zlacker

[parent] [thread] 10 comments
1. ejpir+(OP)[view] [source] 2025-12-03 21:18:06
I fumbled around a bit and got it working, but not entirely sure if this is how it really works: have a look at https://github.com/ejpir/CVE-2025-55182-poc
replies(6): >>croeme+Gm >>WatchD+wy >>slopfi+q11 >>orkj+c31 >>slop-c+rs1 >>lionko+GM1
2. croeme+Gm[view] [source] 2025-12-03 23:21:52
>>ejpir+(OP)
Thanks for the writeup, it's incredible!
replies(1): >>croeme+uz1
3. WatchD+wy[view] [source] 2025-12-04 00:47:34
>>ejpir+(OP)
I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct, can you demo it with an actual nextjs project, instead of your mock server?

replies(2): >>ejpir+bA >>ejpir+jE
4. ejpir+bA[view] [source] [discussion] 2025-12-04 01:00:10
>>WatchD+wy
I'm trying that, nextjs is a little different because it uses a Proxy object before it passes through, which blocks the rce.

I'm debugging it currently, maybe I'm not on the right path after all.

5. ejpir+jE[view] [source] [discussion] 2025-12-04 01:40:48
>>WatchD+wy
I've updated the code, try it now with server-realistic.js:

1. npm start
2. npm run exploit

6. slopfi+q11[view] [source] 2025-12-04 05:48:17
>>ejpir+(OP)
Your lump of AI-generated slop has detracted from the response to an important vulnerability. Congratulations. Your PoC is invalid and you should delete it.
replies(1): >>jondwi+M61
7. orkj+c31[view] [source] 2025-12-04 06:09:35
>>ejpir+(OP)
Very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability

8. jondwi+M61[view] [source] [discussion] 2025-12-04 06:49:10
>>slopfi+q11
HMU, proud owner of slopcop.ai and have been itching to put it to good use.
9. slop-c+rs1[view] [source] 2025-12-04 10:13:18
>>ejpir+(OP)
The guy who discovered the actual vulnerability says otherwise.

Delete this distraction to genuine blue teamers and stop shitting up the information landscape with this utter hogwash.

This is why infosec is dead.

https://react2shell.com/

https://github.com/ejpir/CVE-2025-55182-poc/issues/1#issueco...

10. croeme+uz1[view] [source] [discussion] 2025-12-04 11:20:58
>>croeme+Gm
The PoC is AI generated crap - sorry for the initial comment lauding it. I should have checked better. See: https://github.com/ejpir/CVE-2025-55182-poc/issues/1 and https://react2shell.com/
11. lionko+GM1[view] [source] 2025-12-04 12:55:56
>>ejpir+(OP)
FYI as of just now, the author has (correctly) added a disclaimer that this PoC doesn't quite work.