Share
## https://sploitus.com/exploit?id=A3E6A781-5531-5CC6-83CA-254A85323C37
# CVE-2025-55182 - Next.js/React Server Components Remote Code Execution

## Overview

This repository contains a Proof-of-Concept (PoC) exploit for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability affecting React Server Components in React versions 19.x and Next.js versions 15.x and 16.x when using the App Router.  The vulnerability has a CVSS score of 10.0, representing a severe risk.

## Vulnerability Description

The core of the vulnerability lies in the improper handling of deserialization within React Server Components.  Specifically, the exploit leverages the `@` deserialization to manipulate a Chunk object and hijack its `then` property. By setting the `status` to `RESOLVED_MODEL`, the `initializeModelChunk` function is called with a fake chunk entirely controlled by the attacker. This allows manipulation of the `_response` object, ultimately leading to arbitrary code execution.

The exploit targets the Blob deserialization process, specifically the `response._formData.get` call, to inject attacker-controlled code that is then executed.

## Proof-of-Concept (PoC)

The `exploit.py` script provides a PoC that demonstrates the vulnerability. It crafts a malicious payload that manipulates the deserialization process to execute a command on the target server.

## How it Works:

1. **`@` Deserialization:** The exploit uses the `@` deserialization mechanism to gain control of a Chunk object.
2. **Hijacking `Chunk.prototype.then`:**  The `then` property of the Chunk prototype is overwritten, so when the chunk is awaited/resolved, attacker controlled code will be called.
3. **`RESOLVED_MODEL` Status:** Setting the chunk `status` to `RESOLVED_MODEL` triggers the `initializeModelChunk` function, which interacts with the attacker-controlled `_response` object.
4. **`_formData.get` Manipulation:**  The exploit manipulates `response._formData.get` to return a function with attacker-controlled code.  This function is then executed.

## Prerequisites

* **Python 3:**  The PoC script is written in Python 3.
* **Library:**  Install the library using `pip install -r requirements.txt`.
* **Target Server:** A vulnerable Next.js (16.0.6) application running with the App Router.

## Usage

1. **Save the script:** Save the provided Python code as `exploit.py`.
2. **Run the script:** Execute the script from the command line, providing the target URL and the command to execute as arguments:

   ```bash
   python exploit.py  
   ```

   For example:

   ```bash
   python exploit.py http://localhost:3000 "ls -l"
   ```

## Demonstration

![demo](images/demo.png)

## Disclaimer

This PoC is provided "as is" without any warranty. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.