Share
## https://sploitus.com/exploit?id=B9DC128D-977D-5CA9-AC5F-C716976F1821
# CVE-2025-55182 โ€“ React2Shell RCE

## Summary

Remote Code Execution achieved via the Next.js React Server Components (Flight) request parser. Malformed multipart payloads allow prototype pollution through the `then:$1:__proto__:then` gadget chain, abusing Server Action deserialization to traverse into `constructor.constructor` and run arbitrary Node JS code.

This vector requires a valid `Next-Action` identifier (leaked from browser network traffic or client bundles). Once supplied, the payload executes server-side with the privilege of the Node runtime.

Execution is unstable. Most shells result in server crash following exploitation. This is a one-shot foothold window, not persistent. Treat as smash-and-grab.

## Technical Notes

- - Vulnerable stack confirmed: Next.js 15.0.0-rc.0 (Node18)
        
    - Attack path: Flight multipart injection โ†’ prototype pollution โ†’ child_process โ†’ RCE
        
    - Payload wrapped in Base64 to prevent parser breakage
        
    - `$@0` chunk reference avoids early desync failures
        
    - Reverse shell delivered to listener on successful execution
        
    - Process often hangs or dies post-exec; persistence must be immediate
        
## Workflow

1.  1.  Open browser devtools, intercept a legitimate Server Action call
        
    2.  Extract `Next-Action` token
        
    3.  Configure exploit with LHOST, LPORT
        
    4.  Start listener
        

```
nc -lvnp 4444
```

1.  5.  Execute

```
python3 exploit_pwn.py targets.txt
```

1.  6.  If shell appears, establish persistence immediately. The runtime often degrades or terminates shortly after code execution due to global prototype corruption.

## Notes for Field Use

- - Attack vector is reliable in triggering prototype overwrite
        
    - Execution success varies depending on environment and runtime checks
        
    - This functions as an execution primitive; reliability work is ongoing
        
    - Ideal follow-up for stable persistence: file dropper or system-level outbound connection
        
    - Recommended future work: migrate away from `process.mainModule` for Node20+runtimes, explore import('node:child_process') fallback, multi-stage delayed execution