CVE-2025-5182

MEDIUM

Summer Pearl Group Vacation Rental Management Platform < 1.0.2 - Authorization Bypass in Listing Handler

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5182. PoCs published by vulnvault.

AI-analyzed exploit summary: This is a detailed technical walkthrough of CVE-2025-55182, a deserialization vulnerability in React Server Components (RSC) leading to RCE, followed by a privilege escalation via log poisoning. It includes exploit logic, payload templates, and step-by-step instructions.

Description

A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. It affects unknown code in the Listing Handler component. Manipulation leads to an authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 addresses this issue, and upgrading the affected component is recommended.

Exploits (1)

nomisec WRITEUP
by vulnvault · poc
https://github.com/vulnvault/react2shell

This is a detailed technical walkthrough of CVE-2025-55182, a deserialization vulnerability in React Server Components (RSC) leading to RCE, followed by a privilege escalation via log poisoning. It includes exploit logic, payload templates, and step-by-step instructions.

Classification: Writeup 95%
Attack Type: RCE | Deserialization
Complexity: Complex
Reliability: Reliable
Target: Next.js (React Server Components)
No auth needed
Prerequisites: Access to the target web application · Ability to intercept/modify HTTP requests (e.g., Burp Suite)
devstral-2 · analyzed Feb 19, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry
https://vuldb.com/?id.310270
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.310270

Scores

CVSS v3 4.3
EPSS 0.0035
EPSS Percentile 26.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-639, CWE-285
Status published
Products (1)
summerpearlgroup/vacation_rental_management_platform < 1.0.2
Published May 26, 2025
Tracked Since Feb 18, 2026