CVE-2025-55182 React Server Components Remote Code Execution... #1636
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title: CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool
This repository contains a Python-based exploit framework for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) affecting Next.js App Router deployments that use Server Actions and `react-server-dom-webpack` versions 19.0.0–19.2.0 (Next.js 15.x an...

🔧 Technical Details
Prototype pollution via RSC Flight protocol references
The technique relies on RSC's Flight protocol treating strings starting with `$` as object-reference paths. By assigning `"then": "$1:__proto__:then"` in a Flight payload, the deserializer writes a `then` property into `Object.prototype` through `__proto__`. This prototype pollution converts many otherwise benign objects into thenables, altering how asynchronous or promise-based framework code handles them and enabling attacker-controlled code paths.

Escalating a polluted reference into the Function constructor
The exploit generalizes a common prototype-chain trick: `object.constructor` usually yields `Object`, and `Object.constructor` is the global `Function` constructor. By placing a value like `"$1:constructor:constructor"` in a deserialized structure (e.g., assi...

🤖 Agent Actions
Summary:
Updated `src/network-services-pentesting/pentesting-web/nextjs.md` with a new section covering the CVE-2025-55182 React Server Components Flight protocol deserialization RCE, including the prototype-pollution-to-Function attack chain, payload structure, exploitation workflow, OPSEC options, and hardening guidance.

Testing:
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
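The two Flight reference-path behaviours summarised under Technical Details above, modelled as an added JavaScript example; this is not code from `react-server-dom-webpack`, from the exploit tool, or from the `nextjs.md` section this PR adds. The chunk table, the decimal chunk id, the `:` separator and a resolver that both reads and writes along a path are constructed assumptions for illustration; only the untrusted property walk is modelled, not the real deserializer's chunk lifecycle. The hardened resolver beside it shows the check a fix needs: own-property traversal only, with `__proto__`, `constructor` and `prototype` refused outright.

```javascript
// Added example: a small model of a Flight-style "$<chunk>:<key>:<key>..."
// reference resolver, in a naive and a hardened form. Not code from
// react-server-dom-webpack, from the exploit tool, or from this PR.
// Constructed assumptions: chunk ids are decimal, ":" separates segments,
// and the resolver both reads and writes along a path.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "$1:__proto__:then" -> { id: '1', path: ['__proto__', 'then'] }
function parseReference(ref) {
  if (typeof ref !== 'string' || ref[0] !== '$') {
    throw new TypeError('not a Flight-style reference');
  }
  const [id, ...path] = ref.slice(1).split(':');
  return { id, path };
}

// Naive walk: plain property access on every segment, so "__proto__" steps
// onto the prototype and "constructor" onto the constructor function just as
// an ordinary key would. Returns the object reached by all but the last
// segment, plus the last segment as the key to read or write.
function walkNaive(chunks, ref) {
  const { id, path } = parseReference(ref);
  let parent = chunks[id];
  for (let i = 0; i < path.length - 1; i++) parent = parent[path[i]];
  return { parent, key: path[path.length - 1] };
}

function readNaive(chunks, ref) {
  const { parent, key } = walkNaive(chunks, ref);
  return key === undefined ? parent : parent[key];
}

// The write the text describes: assigning under a path whose parent segment
// is "__proto__" stores the value on Object.prototype, not on the chunk.
function writeNaive(chunks, ref, value) {
  const { parent, key } = walkNaive(chunks, ref);
  parent[key] = value;
}

// Hardened walk: every segment must be an own property of a plain object or
// array, and the prototype-walking names are refused outright.
function walkSafe(chunks, ref) {
  const { id, path } = parseReference(ref);
  if (!hasOwn(chunks, id)) throw new Error(`unknown chunk ${id}`);
  const check = (obj, seg) => {
    if (FORBIDDEN_SEGMENTS.has(seg) || obj === null ||
        typeof obj !== 'object' || !hasOwn(obj, seg)) {
      throw new Error(`rejected path segment "${seg}"`);
    }
  };
  let parent = chunks[id];
  for (let i = 0; i < path.length - 1; i++) {
    check(parent, path[i]);
    parent = parent[path[i]];
  }
  const key = path[path.length - 1];
  if (key !== undefined) check(parent, key);
  return { parent, key };
}

function readSafe(chunks, ref) {
  const { parent, key } = walkSafe(chunks, ref);
  return key === undefined ? parent : parent[key];
}

// 1. Prototype pollution: write "then" via "$1:__proto__:then" and observe
//    that an unrelated, freshly created object has become a thenable.
//    Object.prototype is restored in finally so nothing else is affected.
function demoPollution() {
  const chunks = { 1: {} };                       // constructed chunk table
  const before = typeof ({}).then;
  try {
    writeNaive(chunks, '$1:__proto__:then', function then() {});
    return { before, after: typeof ({}).then, isOwn: hasOwn({}, 'then') };
  } finally {
    delete Object.prototype.then;
  }
}

// 2. Reaching Function: "$1:constructor:constructor" walks {} -> Object ->
//    Function, the constructor that compiles source text into a function.
function demoFunctionConstructor() {
  const fn = readNaive({ 1: {} }, '$1:constructor:constructor');
  return { isFunctionCtor: fn === Function, canBuild: fn('return 6 * 7')() };
}

// 3. The hardened resolver still serves ordinary paths but rejects both
//    tricks, plus any inherited (non-own) property such as toString.
function demoHardened() {
  const chunks = { 1: { user: { name: 'alice' } } };
  const ok = readSafe(chunks, '$1:user:name');
  const rejected = [];
  for (const ref of ['$1:__proto__:then', '$1:constructor:constructor', '$1:user:toString']) {
    try { readSafe(chunks, ref); rejected.push(false); } catch { rejected.push(true); }
  }
  return { ok, rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoPollution(), demoFunctionConstructor(), demoHardened());
}
```

Run it with `node`; `demoPollution` restores `Object.prototype` in a `finally` block so the pollution does not leak into the rest of the process. The hardened walk also rejects `$1:user:toString`, which reaches an inherited rather than own property: the own-property rule that blocks `__proto__` blocks every inherited accessor, so the denylist of three names is the secondary check, not the primary one.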