GitHub: Jeanback1/react-rsc-cve-2025-55182-lab

# CVE-2025-55182 Lab — React Server Components RCE

[![Docker](https://img.shields.io/badge/docker-compose-blue)](docker-compose.yml) [![License](https://img.shields.io/badge/license-MIT-green)](LICENSE) [![CVE](https://img.shields.io/badge/CVE-2025--55182-red)](https://react.dev/blog/2025/12/03/react-server-components-security-update)

Educational lab demonstrating **CVE-2025-55182** — a critical (CVSS 10.0) Remote Code Execution vulnerability in React Server Components caused by prototype pollution in the Flight protocol deserializer.

## Quick Start

```bash
# 1. Clone
git clone https://github.com/Jeanback1/react-rsc-cve-2025-55182-lab.git
cd react-rsc-cve-2025-55182-lab

# 2. Start the lab (vulnerable + patched instances)
docker compose up -d
# Wait ~2 minutes for both containers to build and start.

# 3. Exploit the vulnerable instance
python exploit/exploit.py http://localhost:3011 id

# 4. Try the same against the patched instance — it fails
python exploit/exploit.py http://localhost:3012 id
```

## Lab Architecture

```
                docker compose
              ┌────────────────────────────────┐
              │                                │
attacker ────▶│ :3011 → rsc-lab-vulnerable     │ React 19.2.0 (Server Action)    ← exploitable
              │                                │
              │ :3012 → rsc-lab-patched        │ React 19.2.1 (no Server Action) ← patched
              └────────────────────────────────┘
```

| Container | Port | React Version | Server Action | Vulnerable? |
|-----------|------|---------------|---------------|-------------|
| `rsc-lab-vulnerable` | 3011 | 19.2.0 | Yes | **Yes** |
| `rsc-lab-patched` | 3012 | 19.2.1 | No | No |

## Requirements

- **Docker** + Docker Compose v2
- **Python 3.8+** with `requests` (`pip install requests`)

## Files

```
├── docker-compose.yml          # Lab orchestration
├── README.md                   # This file
├── LICENSE
│
├── vulnerable/                 # Vulnerable Next.js app
│   ├── Dockerfile
│   ├── package.json            # react@19.2.0, next@15.4.0
│   └── app/
│       ├── layout.tsx
│       ├── page.tsx            # Server Component + Server Action
│       └── actions.ts          # 'use server' — the attack surface
│
├── patched/                    # Patched Next.js app
│   ├── Dockerfile
│   ├── package.json            # react@19.2.1, next@15.4.8
│   └── app/
│       ├── layout.tsx
│       └── page.tsx            # Server Component only (no Server Actions)
│
├── exploit/
│   ├── exploit.py              # Educational RCE exploit (well-commented)
│   ├── requirements.txt
│   └── pyproject.toml
│
└── docs/
    └── CVE-2025-55182.md       # Full technical analysis
```

## Exploit Usage

```bash
# Single command execution
python exploit/exploit.py

# Examples
python exploit/exploit.py http://localhost:3011 id
python exploit/exploit.py http://localhost:3011 "cat /etc/passwd"
python exploit/exploit.py http://localhost:3011 "ls -la /app"
```

The exploit works in three stages:

1. **Build** a Flight payload with `__proto__` traversal → pollute `Object.prototype.then`
2. **Send** the payload as `multipart/form-data` via the Server Action endpoint
3. **Extract** command output from the `X-Action-Redirect` response header (base64-encoded)

## Affected Versions

| Package | Vulnerable | Patched |
|---------|-----------|---------|
| `react` | ≤ 19.2.0 | ≥ 19.2.1 |
| `react-dom` | ≤ 19.2.0 | ≥ 19.2.1 |
| `react-server-dom-webpack` | ≤ 19.2.0 | ≥ 19.2.1 |

## Technical Deep Dive

See [`docs/CVE-2025-55182.md`](docs/CVE-2025-55182.md) for a full walkthrough:

- How the Flight protocol works
- Why `__proto__` traversal is dangerous
- Step-by-step exploit chain
- Detection and mitigation strategies

## References

- [React Security Advisory — December 2025](https://react.dev/blog/2025/12/03/react-server-components-security-update)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
- [Next.js Server Actions](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)
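A defensive companion to the Affected Versions table above: this added script is not part of the lab and the lockfile fragment in it is constructed. It audits a `package-lock.json` for `react`, `react-dom` and `react-server-dom-webpack` below 19.2.1, the range the table marks vulnerable, including nested copies installed under other packages.

```python
import json

# Packages and first fixed release, as given in the Affected Versions table.
AFFECTED = {"react", "react-dom", "react-server-dom-webpack"}
FIRST_PATCHED = (19, 2, 1, 0)


def parse_version(v: str) -> tuple:
    """Reduce '19.2.0', 'v19.2' or '19.2.1-canary-xyz' to a comparable tuple."""
    core, *pre = v.lstrip("v").split("+", 1)[0].split("-", 1)
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    # Semver orders a pre-release below its final release, hence the -1 tag.
    return tuple((parts + [0, 0, 0])[:3]) + ((-1,) if pre else (0,))


def is_vulnerable(version: str) -> bool:
    """True for any release below 19.2.1 (pre-releases of 19.2.1 included)."""
    return parse_version(version) < FIRST_PATCHED


def audit_lockfile(lock: dict) -> list:
    """Return sorted (package, version) pairs for affected packages below 19.2.1.
    Reads lockfileVersion 2/3 'packages' (keyed by install path, so copies nested
    under other packages are seen) and the legacy v1 'dependencies' map."""
    entries = []
    for path, meta in lock.get("packages", {}).items():
        entries.append((path.rsplit("node_modules/", 1)[-1], meta.get("version")))
    for name, meta in lock.get("dependencies", {}).items():
        entries.append((name, meta.get("version")))
    return sorted({(n, v) for n, v in entries
                   if n in AFFECTED and v and is_vulnerable(v)})


# Constructed lockfile fragment mirroring the vulnerable lab app (not the repo's real file).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/next": {"version": "15.4.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    },
}

if __name__ == "__main__":
    import sys
    # Audit a real package-lock.json given on the command line, else the sample above.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in audit_lockfile(lock):
        print(f"{name}@{version}: upgrade to >= 19.2.1")
```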