## https://sploitus.com/exploit?id=B9DC128D-977D-5CA9-AC5F-C716976F1821
# CVE-2025-55182 โ React2Shell RCE
## Summary
Remote Code Execution achieved via the Next.js React Server Components (Flight) request parser. Malformed multipart payloads allow prototype pollution through the `then:$1:__proto__:then` gadget chain, abusing Server Action deserialization to traverse into `constructor.constructor` and run arbitrary Node JS code.
This vector requires a valid `Next-Action` identifier (leaked from browser network traffic or client bundles). Once supplied, the payload executes server-side with the privilege of the Node runtime.
Execution is unstable. Most shells result in server crash following exploitation. This is a one-shot foothold window, not persistent. Treat as smash-and-grab.
## Technical Notes
- - Vulnerable stack confirmed: Next.js 15.0.0-rc.0 (Node18)
- Attack path: Flight multipart injection โ prototype pollution โ child_process โ RCE
- Payload wrapped in Base64 to prevent parser breakage
- `$@0` chunk reference avoids early desync failures
- Reverse shell delivered to listener on successful execution
- Process often hangs or dies post-exec; persistence must be immediate
## Workflow
1. 1. Open browser devtools, intercept a legitimate Server Action call
2. Extract `Next-Action` token
3. Configure exploit with LHOST, LPORT
4. Start listener
```
nc -lvnp 4444
```
1. 5. Execute
```
python3 exploit_pwn.py targets.txt
```
1. 6. If shell appears, establish persistence immediately. The runtime often degrades or terminates shortly after code execution due to global prototype corruption.
## Notes for Field Use
- - Attack vector is reliable in triggering prototype overwrite
- Execution success varies depending on environment and runtime checks
- This functions as an execution primitive; reliability work is ongoing
- Ideal follow-up for stable persistence: file dropper or system-level outbound connection
- Recommended future work: migrate away from `process.mainModule` for Node20+runtimes, explore import('node:child_process') fallback, multi-stage delayed execution