zlacker

[return to "RCE Vulnerability in React and Next.js"]
1. ejpir+u61[view] [source] 2025-12-03 21:18:06
>>rayhaa+(OP)
I'm fumbled around a bit and got it working, but not entirely sure if this is how it really works: have a look at https://github.com/ejpir/CVE-2025-55182-poc
◧◩
2. WatchD+0F1[view] [source] 2025-12-04 00:47:34
>>ejpir+u61
I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct, can you demo it with an actual nextjs project, instead of your mock server?

◧◩◪
3. ejpir+NK1[view] [source] 2025-12-04 01:40:48
>>WatchD+0F1
I'v updated the code, try it now with server-realistic.js:

1. npm start 2. npm run exploit

[go to top]