## https://sploitus.com/exploit?id=4AAF9E9B-A9AC-56F6-9743-5B6764154CA6
# Original PoCs for CVE-2025-55182
As public PoCs are circulating and [Google's Scanner](https://github.com/google/tsunami-security-scanner-plugins/commit/107447fda6ab86aa1ed703af9560a98d7c16f104) uses a variation of my original submitted PoC, it's finally a responsible time to share my original PoCs for [React2Shell](https://react2shell.com).
This repository contains 3 PoCs:
- `00-very-first-rce-poc` - the very first PoC I managed to develop for RCE. Only directly works on dev builds of Next.js sites that use Webpack.
- `01-submitted-poc.js` (the main one) - the exact PoC I submitted to Meta, far simpler and effective
- `02-meow-rce-poc` - the PoC hashed and [posted as proof by Sylvie](https://twitter.com/_sy1vi3/status/1994948792295330278) on November 29th, shortly before initial disclosure to Meta
## TL;DR
Many other people have explained their PoCs, but here's my very brief explainer:
- `$@x` gives you access to a `Chunk`
- We plant its `then` on our own object
- The JS runtime automatically unravels nested promises (really, anything with a `.then` function)
- We now re-enter the parser, but with control of a malicious fake `Chunk` object
- Planting things on `_response` lets us access a _lot_ of gadgets when this happens
- (insert several options here)
- RCE
## Some Differences in PoC
You might notice my PoC has a funny thing going on in `then`. This was a nice primitive I was using for 'chaining' multiple chunks together, where `resolve` is passed to `Array.map` to let me "hop" to another chunk defined in `$0`.
The publicly recreated PoC circulating doesn't do this, as it's not necessary when just doing a single jump. It was nice to see that the re-created PoC did otherwise use the same `_formData` gadget that mine did - but the `00-` PoC is a wild ride, if you dare try to read it :)
## Full Writeup
Soon.