Share
## https://sploitus.com/exploit?id=FB29BEA2-A018-556E-8082-7DAA7F82E21C
# CVE-2025-55182 RSC lab (intentionally vulnerable)

Local **Docker** lab for authorized security research: **React Server Components** / **Next.js App Router** with a stack in the **CVE-2025-55182** (React2Shell) affected range.

**Use only on your own machine. Do not expose this container to the internet.**

## References

- [React β€” Critical security vulnerability in React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD β€” CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Next.js security advisories](https://nextjs.org/blog) (upgrade paths for your release line)

## What this runs

| Component | Version | Note |
|-----------|---------|------|
| **Next.js** | `15.1.0` | Pre-patch; npm warns about known issues |
| **React / react-dom** | `19.2.0` | In the affected 19.x line for this CVE |
| **RSC pipeline** | Bundled in Next | Deserialization is exercised via Next’s compiled `react-server-dom-*` |

The app is a minimal **App Router** page with one **Server Action** so `POST /` with a `Next-Action` header behaves like a real target.

## Prerequisites

- [Docker](https://docs.docker.com/get-docker/) and **Docker Compose v2**
- Docker engine running (e.g. Docker Desktop)

## Quick start

```bash
git clone https://github.com/l0lsec/cve-2025-55182-lab.git
cd cve-2025-55182-lab

# Build and run in the background
docker compose up --build -d
```

Open **http://localhost:3000** β€” you should see β€œRSC lab (intentionally vulnerable)” and a small form.

### Verify it is up

```bash
curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:3000/
# expect: 200
```

### Logs

```bash
docker compose logs -f
```

### Stop

```bash
docker compose down
```

## Testing with Burp Suite

1. Set **Target** to `http://localhost:3000` (or tunnel through Burp).
2. Send **`POST /`** with **`Content-Type: multipart/form-data`** and your Flight-protocol exploit body (multipart fields `0`, `1`, `2` as in public write-ups / your templates).
3. **`Next-Action` header**
   - Try intercepting a normal form submit and copy the real `Next-Action` value from that request, **or**
   - Inspect the page HTML: the action id appears in hidden fields / RSC payload (it can **change when you rebuild** the image).

Example header shape:

```http
Next-Action: 
```

If a generic placeholder does not work, always prefer the **live** id from Proxy history after one legitimate submit.

### Sample raw requests

Ready-to-paste **`POST /`** multipart templates live in **[`burp-payloads/`](burp-payloads/)** (e.g. `id`, `whoami`, time-based `sleep`, OOB placeholders). See [`burp-payloads/README.md`](burp-payloads/README.md) for a file index. Replace **`YOUR-COLLABORATOR-HOST`** in OOB templates before sending.

## Project layout

```
.
β”œβ”€β”€ Dockerfile              # Multi-stage build, Next standalone, port 3000
β”œβ”€β”€ docker-compose.yml      # Maps host 3000 β†’ container 3000
β”œβ”€β”€ burp-payloads/          # Raw *.http for Burp Repeater + index README
β”œβ”€β”€ app/
β”‚   β”œβ”€β”€ layout.tsx
β”‚   └── page.tsx            # Server Action + lab UI
β”œβ”€β”€ public/
β”œβ”€β”€ package.json
β”œβ”€β”€ package-lock.json
└── next.config.ts          # output: "standalone"
```

## Development (without Docker)

```bash
npm install
npm run dev
# http://localhost:3000
```

For CVE reproduction, prefer the **Docker** image so the stack matches the pinned vulnerable dependencies.

## After you are done testing

- **Destroy** the container and image if you no longer need them.
- **Upgrade** any real apps to patched Next.js / React per vendor guidance β€” this repo is **not** a secure baseline.

## License

Educational / lab use only. You are responsible for complying with laws and policies where you operate. No warranty.