Mallory
Severity: Medium | Public exploit

Source Code Exposure in React Server Components Server Functions

Identifiers: CVE-2025-55183, CWE-200

CVE-2025-55183 is an information disclosure vulnerability in React Server Components affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1. A specifically crafted HTTP request sent to a vulnerable Server Function can cause the application to return the compiled source code of Server Functions. The issue is exploitable only in specific configurations where a Server Function explicitly or implicitly exposes a stringified argument. Downstream frameworks that use the affected React Server Components implementation, including Next.js App Router deployments, can also be affected.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation discloses compiled server-side function source code to an unauthenticated remote attacker. This can reveal application business logic and implementation details, and may expose secrets only if those secrets are hardcoded directly in Server Function code or inlined by bundler configuration. The issue is a confidentiality risk; available content states it does not provide remote code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of vulnerable Server Function/App Router endpoints, restrict external access where possible, and avoid hardcoding secrets in Server Function code. WAF protections may help detect or block known exploit patterns; the provided content specifically references F5 signature 'Next.js Server Function Code Exposure, ID 200009348' and Vercel/WAF-based protections. These measures are compensating controls only and are not substitutes for upgrading.

Remediation

Patch, then assume compromise.

Upgrade the affected React Server Components packages to fixed releases. The content indicates fixes were backported to versions 19.0.2, 19.1.3, and 19.2.2 for react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. For downstream Next.js App Router deployments, upgrade to vendor-patched Next.js releases as applicable. Apply the latest vendor guidance rather than relying on partial or indirect protections.
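As an added example (not code from the advisory or the React project), a Node script that audits a package-lock.json for the affected react-server-dom-* versions listed above and names the backported fix for each; the lockfile below is a constructed sample.

```javascript
// Added example: audit a package-lock.json for the react-server-dom-* versions
// named in this advisory. Not code from the advisory or the React project.
// Assumes lockfileVersion 2/3 layout: a "packages" map keyed by node_modules path.

const AFFECTED_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
]);
// Backported fixes per minor line, as stated in the remediation section.
const FIXED_BY_MINOR = { "19.0": "19.0.2", "19.1": "19.1.3", "19.2": "19.2.2" };
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// Returns one finding per affected copy, including nested (transitive) installs
// such as node_modules/next/node_modules/react-server-dom-webpack.
// Only the exact release versions listed in the advisory are flagged.
function auditLock(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = installPath.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || typeof meta.version !== "string") continue;
    if (AFFECTED_VERSIONS.has(meta.version)) {
      const minor = meta.version.split(".").slice(0, 2).join(".");
      findings.push({ installPath, name, version: meta.version, upgradeTo: FIXED_BY_MINOR[minor] });
    }
  }
  return findings;
}

// Constructed sample lockfile: one fixed copy at top level and one affected
// copy nested under a framework dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", dependencies: { next: "15.0.0" } },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.2" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.installPath}: ${f.name}@${f.version} is affected; upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).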
PUBLIC EXPLOITS

Exploits

7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).

Valid: 7 of 13 total.
CVE-2025-55182 (maturity: PoC; verified exploit)

This repository is a real exploit project centered on exploit/react2shell.py, a standalone Python exploit for CVE-2025-55182 affecting React Server Components in vulnerable React/Next.js deployments. The repository also includes extensive markdown analysis, a deliberately vulnerable Next.js lab application, an auxiliary curl-based exploit script, and a restoration script for resetting the lab after destructive testing. The main exploit is not merely a detector: it builds a malicious multipart/form-data request that targets Next.js Server Action / React Flight deserialization. The payload abuses prototype pollution ("$1:__proto__:then") and constructor traversal ("$1:constructor:constructor") to reach the JavaScript Function constructor, then executes attacker-controlled JavaScript in the Node.js process. That JavaScript invokes child_process.execSync() to run arbitrary shell commands. Command output is exfiltrated by throwing a NEXT_REDIRECT error whose digest is converted by Next.js into the X-Action-Redirect response header, typically embedding output in a /login?a=... redirect value. Capabilities described and partially visible in the code/docs include: vulnerability checking with a benign echo command, arbitrary command execution, interactive shell mode, environment-variable theft using a temp file and line-by-line reads to bypass header-size limits, website defacement, deletion of project/dashboard content, and server shutdown/DoS actions. This makes the exploit operational rather than a simple PoC.

Repository structure:
- exploit/react2shell.py: primary exploit implementation in Python using requests and argparse.
- exploit/exploit-explanation.md: usage and architecture documentation.
- docs/analysis/*.md: root-cause analysis, payload anatomy, and disclosure timeline.
- vulnerable-app/: intentionally vulnerable Next.js 15.0.0 + React 19.0.0 demo target.
- vulnerable-app/curl_id.sh: bash/curl variant of the exploit.
- vulnerable-app/scripts/restore.sh: lab restoration helper.

Fingerprintable observables include the target root path /, local demo URL http://localhost:3000, required headers Next-Action / X-Nextjs-Request-Id / X-Nextjs-Html-Request-Id, response header X-Action-Redirect, exfiltration redirect path /login?a=${res}, and temp file /tmp/stolen_env.txt. The vulnerable app itself exposes a server action in vulnerable-app/app/actions.ts and a client page in app/page.tsx, but the vulnerability is in the underlying React/Next.js deserialization path rather than in custom application logic.

devianntsec. Disclosed Mar 25, 2026. Tags: python, typescript, web, network.
CVE-2025-55182 (maturity: PoC; framework: Next.js, custom PoC app using Next.js App Router + Route Handlers; verified exploit)

This repository is a Next.js 15.0.0 research/PoC web application ("NextCorp") that demonstrates three security scenarios attributed to Next.js/React Server Components/Flight protocol handling. It is not a standalone exploit tool; instead it is a vulnerable target + demonstration harness implemented as a web app.

Key exploit capabilities implemented in code:
- RCE demo (claimed CVE-2025-55182): app/vulnerabilities/rce/submit/route.ts parses JSON and, if it detects '__proto__', 'child_process', or a 'rce_cmd' field, executes an OS command via Node's child_process.exec and returns stdout/stderr in the HTTP response. The client page app/vulnerabilities/rce/page.tsx sends a baseline POST to /vulnerabilities/rce/submit intended for interception and modification (e.g., adding rce_cmd).
- Information disclosure demo (claimed CVE-2025-55183): app/actions.ts defines a server action importantBusinessLogic that checks for the marker string "${jndi:source_leak}" in form input and then performs an actual local file read (fs.readFileSync) of app/actions.ts (path built from process.cwd()). The content is returned to the user, simulating a server action source leak.
- DoS demo (claimed CVE-2025-55184): app/vulnerabilities/dos/submit/route.ts checks incoming JSON for the substring '$L1' and then runs a busy-wait loop to simulate CPU exhaustion/hang, with a 10-second failsafe to avoid permanent lockup.

Repository structure/purpose:
- UI pages under app/ provide a SaaS-like front-end with navigation (app/page.tsx, app/components/Header.tsx) and three vulnerability modules under app/vulnerabilities/{rce,info-disclosure,dos}/page.tsx.
- Two App Router route handlers implement the server-side vulnerable behaviors: app/vulnerabilities/rce/submit/route.ts and app/vulnerabilities/dos/submit/route.ts.
- A server action in app/actions.ts implements the source-leak behavior and contains hardcoded "secret" strings to illustrate sensitive data exposure.
- Documentation (README.md, TESTING.md) explains reproduction steps and provides example payloads and curl commands.

Overall, the code provides operational, locally testable exploit effects (real command execution, real file read, and real CPU busy-loop) triggered via HTTP requests to specific Next.js endpoints.

dbwlsdnr95. Disclosed Dec 20, 2025. Tags: typescript, tsx, network.
CVE-2025-55182-React2Shell-Nextjs-RSC-Analysis (maturity: PoC; verified exploit)

This repository is a research-oriented Proof of Concept (PoC) environment demonstrating three critical vulnerabilities in Next.js 15.0.0 (with React 19.0.0 Server Components): Remote Code Execution (CVE-2025-55182), Information Disclosure (CVE-2025-55183), and Denial of Service (CVE-2025-55184). The structure is a simulated SaaS application ('NextCorp') with dedicated pages and endpoints for each vulnerability under /app/vulnerabilities/.
- The RCE exploit is triggered by sending a specially crafted JSON payload (containing a __proto__ object with a script) to /vulnerabilities/rce/submit, simulating arbitrary command execution on the server.
- The Info Disclosure exploit targets /vulnerabilities/info-disclosure, where manipulating the Next-Action header or request body can cause the server to leak sensitive server-side source code (such as the importantBusinessLogic function containing secrets).
- The DoS exploit is demonstrated by sending a recursive/circular JSON payload to /vulnerabilities/dos/submit, causing the server to enter a busy loop and hang (with a failsafe in PoC).

The repository is implemented in TypeScript using Next.js and React, with clear separation of vulnerable endpoints and demonstration logic. The PoC is not weaponized but provides a realistic simulation of exploitation scenarios for research and educational purposes.

dbwlsdnr95. Disclosed Dec 20, 2025. Tags: typescript, javascript, network.
React2P4IM0Nshell (maturity: PoC; verified exploit)

This repository is a Chrome extension named 'React2P4IM0Nshell' designed for advanced security auditing and exploitation of Next.js and React Server Components (RSC) environments. The extension provides a browser-based interface to scan, fingerprint, and exploit three specific vulnerabilities (CVE-2025-55182: RCE, CVE-2025-55183: Source Leak, CVE-2025-55184: DoS). The main exploit logic resides in 'content.js', which injects scripts into web pages to perform passive and active reconnaissance, and to execute exploit payloads via crafted HTTP requests. The RCE module sends a multipart/form-data POST request to a derived endpoint (e.g., '/adfa') with a JSON payload that triggers backend command execution. The source leak module fetches Next.js chunk files to extract sensitive Action IDs and potentially leak server-side code. The DoS module abuses promise references to cause infinite loops on the server. The extension also includes a UI (popup.html, popup.js) for user interaction, payload generation (reverse shells for Linux/Windows), and an embedded Alpine Linux terminal via an iframe. The extension is intended for ethical research and lab use, as emphasized in the README. No hardcoded external IPs or domains are present, but the extension targets endpoints on the currently loaded web page, making it adaptable to any site the user visits. The codebase is primarily JavaScript, with supporting HTML, CSS, and JSON files.

MammaniNelsonD. Disclosed Dec 14, 2025. Tags: javascript, json, browser, network.
react-server-cve-lab (maturity: PoC; verified exploit)

This repository is a comprehensive security lab for demonstrating and testing two critical vulnerabilities in React Server Components: CVE-2025-55183 (Source Code Exposure) and CVE-2025-55184 (Denial of Service). The structure includes:
- A deliberately vulnerable Next.js application (vulnerable-app/) running React 19.0.0 and Next.js 15.0.2, with server actions containing hardcoded secrets and business logic in 'app/actions.js'.
- Two operational Python exploit scripts: 'exploits/exploit-55183.py' (extracts server-side source code and secrets via a crafted POST request) and 'exploits/exploit-55184.py' (sends a payload to hang the server, causing a DoS).
- A scanner tool (scanner/scan.py) for automated detection of both CVEs.
- Extensive documentation (DOCUMENTATION.md, README.md) detailing the vulnerabilities, exploitation techniques, detection, and remediation.

The main exploit capabilities are:
- For CVE-2025-55183: Unauthenticated attackers can extract server-side source code, including secrets, by sending a crafted HTTP POST request to the vulnerable endpoint. The exploit script automates this process and saves the leaked code to a file.
- For CVE-2025-55184: Attackers can send a specially crafted payload to cause infinite promise recursion, hanging the Node.js server and requiring a manual restart.

The repository is intended for educational and research purposes, providing both the vulnerable application and the tools to exploit and detect these vulnerabilities. The attack vector is network-based, requiring only HTTP access to the target. The endpoints targeted are typically the root or main HTTP endpoint of the vulnerable application (e.g., http://localhost:3000).

StealthMoud. Disclosed Dec 12, 2025. Tags: python, javascript, network.
CVE-2025-55183_POC (maturity: PoC; verified exploit)

This repository contains a Python exploit (exp.py) and a README for CVE-2025-55183, a source code disclosure vulnerability in Next.js React Server Components (RSC). The exploit works in three main steps: (1) it discovers JavaScript chunk files from a given Next.js page, (2) extracts server action IDs from those chunks, and (3) sends crafted HTTP POST requests with a special payload to the server, attempting to trigger the vulnerability and leak the source code of server functions. The exploit is operational and can save or print the leaked source code. The only code file is exp.py, which is a standalone script using the requests library. The attack vector is network-based, requiring HTTP(S) access to the target. The script supports optional proxying and output to a file. No hardcoded credentials or static IPs are present, but the script interacts with endpoints such as /_next/static/chunks/ and the root path with a custom header. The README provides usage instructions and context. The exploit is not a detection script; it actively attempts to extract source code from vulnerable targets.

X-Cotang. Disclosed Dec 12, 2025. Tags: python, markdown, network.
CVE-2025-55183 (maturity: PoC; verified exploit)

This repository provides a scanner tool (written in Rust) and a deliberately vulnerable React application for testing CVE-2025-55183, a critical source code disclosure vulnerability in React 19.0.0-19.2.1 Server Actions. The scanner (scanner/src/main.rs) automates the exploitation process by:
1. Fetching the target web page and extracting Server Action IDs.
2. Sending crafted POST requests with a special payload and header to trigger the vulnerability.
3. Receiving and analyzing responses for exposed source code and secrets.
4. Highlighting and saving any detected secrets (API keys, database URLs, credentials, etc.).

The vulnerable-app directory contains a Next.js application with multiple server actions, each hardcoding various secrets, API keys, and credentials for demonstration purposes. These include Stripe, AWS, SendGrid, Twilio, Firebase, Google, GitHub, DataDog, Sentry, Slack, Discord, and multiple database and message queue connection strings. The scanner is operational and can be used to test real-world targets for this vulnerability. It is not a detection script but a full exploit that can extract sensitive information if the target is vulnerable. The attack vector is network-based, targeting web applications running the affected React versions. Numerous fingerprintable endpoints and secrets are present in the demo app, making it suitable for both research and red team exercises.

Saturate. Disclosed Dec 11, 2025. Tags: rust, typescript, network.
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor: Meta Platforms | Product: React | Type: application
Vendor: Vercel | Product: Next.js | Type: application

Vendor-confirmed product mapping.
