Share
## https://sploitus.com/exploit?id=DCBECCC5-994C-5449-AF69-C81F848318D6
# Vulnerable Next.js RSC Application - CVE-2025-55182

โš ๏ธ **WARNING: This application is intentionally vulnerable for educational and security research purposes only. DO NOT deploy to production or expose to the internet.**

## Overview

This is a vulnerable Next.js application that demonstrates **CVE-2025-55182**, a critical Remote Code Execution vulnerability in React Server Components. The application is designed to look like a professional cloud hosting dashboard while being intentionally vulnerable for security testing and educational purposes.

**CVE Details:**
- **CVE ID:** CVE-2025-55182
- **Severity:** Critical (CVSS 9.5)
- **Affected Versions:** React 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Impact:** Unauthenticated remote code execution via unsafe deserialization
- **Reference:** [ProjectDiscovery CVE-2025-55182](https://cloud.projectdiscovery.io/library/CVE-2025-55182)

## ๐ŸŽฏ Features

- **Vulnerable React 19.0.0** - Uses the vulnerable version of React Server Components
- **Professional UI** - Cloud hosting dashboard interface
- **Server Actions** - Demonstrates the vulnerable server action endpoint
- **Exploit Script** - Included `curl_id.sh` for testing the vulnerability

## ๐Ÿ“‹ Requirements

- Node.js 18+ 
- npm or yarn
- Python 3.9+ (for react2shell-scanner, optional)

## ๐Ÿš€ Setup

1. **Install dependencies:**
```bash
npm install --legacy-peer-deps
```

2. **Run the development server:**
```bash
npm run dev
```

The application will be available at `http://localhost:3000`

## ๐Ÿงช Testing the Vulnerability

### Method 1: Using the Included Exploit Script

The repository includes `curl_id.sh`, a command-line tool based on the [Nuclei template](https://cloud.projectdiscovery.io/library/CVE-2025-55182) for exploiting CVE-2025-55182.

**Usage:**
```bash
# Execute id command (default)
./curl_id.sh -d localhost:3000 -c id

# Execute custom commands
./curl_id.sh -d localhost:3000 -c "whoami"
./curl_id.sh -d localhost:3000 -c "uname -a"
./curl_id.sh -d localhost:3000 -c "ls -la /tmp"

# Test remote domains (if vulnerable)
./curl_id.sh -d vulnapp.com -c id
```

**Options:**
- `-d, --domain`: Target domain/URL (default: http://localhost:3000)
- `-c, --command`: Command to execute (default: id)

### Method 2: Using react2shell-scanner

1. **Clone the scanner tool:**
```bash
git clone https://github.com/assetnote/react2shell-scanner.git
cd react2shell-scanner
pip install -r requirements.txt
```

2. **Run the scanner:**
```bash
python3 scanner.py -u http://localhost:3000
```

3. **Use safe check mode (no RCE execution):**
```bash
python3 scanner.py -u http://localhost:3000 --safe-check
```

### Method 3: Manual Testing

The vulnerability can be exploited by sending a crafted multipart POST request to the server with:
- `Next-Action: x` header
- `X-Nextjs-Request-Id` header
- `X-Nextjs-Html-Request-Id` header
- A malicious multipart form payload that exploits the deserialization vulnerability

See the [react2shell-scanner](https://github.com/assetnote/react2shell-scanner) repository for the exact payload structure.

## ๐Ÿ” How It Works

The vulnerability exists in React Server Components' deserialization mechanism. When Next.js processes server actions, it deserializes the request payload. The vulnerable versions of React (19.0.0-19.2.0) do not properly validate or sanitize the deserialized data, allowing attackers to:

1. **Craft malicious payloads** that exploit prototype pollution
2. **Execute arbitrary code** on the server via `process.mainModule.require('child_process').execSync()`
3. **Achieve remote code execution** without authentication
4. **Retrieve command output** in the `X-Action-Redirect` response header

### Technical Details

The exploit uses a prototype pollution attack in the JSON deserialization process. The payload structure includes:
- A `then` property that pollutes the prototype chain
- A `_response` object with a `_prefix` field containing JavaScript code
- The code executes via `execSync()` and redirects output to the response header

## ๐Ÿ›ก๏ธ Remediation

To fix this vulnerability:

1. **Update React** to version 19.2.1 or later:
```bash
npm install react@latest react-dom@latest
```

2. **Update Next.js** to the latest version:
```bash
npm install next@latest
```

3. **Review and update** all dependencies:
```bash
npm audit fix
```

4. **Verify** the fix by running the scanner again - it should no longer detect the vulnerability

## ๐Ÿ“ Project Structure

```
vuln-app-CVE-2025-55182/
โ”œโ”€โ”€ app/
โ”‚   โ”œโ”€โ”€ actions.ts          # Vulnerable server action
โ”‚   โ”œโ”€โ”€ layout.tsx          # Root layout
โ”‚   โ””โ”€โ”€ page.tsx            # Main dashboard page
โ”œโ”€โ”€ node_modules/           # Dependencies
โ”œโ”€โ”€ curl_id.sh              # Exploit script for testing
โ”œโ”€โ”€ package.json            # Project dependencies (vulnerable versions)
โ”œโ”€โ”€ tsconfig.json           # TypeScript configuration
โ”œโ”€โ”€ next.config.js          # Next.js configuration
โ”œโ”€โ”€ .gitignore              # Git ignore rules
โ””โ”€โ”€ README.md               # This file
```

## ๐Ÿ“š References

- [CVE-2025-55182 Details](https://cloud.projectdiscovery.io/library/CVE-2025-55182)
- [react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
- [Vercel Changelog](https://vercel.com/changelog/cve-2025-55182)
- [Original PoC by maple3142](https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3)

## โš–๏ธ Legal Disclaimer

This application is created **solely for security research and educational purposes**. 

- **DO NOT** use this application in production environments
- **DO NOT** deploy this application to public servers
- **DO NOT** use this to attack systems without explicit authorization
- **DO** use this only in isolated, controlled environments for learning

The authors and contributors are not responsible for any misuse of this code. Unauthorized access to computer systems is illegal and may result in criminal prosecution.

## ๐Ÿค Contributing

This is an educational repository. Contributions that improve documentation, add better examples, or enhance the educational value are welcome.

## ๐Ÿ“ License

This project is provided for educational purposes. Use at your own risk.

## ๐Ÿ™ Credits

- **Assetnote Security Research Team** - Original vulnerability research and scanner tool
- **maple3142** - Original RCE PoC disclosure
- **xEHLE_** - RCE output reflection in response header
- **Nagli** - Additional research contributions
- **ProjectDiscovery** - Nuclei template for detection

---

**Remember:** This is a vulnerable application. Use responsibly and only in controlled environments for security research and education.