{"uuid": "98411df9-5ff9-4e2b-a020-d9844c0d563d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-55182", "type": "seen", "source": "https://gist.github.com/CN-LUOJC/2394d495713e55d1e779b76d88290c63", "content": "# POC for CVE-2025-55182 that works on Next.js 16.0.6\n\n## Core idea\n\nUse the [`$@`](https://github.com/facebook/react/blob/7aa5dda3b3e4c2baa905a59b922ae7ec14734b24/packages/react-server/src/ReactFlightReplyServer.js#L921) deserialization to get a `Chunk` reference, and put [`Chunk.prototype.then`](https://github.com/facebook/react/blob/7aa5dda3b3e4c2baa905a59b922ae7ec14734b24/packages/react-server/src/ReactFlightReplyServer.js#L131) as the `then` property of the root object. Then `then` would be invoked with the root object as `this`/`chunk` when it is awaited/resolved.\n\nBy setting the `status` to `RESOLVED_MODEL`, now we can call [`initializeModelChunk`](https://github.com/facebook/react/blob/7aa5dda3b3e4c2baa905a59b922ae7ec14734b24/packages/react-server/src/ReactFlightReplyServer.js#L444) with a fake chunk that is completely in our control. This is particularly useful since it and its related functions call many methods from the `chunk._response` object.\n\n## Exploit\n\nThe target is to trigger the [Blob deserialization](https://github.com/facebook/react/blob/7aa5dda3b3e4c2baa905a59b922ae7ec14734b24/packages/react-server/src/ReactFlightReplyServer.js#L1057-L1066), which calls `response._formData.get` with payload from `response._prefix` and returns the result directly. So all we need is to set `response._formData.get` to `Function` so the returned result would be a function with attacker controlled code, then put that to `then` again so it would be executed.\n", "creation_timestamp": "2026-06-29T07:35:38.394437Z"}