Share
## https://sploitus.com/exploit?id=F71C05F6-A22C-5A29-B8EB-39C074BA981F
# CVE-2025-55182 Lab β€” React Server Components RCE

[![Docker](https://img.shields.io/badge/docker-compose-blue)](docker-compose.yml)
[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
[![CVE](https://img.shields.io/badge/CVE-2025--55182-red)](https://react.dev/blog/2025/12/03/react-server-components-security-update)

Educational lab demonstrating **CVE-2025-55182** β€” a critical (CVSS 10.0) Remote Code Execution vulnerability in React Server Components caused by prototype pollution in the Flight protocol deserializer.

> **Disclaimer:** This repository is for **educational and authorized security research purposes only**. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this material. Only use against systems you own or have explicit written permission to test. By using this code, you agree that you are responsible for your own actions.

---

## Quick Start

```bash
# 1. Clone
git clone https://github.com/Jeanback1/react-rsc-cve-2025-55182-lab.git
cd react-rsc-cve-2025-55182-lab

# 2. Start the lab (vulnerable + patched instances)
docker compose up -d

# Wait ~2 minutes for both containers to build and start.

# 3. Exploit the vulnerable instance
python exploit/exploit.py http://localhost:3011 id

# 4. Try the same against the patched instance β€” it fails
python exploit/exploit.py http://localhost:3012 id
```

## Lab Architecture

```
                  docker compose
                 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                 β”‚                                β”‚
   attacker ────▢│  :3011 β†’ rsc-lab-vulnerable    β”‚  React 19.2.0
                 β”‚           (Server Action)       β”‚  ← exploitable
                 β”‚                                β”‚
                 β”‚  :3012 β†’ rsc-lab-patched        β”‚  React 19.2.1
                 β”‚           (no Server Action)    β”‚  ← patched
                 β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

| Container | Port | React Version | Server Action | Vulnerable? |
|-----------|------|---------------|---------------|-------------|
| `rsc-lab-vulnerable` | 3011 | 19.2.0 | Yes | **Yes** |
| `rsc-lab-patched` | 3012 | 19.2.1 | No | No |

## Requirements

- **Docker** + Docker Compose v2
- **Python 3.8+** with `requests` (`pip install requests`)

## Files

```
β”œβ”€β”€ docker-compose.yml        # Lab orchestration
β”œβ”€β”€ README.md                 # This file
β”œβ”€β”€ LICENSE
β”‚
β”œβ”€β”€ vulnerable/               # Vulnerable Next.js app
β”‚   β”œβ”€β”€ Dockerfile
β”‚   β”œβ”€β”€ package.json          # react@19.2.0, next@15.4.0
β”‚   └── app/
β”‚       β”œβ”€β”€ layout.tsx
β”‚       β”œβ”€β”€ page.tsx          # Server Component + Server Action
β”‚       └── actions.ts        # 'use server' β€” the attack surface
β”‚
β”œβ”€β”€ patched/                  # Patched Next.js app
β”‚   β”œβ”€β”€ Dockerfile
β”‚   β”œβ”€β”€ package.json          # react@19.2.1, next@15.4.8
β”‚   └── app/
β”‚       β”œβ”€β”€ layout.tsx
β”‚       └── page.tsx          # Server Component only (no Server Actions)
β”‚
β”œβ”€β”€ exploit/
β”‚   β”œβ”€β”€ exploit.py            # Educational RCE exploit (well-commented)
β”‚   β”œβ”€β”€ requirements.txt
β”‚   └── pyproject.toml
β”‚
└── docs/
    └── CVE-2025-55182.md     # Full technical analysis
```

## Exploit Usage

```bash
# Single command execution
python exploit/exploit.py  

# Examples
python exploit/exploit.py http://localhost:3011 id
python exploit/exploit.py http://localhost:3011 "cat /etc/passwd"
python exploit/exploit.py http://localhost:3011 "ls -la /app"
```

The exploit works in three stages:
1. **Build** a Flight payload with `__proto__` traversal β†’ pollute `Object.prototype.then`
2. **Send** the payload as `multipart/form-data` via the Server Action endpoint
3. **Extract** command output from the `X-Action-Redirect` response header (base64-encoded)

## Affected Versions

| Package | Vulnerable | Patched |
|---------|-----------|---------|
| `react` | ≀ 19.2.0 | β‰₯ 19.2.1 |
| `react-dom` | ≀ 19.2.0 | β‰₯ 19.2.1 |
| `react-server-dom-webpack` | ≀ 19.2.0 | β‰₯ 19.2.1 |

## Technical Deep Dive

See [`docs/CVE-2025-55182.md`](docs/CVE-2025-55182.md) for a full walkthrough:

- How the Flight protocol works
- Why `__proto__` traversal is dangerous
- Step-by-step exploit chain
- Detection and mitigation strategies

## References

- [React Security Advisory β€” December 2025](https://react.dev/blog/2025/12/03/react-server-components-security-update)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
- [Next.js Server Actions](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)