Denial of Service in React Server Components deserialization
CVE-2025-55184 is a pre-authentication denial-of-service vulnerability in React Server Components affecting versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw is in the server-side deserialization path for payloads received over HTTP by Server Function endpoints. React unsafely deserializes attacker-controlled structured input, and a specially crafted request can trigger an infinite loop during deserialization, hanging the server process. Public context also describes the issue as rooted in React Server Components / Flight protocol handling of serialized data, including malformed structures that can induce cyclical references. The result is loss of availability rather than code execution.
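A defender-side check to go with the version list above: this is an added example, not code from this page or from the React project. It reads an npm package-lock.json (lockfileVersion 2 or 3, which carry a top-level "packages" map keyed by install path) and reports every copy of react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack whose version is on the affected list, including copies nested under another package such as next. Only the versions named above are flagged; the script makes no claim about other versions, and lockfileVersion 1 files (a "dependencies" tree) are not parsed. The sample lockfile embedded at the bottom is constructed for the demonstration.

```python
"""Flag lockfile entries for react-server-dom-* packages at versions listed
as affected by CVE-2025-55184 (added example; not the page's or React's code)."""
import json
import re
import sys
from typing import Dict, List, Tuple

# Package names and affected versions exactly as stated in the advisory text.
AFFECTED_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
AFFECTED_VERSIONS = {
    "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
}

# Lockfile keys look like "node_modules/<name>" or
# "node_modules/<parent>/node_modules/<name>"; the segment after the last
# "node_modules/" is the package name (scoped names keep their "@scope/").
_PKG_NAME = re.compile(r"(?:^|/)node_modules/((?:@[^/]+/)?[^/]+)$")


def find_affected(lock: Dict) -> List[Tuple[str, str, str]]:
    """Return (install_path, package_name, version) for each affected copy."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        m = _PKG_NAME.search(path)
        if not m:
            continue  # "" is the root project; anything else is an unexpected key
        name = m.group(1)
        version = entry.get("version", "")
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            hits.append((path, name, version))
    return sorted(hits)


def scan_lockfile(path: str) -> List[Tuple[str, str, str]]:
    """Load a package-lock.json from disk and return the affected copies."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed sample lockfile: a direct dependency at an affected version,
# a nested copy under "next" at an affected version, and unrelated packages.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    # Usage: python check_rsc_lock.py path/to/package-lock.json
    # Without an argument the constructed sample lockfile is scanned instead.
    results = scan_lockfile(sys.argv[1]) if len(sys.argv) > 1 else find_affected(SAMPLE_LOCK)
    for install_path, name, version in results:
        print(f"AFFECTED {name}@{version} at {install_path}")
    if not results:
        print("no affected react-server-dom-* versions found")
```

Nested copies matter because a framework may pin its own react-server-dom-* build under its node_modules directory, so checking only the top-level entry can miss the copy that actually serves Server Function requests.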
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (12 hidden).
This repository is a real exploit project centered on exploit/react2shell.py, a standalone Python exploit for CVE-2025-55182 affecting React Server Components in vulnerable React/Next.js deployments. The repository also includes extensive markdown analysis, a deliberately vulnerable Next.js lab application, an auxiliary curl-based exploit script, and a restoration script for resetting the lab after destructive testing. The main exploit is not merely a detector: it builds a malicious multipart/form-data request that targets Next.js Server Action / React Flight deserialization. The payload abuses prototype pollution ("$1:__proto__:then") and constructor traversal ("$1:constructor:constructor") to reach the JavaScript Function constructor, then executes attacker-controlled JavaScript in the Node.js process. That JavaScript invokes child_process.execSync() to run arbitrary shell commands. Command output is exfiltrated by throwing a NEXT_REDIRECT error whose digest is converted by Next.js into the X-Action-Redirect response header, typically embedding output in a /login?a=... redirect value. Capabilities described and partially visible in the code/docs include: vulnerability checking with a benign echo command, arbitrary command execution, interactive shell mode, environment-variable theft using a temp file and line-by-line reads to bypass header-size limits, website defacement, deletion of project/dashboard content, and server shutdown/DoS actions. This makes the exploit operational rather than a simple PoC.
Repository structure:
- exploit/react2shell.py: primary exploit implementation in Python using requests and argparse.
- exploit/exploit-explanation.md: usage and architecture documentation.
- docs/analysis/*.md: root-cause analysis, payload anatomy, and disclosure timeline.
- vulnerable-app/: intentionally vulnerable Next.js 15.0.0 + React 19.0.0 demo target.
- vulnerable-app/curl_id.sh: bash/curl variant of the exploit.
- vulnerable-app/scripts/restore.sh: lab restoration helper.
Fingerprintable observables include the target root path /, local demo URL http://localhost:3000, required headers Next-Action / X-Nextjs-Request-Id / X-Nextjs-Html-Request-Id, response header X-Action-Redirect, exfiltration redirect path /login?a=${res}, and temp file /tmp/stolen_env.txt. The vulnerable app itself exposes a server action in vulnerable-app/app/actions.ts and a client page in app/page.tsx, but the vulnerability is in the underlying React/Next.js deserialization path rather than in custom application logic.
This repository is a Next.js 15.0.0 research/PoC web application ("NextCorp") that demonstrates three security scenarios attributed to Next.js/React Server Components/Flight protocol handling. It is not a standalone exploit tool; instead it is a vulnerable target + demonstration harness implemented as a web app.
Key exploit capabilities implemented in code:
- RCE demo (claimed CVE-2025-55182): app/vulnerabilities/rce/submit/route.ts parses JSON and, if it detects '__proto__', 'child_process', or a 'rce_cmd' field, executes an OS command via Node's child_process.exec and returns stdout/stderr in the HTTP response. The client page app/vulnerabilities/rce/page.tsx sends a baseline POST to /vulnerabilities/rce/submit intended for interception and modification (e.g., adding rce_cmd).
- Information disclosure demo (claimed CVE-2025-55183): app/actions.ts defines a server action importantBusinessLogic that checks for the marker string "${jndi:source_leak}" in form input and then performs an actual local file read (fs.readFileSync) of app/actions.ts (path built from process.cwd()). The content is returned to the user, simulating a server action source leak.
- DoS demo (claimed CVE-2025-55184): app/vulnerabilities/dos/submit/route.ts checks incoming JSON for the substring '$L1' and then runs a busy-wait loop to simulate CPU exhaustion/hang, with a 10-second failsafe to avoid permanent lockup.
Repository structure/purpose:
- UI pages under app/ provide a SaaS-like front-end with navigation (app/page.tsx, app/components/Header.tsx) and three vulnerability modules under app/vulnerabilities/{rce,info-disclosure,dos}/page.tsx.
- Two App Router route handlers implement the server-side vulnerable behaviors: app/vulnerabilities/rce/submit/route.ts and app/vulnerabilities/dos/submit/route.ts.
- A server action in app/actions.ts implements the source-leak behavior and contains hardcoded "secret" strings to illustrate sensitive data exposure.
- Documentation (README.md, TESTING.md) explains reproduction steps and provides example payloads and curl commands.
Overall, the code provides operational, locally testable exploit effects (real command execution, real file read, and real CPU busy-loop) triggered via HTTP requests to specific Next.js endpoints.
This repository is a research-oriented Proof of Concept (PoC) environment demonstrating three critical vulnerabilities in Next.js 15.0.0 (with React 19.0.0 Server Components): Remote Code Execution (CVE-2025-55182), Information Disclosure (CVE-2025-55183), and Denial of Service (CVE-2025-55184). The structure is a simulated SaaS application ('NextCorp') with dedicated pages and endpoints for each vulnerability under /app/vulnerabilities/.
- The RCE exploit is triggered by sending a specially crafted JSON payload (containing a __proto__ object with a script) to /vulnerabilities/rce/submit, simulating arbitrary command execution on the server.
- The Info Disclosure exploit targets /vulnerabilities/info-disclosure, where manipulating the Next-Action header or request body can cause the server to leak sensitive server-side source code (such as the importantBusinessLogic function containing secrets).
- The DoS exploit is demonstrated by sending a recursive/circular JSON payload to /vulnerabilities/dos/submit, causing the server to enter a busy loop and hang (with a failsafe in PoC).
The repository is implemented in TypeScript using Next.js and React, with clear separation of vulnerable endpoints and demonstration logic. The PoC is not weaponized but provides a realistic simulation of exploitation scenarios for research and educational purposes.
This repository is a professional-grade exploitation framework for CVE-2025-55184, a high-severity denial of service (DoS) vulnerability in React Server Components (RSC) implementations. The exploit targets web applications using Next.js (13.x-14.1.0), Waku (<0.19.2), Remix (<2.5.1), or any RSC-enabled React app (React 18.0.0-18.2.0). The vulnerability allows unauthenticated remote attackers to send specially crafted HTTP POST requests with circular reference payloads to the server, causing it to hang or exhaust resources, resulting in a complete DoS.
The repository contains the following key files:
- 'cve_2025_55184_exploit.py': The main exploitation framework, supporting multiple attack modes (detect, scan, single, multi, aggressive, WAF bypass, report) and advanced features such as WAF detection/bypass, payload encoding, and professional reporting.
- 'exploit.py': A simplified launcher providing an interactive menu for easy attack execution, including a sustained attack mode that keeps the target down until stopped.
- 'cve-2025-55184.yaml.txt': A Nuclei-compatible template for automated vulnerability scanning.
- 'run.sh': A Bash script to set up the environment and launch the tool.
- 'requirements (2).txt': Python dependencies.
- 'README (5).md': Comprehensive documentation, usage instructions, and vulnerability details.
The exploit is operational and includes both detection and attack capabilities, with support for WAF bypass and multiple payload variants. The main attack vector is network-based, targeting HTTP endpoints (typically '/'). No hardcoded IPs or domains are present; the user supplies the target URL. The tool is suitable for authorized penetration testing, bug bounty research, and professional security assessments.
This repository is a professional-grade exploitation framework for CVE-2025-55184, a high-severity Denial of Service (DoS) vulnerability in React Server Components (RSC) implementations. The exploit targets unauthenticated network-accessible endpoints in frameworks such as Next.js, Waku, Remix, and any RSC-enabled React app, causing complete service disruption via circular reference deserialization payloads (e.g., "$@0"). The repository is well-structured, with clear separation of code (Python modules for exploitation logic, WAF bypass, UI, and utilities), configuration (JSON files for payloads and settings), documentation (usage guides, bug bounty templates), and automation scripts (run.sh for easy launching). The main entry points are 'exploit.py' (simple interactive launcher), 'cve_2025_55184_exploit.py' (advanced CLI), and 'run.sh' (quick launcher). The tool supports multiple attack modes: passive detection, active scan, single-shot DoS, multi-threaded and aggressive sustained attacks, WAF bypass, and automated report generation. It features advanced WAF evasion (header obfuscation, encoding variations, user-agent rotation, request smuggling), a modern terminal UI, and built-in ethical controls (authorization prompts, scope validation). Payloads are delivered via HTTP POST requests to framework-specific endpoints, using various encodings to maximize success and evade defenses. The tool is operational and suitable for real-world bug bounty and penetration testing, provided the user has explicit authorization. No hardcoded IPs or domains are present; the tool is designed for user-supplied targets. The included YAML file provides a Nuclei template for automated detection. Overall, this is a mature, feature-rich DoS exploitation toolkit for CVE-2025-55184.
This repository is a Chrome extension named 'React2P4IM0Nshell' designed for advanced security auditing and exploitation of Next.js and React Server Components (RSC) environments. The extension provides a browser-based interface to scan, fingerprint, and exploit three specific vulnerabilities (CVE-2025-55182: RCE, CVE-2025-55183: Source Leak, CVE-2025-55184: DoS). The main exploit logic resides in 'content.js', which injects scripts into web pages to perform passive and active reconnaissance, and to execute exploit payloads via crafted HTTP requests. The RCE module sends a multipart/form-data POST request to a derived endpoint (e.g., '/adfa') with a JSON payload that triggers backend command execution. The source leak module fetches Next.js chunk files to extract sensitive Action IDs and potentially leak server-side code. The DoS module abuses promise references to cause infinite loops on the server. The extension also includes a UI (popup.html, popup.js) for user interaction, payload generation (reverse shells for Linux/Windows), and an embedded Alpine Linux terminal via an iframe. The extension is intended for ethical research and lab use, as emphasized in the README. No hardcoded external IPs or domains are present, but the extension targets endpoints on the currently loaded web page, making it adaptable to any site the user visits. The codebase is primarily JavaScript, with supporting HTML, CSS, and JSON files.
This repository is a comprehensive security lab for demonstrating and testing two critical vulnerabilities in React Server Components: CVE-2025-55183 (Source Code Exposure) and CVE-2025-55184 (Denial of Service). The structure includes:
- A deliberately vulnerable Next.js application (vulnerable-app/) running React 19.0.0 and Next.js 15.0.2, with server actions containing hardcoded secrets and business logic in 'app/actions.js'.
- Two operational Python exploit scripts: 'exploits/exploit-55183.py' (extracts server-side source code and secrets via a crafted POST request) and 'exploits/exploit-55184.py' (sends a payload to hang the server, causing a DoS).
- A scanner tool (scanner/scan.py) for automated detection of both CVEs.
- Extensive documentation (DOCUMENTATION.md, README.md) detailing the vulnerabilities, exploitation techniques, detection, and remediation.
The main exploit capabilities are:
- For CVE-2025-55183: Unauthenticated attackers can extract server-side source code, including secrets, by sending a crafted HTTP POST request to the vulnerable endpoint. The exploit script automates this process and saves the leaked code to a file.
- For CVE-2025-55184: Attackers can send a specially crafted payload to cause infinite promise recursion, hanging the Node.js server and requiring a manual restart.
The repository is intended for educational and research purposes, providing both the vulnerable application and the tools to exploit and detect these vulnerabilities. The attack vector is network-based, requiring only HTTP access to the target. The endpoints targeted are typically the root or main HTTP endpoint of the vulnerable application (e.g., http://localhost:3000).
This repository provides a proof-of-concept (POC) exploit for two Next.js vulnerabilities: CVE-2025-55182 (Remote Code Execution) and CVE-2025-55184 (Denial of Service). The main exploit logic is implemented in 'main.py', which crafts and sends specially formatted multipart/form-data POST requests to a target Next.js server (defaulting to http://localhost:3000). The exploit leverages JavaScript code injection via form fields to execute arbitrary system commands on the server, demonstrated by the payload 'process.mainModule.require('child_process').execSync('id').toString()'. The script also includes a function to send a DoS payload. The included 'next-app' directory is a standard Next.js application (version 15.5.4) with supporting files for local testing and demonstration. The exploit is not part of a framework and is a standalone POC. The primary attack vector is network-based, targeting HTTP endpoints that process form data with the 'Next-Action' header. No hardcoded external IPs or domains are present; the default target is localhost. The repository is structured for both exploit demonstration and local vulnerable app deployment.
This repository is a Go-based proof-of-concept exploit targeting CVE-2025-55184. The main exploit logic is implemented in 'exploit.go', which reads a list of target URLs from 'domains.txt' and sends a user-specified number of concurrent HTTP POST requests to each target. Each request uses a multipart/form-data body with a form file named '0' containing the string '"$@0"', and includes a custom header 'Next-Action: x'. The exploit is designed to stress or crash the target service, likely exploiting a vulnerability in how the target handles such requests, resulting in a denial of service (DoS) condition. The repository includes a Makefile for building and running the exploit, and a Go module definition. No hardcoded network endpoints are present; all targets are supplied by the user via 'domains.txt'. The exploit is not weaponized but serves as a functional proof-of-concept for the referenced CVE.
This repository provides proof-of-concept (PoC) exploit scripts for CVE-2025-55184, targeting web services running on localhost. There are two Python scripts: 'poc-nextjs.py' targets a service on port 3000 (likely a Next.js application), and 'poc-waku.py' targets a service on port 8080 at the path '/RSC/x.txt' (possibly a Waku service). Both scripts attempt to trigger a Denial of Service (DoS) by sending a POST request with a file upload containing a suspicious payload. The scripts print a message indicating whether the target appears vulnerable. No detection-only scripts or fake exploits are present. The repository is a simple PoC with no advanced payloads or framework integration.
Recent activity
90 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously disclosed denial-of-service vulnerability in React Server Components.
An additional high-severity vulnerability detected by automated scanning against the same Next.js-hosted target; the content does not provide technical details beyond the scanner finding.
Referenced as an additional React Server Components-related CVE in the same cluster as React2Shell, without technical detail in the provided content.
A vulnerability in React Server Components, details not specified, disclosed December 11, 2024.