server Components in React versions 19.x and Next.js versions 15.x and 16.x when using the App Router. The vulnerability has a CVSS score of 10.0, representing a severe risk.
## Vulnerability Description
The core of the vulnerability lies in the improper handling of deserialization within React Server Components. Specifically, the exploit leverages the `@` deserialization to manipulate a Chunk object and hijack its `then` property. By setting the `status` to `RESOLVED_MODEL`, the `initializeModelChunk` function is called with a fake chunk entirely controlled by the attacker. This allows manipulation of the `_response` object, ultimately leading to arbitrary code execution.
The exploit targets the Blob deserialization process, specifically the `response._formData.get` call, to inject attacker-controlled code that is then executed.
## Proof-of-Concept (PoC)
The `exploit.py` script provides a PoC that demonstrates the vulnerability. It crafts a malicious payload that manipulates the deserialization process to execute a command on the target server.
## How it Works:
1. **`@` Deserialization:** The exploit uses the `@` deserialization mechanism to gain control of a Chunk object.
2. **Hijacking `Chunk.prototype.then`:** The `then` property of the Chunk prototype is overwritten, so when the chunk is awaited/resolved, attacker controlled code will be called.
3. **`RESOLVED_MODEL` Status:** Setting the chunk `status` to `RESOLVED_MODEL` triggers the `initializeModelChunk` function, which interacts with the attacker-controlled `_response` object.
4. **`_formData.get` Manipulation:** The exploit manipulates `response._formData.get` to return a function with attacker-controlled code. This function is then executed.
## Prerequisites
* **Python 3:** The PoC script is written in Python 3.
* **Library:** Install the library using `pip install -r requirements.txt`.
* **Target Server:** A vulnerable Next.js (16.0.6) application running with the App Router.
## Usage
1. **Save the script:** Save the provided Python code as `exploit.py`.
2. **Run the script:** Execute the script from the command line, providing the target URL and the command to execute as arguments:
```bash
python exploit.py
```
For example:
```bash
python exploit.py http://localhost:3000 "ls -l"
```
## Demonstration

## Disclaimer
This PoC is provided "as is" without any warranty. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.