# RSC - CVE-2025-55182

CVE‑2025‑55182 ("React2Shell") is a critical <mark style="color:red;">**remote code execution**</mark> vulnerability affecting React Server Components (RSC), specifically versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of client-supplied payloads, which can allow an attacker to execute arbitrary code on the server without authentication. Even applications with minimal RSC usage may be exposed if server functions are exposed.

Exploitation can lead to full server compromise, including complete loss of confidentiality, integrity, and availability.

**CVSS 3.1 Score:** <mark style="color:red;">**10.0**</mark>\
**Vector:** `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`

The flaw is not limited to the core React Server Components packages (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`) but also affects frameworks and libraries that bundle RSC functionality. Notably, Next.js App Router versions >=14.3.0-canary.77, >=15, and >=16 are impacted. This Next.js-specific issue has been assigned CVE-2025-66478 (CVSS score: 10.0), with patched releases now available. Other affected ecosystems include Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku. This highlights the broad potential impact for any application using bundled server components.

### Root cause

In `requireModule()`, exports are accessed via bracket notation without `hasOwnProperty` check:

```diff
@@ -78,7 +80,10 @@ export function preloadModule<T>(
 
 export function requireModule<T>(metadata: ClientReference<T>): T {
   const moduleExports = parcelRequire(metadata[ID]);
-  return moduleExports[metadata[NAME]];
+  if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
+    return moduleExports[metadata[NAME]];
+  }
+  return (undefined: any);
 }
```

[Source code here](https://github.com/facebook/react/pull/35277/commits/e2fd5dc6ad973dd3f220056404d0ae0a8707998d#diff-96c734fde34b293e002f21d37d8e3cdbabf57f11f08804eb9957291079af0256).&#x20;

***

## POC || GTFO

To test this vulnerability I've created a dev environment using Docker. All files are available on my [Github](https://github.com/0xPThree/cve-2025-55182/).

```bash
kiot :: ~/react2shell » docker compose build
kiot :: ~/react2shell » docker compose up -d
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xpthree.gitbook.io/notes/exploits-pocs/react/rsc-cve-2025-55182.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.