## https://sploitus.com/exploit?id=592AD523-CD79-5206-A374-43F8E2C1AEE3
# CVE-2025-55182 Security Lab ("React2Shell")
This repository contains a local academic lab for analyzing `CVE-2025-55182` in a controlled React Server Components environment. The lab simulates the vulnerability, its exploitation, and the applied patch.
## ๐ Repository Layout
### Core Applications
- **`app/vulnerable/`**: The vulnerable React application profile.
- `src/framework/entry.rsc.tsx`: Contains the **insecure deserialization** point where `__flight_action` payloads are executed via `execSync()`.
- Simulates the behavior of unpatched `react-server-dom-webpack@19.0.0`.
- **`app/patched/`**: The patched React application profile.
- `src/framework/entry.rsc.tsx`: Contains the **mitigation logic** that blocks `__flight_action` payloads with a 403 response before deserialization.
### Infrastructure & Execution
- **`infra/`**: Docker configurations for isolated execution.
- `docker-compose.yml`: Spins up both vulnerable (port 3100) and patched (port 3200) profiles.
- **`scripts/`**: Automation and exploit scripts.
- `exploit-shell.ps1`: An **interactive exploit shell** that leverages the vulnerability to provide a simulated remote terminal (`root@container$`).
- `run-scenarios.ps1`: Wrapper script to execute the automated evaluation tests in `tests/run-scenarios.mjs`.
- `start-lab.ps1`: Helper script to quickly start the Docker Compose environment.
- `stop-lab.ps1`: Helper script to shut down and clean up the Docker Compose environment.
- `demo-lab.ps1`: Alternative demo script that runs both apps locally (without Docker) and sends a sequence of test requests.
### Documentation & Evaluation
- **`report/`**: Contains the final analysis.
- `findings.md`: The comprehensive security report covering the attack chain, CVSS analysis, evaluation metrics, and mitigation recommendations.
- `CSE472_ProjectProposal_Revised.md`: The revised project proposal and methodology documentation.
- **`tests/`**: Automated evaluation.
- `run-scenarios.mjs`: Node.js script that runs normal, suspicious, and exploit scenarios against both profiles, calculating success and detection rates.
- **`logs/`**: Telemetry outputs.
- `vulnerable-requests.log` & `patched-requests.log`: Store detailed request traces, including `suspiciousReasons` for analysis.
---
## ๐ Quick Start Guide (For Downloaded Zip)
If you have downloaded this project as a `.zip` file from GitHub, follow these steps to run the lab and interact with the vulnerability simulation on your local machine.
### Prerequisites
1. **Docker Desktop** installed and running.
2. **Node.js** (v18 or higher) installed for running the test scripts.
3. **PowerShell** (available by default on Windows).
> **Note on PowerShell Execution Policy:** If you encounter an error stating that the script `cannot be loaded` or `is not digitally signed` when running `.ps1` files, you need to bypass the execution policy for your current session. Run this command in your PowerShell window before executing the scripts:
> ```powershell
> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
> ```
> *(Since the scope is "Process", you must run this command again in **every new PowerShell window or tab** you open!)*
### Step 1: Extract and Open
Extract the `.zip` file to your desired folder. Open a PowerShell window and navigate into the extracted project folder:
```powershell
cd path\to\extracted\folder
```
### Step 2: Start the Lab Environment
We use Docker to safely isolate the vulnerable application. Start the containers using the provided helper script:
```powershell
.\scripts\start-lab.ps1
```
*(Alternatively, you can manually run `cd infra; docker-compose up --build -d`)*
Once started:
- Vulnerable App runs on `http://localhost:3100`
- Patched App runs on `http://localhost:3200`
### Step 3: Access the Interactive Exploit Shell
With the environment running, you can test the Remote Code Execution (RCE) vulnerability by launching our simulated exploit shell. Open a new PowerShell tab/window and run:
```powershell
.\scripts\exploit-shell.ps1
```
This script acts as an attacker sending crafted payloads to the `.rsc` endpoint. Try running commands like:
- `whoami`
- `ls /workspace`
- `env`
- `cat /etc/passwd`
**To test the patched version:**
```powershell
.\scripts\exploit-shell.ps1 -Target "http://localhost:3200"
```
*You will notice the patched version blocks the request and returns a `[BLOCKED]` message.*
### Step 4: Run Automated Scenarios
To generate the evaluation metrics (Success Rate, Detection Rate), run the Node.js test script:
```powershell
node .\tests\run-scenarios.mjs
```
*(Or use the wrapper: `.\scripts\run-scenarios.ps1`)*
This will output a summary to the console and save a detailed JSON report in `tests/results/scenario-report.json`.
### Step 5: Stop the Lab
When you are done experimenting, you can safely shut down the containers to free up resources:
```powershell
.\scripts\stop-lab.ps1
```