Share
## https://sploitus.com/exploit?id=76DCC668-3CA5-5CB0-82F5-BBC76D35E969
# React2Shell
A CLI tool to exploit prototype pollution vulnerabilities in React Server Components / Server Actions (CVE-2025-55182 & CVE-2025-66478), enabling remote code execution (RCE) on vulnerable servers.

**WARNING: This tool targets a critical vulnerability (CVSS 10.0) that is actively exploited in the wild.** Use **only** on systems you own or have explicit authorization to test.

## Legal Disclaimer
This tool is intended **solely for educational purposes, authorized security testing, penetration testing with permission, and vulnerability research**.

The author and contributors assume **no liability** for any misuse, damage, or legal consequences resulting from the use of this tool. You are fully responsible for ensuring your usage complies with all applicable laws, regulations, and terms of service.

Unauthorized use against systems without permission is illegal in most jurisdictions and may result in severe penalties.

## Installation

### From Source
```bash
git clone https://github.com/mantvmass/react2shell.git
cd react2shell
cargo build --release
```

The binary will be at `target/release/react2shell` (or `react2shell.exe` on Windows).

### Pre-compiled Binaries
Download from the [Releases](https://github.com/mantvmass/react2shell/releases) page.

## Usage
```bash
react2shell [COMMAND] [SOURCE]
```

### Commands
- `open `: Open an interactive reverse shell on the target (if vulnerable).
- `scan `: Scan a list of targets from a file (one URL per line) for vulnerability.

### Examples
```bash
# Open interactive shell
react2shell open http://vulnerable-target.com

# Scan multiple targets
react2shell scan targets.txt
```

## Affected Versions

### Next.js
Applications using **React Server Components** with the **App Router** are affected when running the following versions:

- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases

The following are **not affected**:

- Next.js 13.x
- Next.js 14.x (stable releases)
- Applications using the Pages Router
- Edge Runtime deployments

### React
The vulnerability exists in **React versions 19.0, 19.1.0, 19.1.1, and 19.2.0** within the following packages:

- `react-server-dom-webpack`
- `react-server-dom-parcel`
- `react-server-dom-turbopack`

Immediate upgrades to patched versions are strongly recommended, especially for production environments.


## Mitigation
The primary fix is to **upgrade** to patched versions of React and Next.js.

For Next.js applications, use the official automated fixer:

```bash
npx fix-react2shell-next
```

More info: [vercel-labs/fix-react2shell-next](https://github.com/vercel-labs/fix-react2shell-next)

See official advisories:
- React: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next.js: https://nextjs.org/blog/CVE-2025-66478

## License
This project is released for educational and authorized security research purposes only. All responsibility for usage lies with the end user.