Share
## https://sploitus.com/exploit?id=676E78A9-62AB-5746-8E1A-9F2EA237FB48
# CVE-2025-55182 (React2Shell) Reproduction Environment

> **โš ๏ธ EDUCATIONAL PURPOSE ONLY**
>
> This repository is created strictly for educational and research purposes. It demonstrates a critical vulnerability in React Server Components (Next.js) to help developers understand the risks and importance of updating their dependencies.
>
> **DO NOT USE THIS CODE IN PRODUCTION OR AGAINST SYSTEMS YOU DO NOT OWN.**

## Overview

This project reproduces **CVE-2025-55182** (also known as "React2Shell"), a Remote Code Execution (RCE) vulnerability affecting React Server Components in Next.js applications.

- **Vulnerability:** Unauthenticated RCE via Prototype Pollution in RSC parser.
- **Affected Versions:** React < 19.0.0 (specifically experimental builds), Next.js < 15.0.3 (specifically 15.0.0 in this demo).
- **Mechanism:** The attacker sends a crafted `multipart/form-data` request that exploits the deserialization logic of React Server Components to execute arbitrary JavaScript code on the server.

## Project Structure

- **`app/page.js`**: Contains the **Interactive Exploit Dashboard**. This Client Component allows you to run RCE commands directly from the browser.
- **`app/actions.js`**: Contains a standard Server Action. The vulnerability lies in the framework's parsing logic before this action is executed.
- **`exploit.js`**: A standalone Node.js script to demonstrate the exploit programmatically.


## Setup & Installation

### Prerequisites
- Node.js (v18 or later recommended)
- NPM
- (Optional) [nvm](https://github.com/nvm-sh/nvm) for version management

### Installation

1.  Clone the repository:
    ```bash
    git clone https://github.com/pkrasulia/CVE-2025-55182-NextJS-RCE-PoC.git
    cd react-cve-test
    ```

2.  (Optional) Use the correct Node.js version:
    ```bash
    nvm use
    ```

3.  Install dependencies (this will install the vulnerable versions):
    ```bash
    npm ci --legacy-peer-deps
    # OR
    npm install --force
    ```

4.  Start the development server:
    ```bash
    npm run dev
    ```

The server should start on `http://localhost:3000`.

## How to Reproduce RCE

### Method 1: Interactive Dashboard (Recommended)

1.  Open `http://localhost:3000` in your browser.
2.  You will see the "CVE-2025-55182 Demo" page.
3.  In the **Attacker Panel**, enter a command (e.g., `whoami`, `ls -la`, or `cat package.json`).
4.  Click **SEND EXPLOIT**.
5.  Observe the command output in the **Attack Terminal** on the right.

### Method 2: Command Line (Node.js)

You can run the exploit script directly from your terminal:

```bash
# Basic usage
node exploit.js http://localhost:3000 "whoami"

# Open Calculator (Linux) - use '&' to run in background
node exploit.js http://localhost:3000 "gnome-calculator &"
```

## Mitigation

To fix this vulnerability in your own projects:

1.  **Update Next.js**: Upgrade to Next.js **15.0.3** or later.
    ```bash
    npm install next@latest react@latest react-dom@latest
    ```
2.  **Audit Dependencies**: Ensure no other packages are forcing older versions of React/Next.js.

## Disclaimer

The author is not responsible for any misuse of this information. This project is intended to help security researchers and developers improve the security of their applications.