## https://sploitus.com/exploit?id=0B85EACE-2BD0-5B78-BED8-7DE51F5805C3
# CVE-2025-55182 (React2Shell) Exploit
## Overview
CVE-2025-55182, also known as "React2Shell," is a critical remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks like Next.js. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests.
## Vulnerability Details
- **CVE ID**: CVE-2025-55182
- **CVSS Score**: 10.0 (Critical)
- **Type**: Remote Code Execution (RCE)
- **Root Cause**: Unsafe deserialization of untrusted payloads within the RSC "Flight" protocol
### Affected Versions
**React Server Components:**
- Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:
- `react-server-dom-webpack`
- `react-server-dom-parcel`
- `react-server-dom-turbopack`
**Next.js:**
- Versions 15.x, 16.x
- Version 14.3.0-canary.77 and later canary releases
### Patched Versions
**React Server Components:**
- Versions 19.0.1, 19.1.2, and 19.2.1
**Next.js:**
- Versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7
## Exploit Script
The `exploit.py` script tests for CVE-2025-55182 by:
1. **Reconnaissance**: Detecting Next.js framework and identifying RSC endpoints
2. **Payload Generation**: Creating multiple payload variations targeting the deserialization vulnerability
3. **Exploitation Attempts**: Sending crafted RSC Flight protocol payloads to various endpoints
4. **Response Analysis**: Analyzing responses for signs of code execution
### Usage
```bash
python3 exploit.py [command]
```
Example:
```bash
python3 exploit.py https://www.banimode.com "id"
```
### Features
- Multiple payload variations (10 different approaches)
- Tests multiple RSC endpoints
- Information disclosure checks
- Response analysis and saving
- Detailed logging and debugging output
## Testing Results for https://www.banimode.com
### Findings
1. **Framework Detection**: โ Next.js detected
- Found `_next` indicators in response
- RSC headers present: `Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch`
2. **Endpoint Testing**:
- `/__rsc`: 404 (Not found)
- `/_next/static/chunks/__rsc`: 200 (Returns RSC format)
- `/_next/data`: 200 (Returns RSC format)
- `/_next/rsc`: 200 (Returns RSC format)
- `/_next/server`: 200 (Returns RSC format)
3. **Vulnerability Status**:
- The site accepts RSC requests and returns proper RSC Flight protocol responses
- However, the exploit payloads did not trigger code execution
- **Possible reasons**:
- Site may be patched (using patched Next.js version)
- Payload format may need refinement
- Vulnerability may require specific conditions not met
### Response Analysis
The server returns valid RSC Flight protocol responses with format:
```
M1
0:["0wOAEu-W1W9uOw87-tuGB",[...]]
3:I[4707,[],""]
4:["id","_next","d"]
...
```
This indicates the server is processing RSC requests but may be:
- Patched against the vulnerability
- Using a version that's not vulnerable
- Requiring a different payload format
## Payload Variations
The exploit attempts 10 different payload variations:
1. Direct function reference with eval
2. Constructor-based RCE
3. Module require exploit
4. Direct require function call
5. JSON-based function reference
6. Process binding exploit
7. VM module exploit
8. Prototype pollution attempt
9. RSC format matching server responses
10. GlobalThis-based exploit
## Important Notes
โ ๏ธ **Legal and Ethical Considerations:**
- Only test systems you own or have explicit written permission to test
- Unauthorized testing is illegal and unethical
- This exploit is for educational and authorized security testing purposes only
## Mitigation
If a system is found to be vulnerable:
1. **Immediate Action**: Update to patched versions immediately
2. **React**: Update to 19.0.1, 19.1.2, or 19.2.1
3. **Next.js**: Update to patched versions (15.0.5+, 15.1.9+, etc.)
4. **Monitoring**: Check server logs for exploitation attempts
5. **WAF Rules**: Implement WAF rules to detect malicious RSC payloads
## References
- [React Security Advisory](https://react.dev/blog/2025/12/03/security-advisory-cve-2025-55182)
- [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
- [Wiz.io Analysis](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [Datadog Security Labs](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
## Files
- `exploit.py`: Main exploit script
- `README.md`: This documentation
- `exploit_responses/`: Directory containing saved responses for analysis
## Disclaimer
This exploit is provided for educational purposes and authorized security testing only. The authors are not responsible for any misuse of this code.