Share
## https://sploitus.com/exploit?id=37FAA55E-B00D-55EC-8CDB-C813E615F63E
# React2Shell

![Language](https://img.shields.io/badge/Language-JavaScript-yellow?style=flat-square)
![CVE](https://img.shields.io/badge/2025--55182%20CRITICAL-red?style=flat-square&label=CVE)
![CVSS](https://img.shields.io/badge/CVSS_Score-10.0-black?style=flat-square)
![Target](https://img.shields.io/badge/Target-React_Server_Components-blue?style=flat-square)
![License](https://img.shields.io/badge/License-MIT-green?style=flat-square)

**React2Shell** is a proof-of-concept (`PoC`) exploit demonstrating a `CRITICAL` remote code execution (`RCE`) vulnerability in modern web frameworks using **React Server Components** (`RSC`).

This PoC targets **`CVE-2025-55182`**, a `CVSS 10.0` vulnerability that allows **unauthenticated remote attackers** to execute arbitrary system commands via insecure deserialization inside the React Server Components implementation.

---

## ๐Ÿ” Vulnerability Overview

**React2Shell** exploits a flaw in how React Server Components process untrusted input during the **rehydration** phase.

| Metric               | Details                                                                 |
| :------------------- | :---------------------------------------------------------------------- |
| **Severity**         | `CRITICAL (10.0 / 10.0)`                                                |
| **Vector**           | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`                         |
| **Attack Vector**    | `Network (Remote)`                                                      |
| **User Interaction** | `None`                                                                  |

The vulnerability originates in the underlying `react-server-dom-*` packages responsible for serializing and deserializing component trees.

---

## ๐Ÿ’ฅ Impact

Applications using affected versions of React Server Components may process malicious payloads in a way that leads to **remote code execution (`RCE`)** under the privileges of the server process.

An attacker can:

- Execute arbitrary system commands.
- Pivot into internal infrastructure.
- Exfiltrate sensitive data.
- Disrupt service availability.

If your deployment matches any of the vulnerable versions below and exposes RSC endpoints, you are **`vulnerable`**.

---

## ๐Ÿ“ฆ Affected Components

The vulnerability is present in versions `19.0.0`, `19.1.0`, `19.1.1`, and `19.2.0` of:

- `react-server-dom-parcel`
- `react-server-dom-webpack`
- `react-server-dom-turbopack`

---

## ๐ŸŽฏ Affected Frameworks & Versions

These packages are bundled into multiple frameworks, including but not limited to:

- **Next.js**
  - Versions `15.0.0` through `16.0.6`
  - Canary versions after `14.3.0-canary.76`
- **Other frameworks** using `RSC` (`v19.0.0โ€“19.2.0`), such as:
  - `Vite`
  - `Parcel`
  - `React Router`
  - `RedwoodSDK`
  - `Waku`

Any framework embedding the vulnerable React Server Components implementation is potentially affected.

---

## ๐Ÿ›  Features & Capabilities

React2Shell includes a modular payload generator designed to bypass common Node.js restrictions and WAF rules:

- **Standard Injection**
  - Uses `process.mainModule.require`  
  - Targets default `Next.js` / Webpack bundles.

- **Async Bypass**
  - Uses dynamic `import()` for strict ESM environments where `require` is unavailable.

- **Obfuscation**
  - Encodes sensitive strings (for example, `child_process`) into hex buffers to evade naive WAF signatures.

- **Module Fallback**
  - Leverages `module.createRequire` to load modules in alternative contexts.

- **Universal Targeting**
  - Configurable endpoints:
    - Next.js: root `/`
    - Waku: RSC endpoints such as `/RSC/foo.txt`

---

## ๐Ÿš€ Installation

### Prerequisites

- `Node.js` **v18.0.0** or higher.

### Setup

```bash
git clone https://github.com/rsch-io/CVE-2025-55182-React2Shell.git
cd CVE-2025-55182-React2Shell

npm install form-data
```

---

## ๐Ÿ“– Usage

React2Shell is intended to be imported as a module into your own testing scripts.

### 1. Basic Exploit (Next.js Target)

Create a file named `exploit.js`:

```javascript
const React2Shell = require('./src/react2shell');

// Initialize with target base URL
const target = new React2Shell('http://localhost:3000');

// Execute command using the "standard" strategy
// Arguments: execute(command, endpoint, strategy)
target.execute('whoami', '/', 'standard');
```

Then run:

```bash
node exploit.js
```

> **Note**  
> - `endpoint` should be set to an RSC-enabled route (for example, `/`, `/RSC/foo.txt`, or framework-specific RSC endpoints).  
> - `strategy` can be changed (for example, `standard`, `async`, `obfuscated`, or any other strategy implemented in `react2shell`).

---

### 2. Targeting Waku / Custom Endpoints

Waku and other frameworks often expose RSC handling on specific routes:

```javascript
// Target a Waku application
// Note: Use 'async' strategy as Waku often runs in strict ESM
target.execute('ls -la', '/RSC/foo.txt', 'async');
```

---

### 3. WAF Evasion Mode

If the server blocks strings containing `child_process`, you can use the `obfuscated` strategy:

```javascript
target.execute('cat /etc/passwd', '/', 'obfuscated');
```

---

## ๐Ÿ›ก๏ธ Resolution & Remediation

`Update immediately.` Updated releases of React and affected downstream frameworks include hardened handling of user inputs to prevent unintended behavior.  
All users should upgrade to a **patched** version as soon as possible.

### โœ… Fixed Versions List

Below is the definitive list of patched versions. If your deployed version is lower than these, you are **`vulnerable`**.

| Software / Package | Branch / Type | ๐Ÿ›ก๏ธ Fixed / Safe Version(s)                               |
| ------------------ | ------------ | -------------------------------------------------------- |
| `React`            | Stable       | `19.0.1`, `19.1.2`, `19.2.1`                            |
| `Next.js`          | v15 (Stable) | `15.0.5`, `15.1.9`, `15.2.6`, `15.3.6`, `15.4.8`, `15.5.7` |
| `Next.js`          | v16 (Stable) | `16.0.7`                                                 |
| `Next.js`          | Canary       | `15.6.0-canary.58`                                      |

> **Warning for Next.js 14 users**  
> If you are using `Next.js 14.3.0-canary.77` or a later canary release, you are **`vulnerable`**.  
> You must downgrade to the latest stable `14.x` release immediately, as the vulnerability affects the experimental RSC implementation present in those canary builds.

---

## โš ๏ธ Disclaimer

This project is provided **for `educational` and authorized security testing purposes only**.  
Using this tool against systems **without explicit permission** is illegal and unethical.

The author(s) assume **no liability** for any misuse or damage caused by this tool.

---

## ๐Ÿ“„ License

This project is licensed under the **MIT License**. See the `LICENSE` file for details.