Share
## https://sploitus.com/exploit?id=F71C05F6-A22C-5A29-B8EB-39C074BA981F
# CVE-2025-55182 Lab β React Server Components RCE
[](docker-compose.yml)
[](LICENSE)
[](https://react.dev/blog/2025/12/03/react-server-components-security-update)
Educational lab demonstrating **CVE-2025-55182** β a critical (CVSS 10.0) Remote Code Execution vulnerability in React Server Components caused by prototype pollution in the Flight protocol deserializer.
> **Disclaimer:** This repository is for **educational and authorized security research purposes only**. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this material. Only use against systems you own or have explicit written permission to test. By using this code, you agree that you are responsible for your own actions.
---
## Quick Start
```bash
# 1. Clone
git clone https://github.com/Jeanback1/react-rsc-cve-2025-55182-lab.git
cd react-rsc-cve-2025-55182-lab
# 2. Start the lab (vulnerable + patched instances)
docker compose up -d
# Wait ~2 minutes for both containers to build and start.
# 3. Exploit the vulnerable instance
python exploit/exploit.py http://localhost:3011 id
# 4. Try the same against the patched instance β it fails
python exploit/exploit.py http://localhost:3012 id
```
## Lab Architecture
```
docker compose
ββββββββββββββββββββββββββββββββββ
β β
attacker βββββΆβ :3011 β rsc-lab-vulnerable β React 19.2.0
β (Server Action) β β exploitable
β β
β :3012 β rsc-lab-patched β React 19.2.1
β (no Server Action) β β patched
ββββββββββββββββββββββββββββββββββ
```
| Container | Port | React Version | Server Action | Vulnerable? |
|-----------|------|---------------|---------------|-------------|
| `rsc-lab-vulnerable` | 3011 | 19.2.0 | Yes | **Yes** |
| `rsc-lab-patched` | 3012 | 19.2.1 | No | No |
## Requirements
- **Docker** + Docker Compose v2
- **Python 3.8+** with `requests` (`pip install requests`)
## Files
```
βββ docker-compose.yml # Lab orchestration
βββ README.md # This file
βββ LICENSE
β
βββ vulnerable/ # Vulnerable Next.js app
β βββ Dockerfile
β βββ package.json # react@19.2.0, next@15.4.0
β βββ app/
β βββ layout.tsx
β βββ page.tsx # Server Component + Server Action
β βββ actions.ts # 'use server' β the attack surface
β
βββ patched/ # Patched Next.js app
β βββ Dockerfile
β βββ package.json # react@19.2.1, next@15.4.8
β βββ app/
β βββ layout.tsx
β βββ page.tsx # Server Component only (no Server Actions)
β
βββ exploit/
β βββ exploit.py # Educational RCE exploit (well-commented)
β βββ requirements.txt
β βββ pyproject.toml
β
βββ docs/
βββ CVE-2025-55182.md # Full technical analysis
```
## Exploit Usage
```bash
# Single command execution
python exploit/exploit.py
# Examples
python exploit/exploit.py http://localhost:3011 id
python exploit/exploit.py http://localhost:3011 "cat /etc/passwd"
python exploit/exploit.py http://localhost:3011 "ls -la /app"
```
The exploit works in three stages:
1. **Build** a Flight payload with `__proto__` traversal β pollute `Object.prototype.then`
2. **Send** the payload as `multipart/form-data` via the Server Action endpoint
3. **Extract** command output from the `X-Action-Redirect` response header (base64-encoded)
## Affected Versions
| Package | Vulnerable | Patched |
|---------|-----------|---------|
| `react` | β€ 19.2.0 | β₯ 19.2.1 |
| `react-dom` | β€ 19.2.0 | β₯ 19.2.1 |
| `react-server-dom-webpack` | β€ 19.2.0 | β₯ 19.2.1 |
## Technical Deep Dive
See [`docs/CVE-2025-55182.md`](docs/CVE-2025-55182.md) for a full walkthrough:
- How the Flight protocol works
- Why `__proto__` traversal is dangerous
- Step-by-step exploit chain
- Detection and mitigation strategies
## References
- [React Security Advisory β December 2025](https://react.dev/blog/2025/12/03/react-server-components-security-update)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
- [Next.js Server Actions](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)