themadarchitect · December 14, 2025 19:32
diff --git a/react2shell.yaml b/react2shell.yaml
 id: cve-2025-55182-cve-2025-66478-react-nextjs-rce

 info:
  name: React Server Components and Next.js RSC Flight Protocol - Remote Code Execution
  author: unknown
  severity: critical
  description: |
    Detects CVE-2025-55182 and CVE-2025-66478 vulnerabilities allowing unauthenticated
    Remote Code Execution (RCE) in React Server Components and Next.js through insecure
    deserialization in the RSC Flight protocol.
  tags: react,nextjs,rce,cve,cve2025,deserialization
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-55182
    - https://www.cve.org/CVERecord?id=CVE-2025-66478
    - https://nextjs.org/blog/CVE-2025-66478
    - https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
    - https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
  classification:
    cve-id:
      - CVE-2025-55182
      - CVE-2025-66478
    cwe-id: CWE-502

 variables:
  boundary: "{{rand_text_alphanumeric(16)}}"

 http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary}}
        Next-Action: {{rand_text_alphanumeric(32)}}
        X-Nextjs-Request-Id: {{rand_text_alphanumeric(32)}}
        Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]]

        ------WebKitFormBoundary{{boundary}}
        Content-Disposition: form-data; name="1"

        {}
        ------WebKitFormBoundary{{boundary}}
        Content-Disposition: form-data; name="0"

        ["$1:a:a"]
        ------WebKitFormBoundary{{boundary}}--

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500

      - type: regex
        part: body
        regex:
          - 'E\{"digest"'
          - 'digest.*Error'
        condition: or

    extractors:
      - type: regex
        name: error-digest
        part: body
        regex:
          - 'E\{"digest":"([a-zA-Z0-9]+)"'
        group: 1
	id: cve-2025-55182-cve-2025-66478-react-nextjs-rce

	info:
	name: React Server Components and Next.js RSC Flight Protocol - Remote Code Execution
	author: unknown
	severity: critical
	description: \|
	Detects CVE-2025-55182 and CVE-2025-66478 vulnerabilities allowing unauthenticated
	Remote Code Execution (RCE) in React Server Components and Next.js through insecure
	deserialization in the RSC Flight protocol.
	tags: react,nextjs,rce,cve,cve2025,deserialization
	reference:
	- https://www.cve.org/CVERecord?id=CVE-2025-55182
	- https://www.cve.org/CVERecord?id=CVE-2025-66478
	- https://nextjs.org/blog/CVE-2025-66478
	- https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
	- https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
	classification:
	cve-id:
	- CVE-2025-55182
	- CVE-2025-66478
	cwe-id: CWE-502

	variables:
	boundary: "{{rand_text_alphanumeric(16)}}"

	http:
	- raw:
	- \|
	POST / HTTP/1.1
	Host: {{Hostname}}
	Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary}}
	Next-Action: {{rand_text_alphanumeric(32)}}
	X-Nextjs-Request-Id: {{rand_text_alphanumeric(32)}}
	Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]]

	------WebKitFormBoundary{{boundary}}
	Content-Disposition: form-data; name="1"

	{}
	------WebKitFormBoundary{{boundary}}
	Content-Disposition: form-data; name="0"

	["$1:a:a"]
	------WebKitFormBoundary{{boundary}}--

	matchers-condition: and
	matchers:
	- type: status
	status:
	- 500

	- type: regex
	part: body
	regex:
	- 'E\{"digest"'
	- 'digest.*Error'
	condition: or

	extractors:
	- type: regex
	name: error-digest
	part: body
	regex:
	- 'E\{"digest":"([a-zA-Z0-9]+)"'
	group: 1
No results found