@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

πŸ“ Source Information

  • Blog URL: https://github.com/ghe770mvp/RSC_Vuln_Lab
  • Blog Title: RSC Report Lab – CVE-2025-55182 (React 19.2.0)
  • Suggested Section: Pentesting Web > Deserialization (new subsection: "React Server Components / react-server-dom-webpack Server Actions Abuse") or cross-linked example under Pentesting Web > Command Injection.

🎯 Content Summary

This repository is a deliberately vulnerable React Server Components (RSC) lab that demonstrates remote code execution (RCE) via a vulnerable version of react-server-dom-webpack (RSDW) 19.2.0, associated with CVE-2025-55182, combined with a realistic server-side command execution gadget built on child_process.exec.


Stack and vulnerable components
The lab runs on:

  • Node.js 20+
  • react 19.2.0
  • react...

🔧 Technical Details

Abusing React Server Actions deserialization in react-server-dom-webpack
React Server Components with react-server-dom-webpack allow clients to trigger server actions by sending multipart/form-data POST requests that contain special parts like $ACTION_REF_0 and $ACTION_0:0. The $ACTION_0:0 part holds JSON such as {"id":"module-path#exportName","bound":[arg0,arg1,...]}. In vulnerable versions (e.g. RSDW 19.2.0, CVE-2025-55182), decodeAction trusts the id and bound fields: it resolves id to an exported server function and calls it with bound as arguments without extra validation. An attacker who can craft these multipart payloads can directly select any exported server action (e.g. app/server-actions#generateReport) and fully control its parameters, turning any unsafe action into a remotely exploitable gadget.


...

🤖 Agent Actions

Summary:

• Added a new React Server Components / react-server-dom-webpack section inside the deserialization guide explaining how CVE-2025-55182 lets attackers craft $ACTION_* multipart payloads that decodeAction blindly trusts, including protocol details, PoC HTTP/curl requests, and the Node.js command-execution gadget pattern.
• Documented defensive measures (upgrading React/RSDW, enforcing allow-lists and auth, validating bound arguments, and avoiding child_process.exec concatenation) plus emphasized that no real React client is needed for exploitation.
• Updated the references list to cite the RSC Report Lab repository used for these details.

Testing:

• Not run (not requested).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://github.com/ghe770mvp/RSC_Vuln_Lab

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web > Deserialization (new subsection: "React Server Components / react-server-dom-webpack Server Actions Abuse") or cross-linked example under Pentesting Web > Command Injection.".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
