## https://sploitus.com/exploit?id=FB29BEA2-A018-556E-8082-7DAA7F82E21C
# CVE-2025-55182 RSC lab (intentionally vulnerable)
Local **Docker** lab for authorized security research: **React Server Components** / **Next.js App Router** with a stack in the **CVE-2025-55182** (React2Shell) affected range.
**Use only on your own machine. Do not expose this container to the internet.**
## References
- [React β Critical security vulnerability in React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD β CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Next.js security advisories](https://nextjs.org/blog) (upgrade paths for your release line)
## What this runs
| Component | Version | Note |
|-----------|---------|------|
| **Next.js** | `15.1.0` | Pre-patch; npm warns about known issues |
| **React / react-dom** | `19.2.0` | In the affected 19.x line for this CVE |
| **RSC pipeline** | Bundled in Next | Deserialization is exercised via Nextβs compiled `react-server-dom-*` |
The app is a minimal **App Router** page with one **Server Action** so `POST /` with a `Next-Action` header behaves like a real target.
## Prerequisites
- [Docker](https://docs.docker.com/get-docker/) and **Docker Compose v2**
- Docker engine running (e.g. Docker Desktop)
## Quick start
```bash
git clone https://github.com/l0lsec/cve-2025-55182-lab.git
cd cve-2025-55182-lab
# Build and run in the background
docker compose up --build -d
```
Open **http://localhost:3000** β you should see βRSC lab (intentionally vulnerable)β and a small form.
### Verify it is up
```bash
curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:3000/
# expect: 200
```
### Logs
```bash
docker compose logs -f
```
### Stop
```bash
docker compose down
```
## Testing with Burp Suite
1. Set **Target** to `http://localhost:3000` (or tunnel through Burp).
2. Send **`POST /`** with **`Content-Type: multipart/form-data`** and your Flight-protocol exploit body (multipart fields `0`, `1`, `2` as in public write-ups / your templates).
3. **`Next-Action` header**
- Try intercepting a normal form submit and copy the real `Next-Action` value from that request, **or**
- Inspect the page HTML: the action id appears in hidden fields / RSC payload (it can **change when you rebuild** the image).
Example header shape:
```http
Next-Action:
```
If a generic placeholder does not work, always prefer the **live** id from Proxy history after one legitimate submit.
### Sample raw requests
Ready-to-paste **`POST /`** multipart templates live in **[`burp-payloads/`](burp-payloads/)** (e.g. `id`, `whoami`, time-based `sleep`, OOB placeholders). See [`burp-payloads/README.md`](burp-payloads/README.md) for a file index. Replace **`YOUR-COLLABORATOR-HOST`** in OOB templates before sending.
## Project layout
```
.
βββ Dockerfile # Multi-stage build, Next standalone, port 3000
βββ docker-compose.yml # Maps host 3000 β container 3000
βββ burp-payloads/ # Raw *.http for Burp Repeater + index README
βββ app/
β βββ layout.tsx
β βββ page.tsx # Server Action + lab UI
βββ public/
βββ package.json
βββ package-lock.json
βββ next.config.ts # output: "standalone"
```
## Development (without Docker)
```bash
npm install
npm run dev
# http://localhost:3000
```
For CVE reproduction, prefer the **Docker** image so the stack matches the pinned vulnerable dependencies.
## After you are done testing
- **Destroy** the container and image if you no longer need them.
- **Upgrade** any real apps to patched Next.js / React per vendor guidance β this repo is **not** a secure baseline.
## License
Educational / lab use only. You are responsible for complying with laws and policies where you operate. No warranty.