Share
## https://sploitus.com/exploit?id=7CE8A7CE-2773-569B-98E6-59DDA043CA45
# CVE-2025-55182 Mass Payload Attack (React2Shell)

A modified Mass RCE Exploit script for **CVE-2025-55182 (React2Shell)** targeting Next.js applications.

This tool is a **modification** of the original PoC script by `pax-k`. While the original script targets a single host, this version is enhanced to support **mass scanning** from a list of URLs, automating payload injection, command execution, and output parsing for efficient vulnerability assessment.

## ๐Ÿš€ Features

- **Mass Exploitation**: Accepts a file containing a list of target URLs (`list.txt`).
- **Automated Parsing**: Extracts the RCE output directly from the Next.js error digest (strips away HTML/JSON noise).
- **Custom Commands**: Execute any shell command across multiple targets dynamically.
- **Fast & Lightweight**: Built using `curl`, `openssl`, and standard bash utilities.

## ๐Ÿ”— References & Credits

Big appreciation to the security researchers and teams who uncovered this vulnerability:

* **Original Exploit Script**: Based on [pax-k/react2shell-CVE-2025-55182-full-rce-script](https://github.com/pax-k/react2shell-CVE-2025-55182-full-rce-script).
* **Discovery**: **Lachlan Davidson** (Discovered and responsibly disclosed the vulnerability).
* **Official Next.js Advisory**: **CVE-2025-66478**.
* **NVD Entry**: **CVE-2025-55182**.
* **Threat Intelligence**: Validated by AWS, Wiz, and other teams tracking in-the-wild exploitation.

## ๐Ÿ“‹ Prerequisites

Ensure you have a Linux environment (Kali Linux, Ubuntu, etc.) with the following installed:
* `bash`
* `curl`
* `openssl`
* `grep` & `cut`

## ๐Ÿ› ๏ธ Installation

1.  Clone or download the script.
2.  Make the script executable:

    ```bash
    chmod +x mass-pwn.sh
    ```

## ๐Ÿ’ป Usage

### 1. Prepare Target List

Create a text file (e.g., `list.txt`) and add your target URLs line by line. Ensure you include the protocol (`http://` or `https://`).

```bash
nano list.txt
Format:

Plaintext

[https://target-one.com](https://target-one.com)
[http://vulnerable-site.net](http://vulnerable-site.net)
[https://testing.corp.local:3000](https://testing.corp.local:3000)
2. Run the Exploit
Run the script by providing the target list file and the command you want to execute.

Syntax:

Bash

./mass-pwn.sh  ""
Examples:

Check current user on all targets:

Bash

./mass-pwn.sh list.txt "whoami"
Check hostname:

Bash

./mass-pwn.sh list.txt "hostname"
Attempt to read system files (if vulnerable):

Bash

./mass-pwn.sh list.txt "cat /etc/passwd"
โš ๏ธ Legal Disclaimer
FOR EDUCATIONAL PURPOSES ONLY.

This tool is developed and distributed solely for security research, authorized penetration testing, and educational purposes.

No Liability: The author and contributors are NOT responsible for any damage, data loss, server compromise, or legal issues caused by the misuse of this tool.

No Unauthorized Use: Do not use this tool against systems, networks, or applications that you do not own or do not have explicit, written permission to test.

Legal Consequences: Unauthorized access to computer systems is illegal and punishable by law. You are solely responsible for your actions and any legal consequences that may arise.

By using this script, you agree that you understand these terms and will not use this tool for malicious purposes.