## https://sploitus.com/exploit?id=B6DF5D9C-E504-5322-8574-48D65B0CE00F
# fix-react2shell
A CLI tool to detect and fix the critical **CVE-2025-55182** (React2Shell) vulnerability in React Server Components and Next.js applications.
## The Vulnerability
**CVE-2025-55182** is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability affecting:
- **React Server DOM packages** (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0)
- **Next.js** (versions 14.3.0-canary.77 through unpatched 15.x and 16.x)
The vulnerability is an unsafe deserialization flaw in the React Server Components Flight protocol. Exploitation requires only a crafted HTTP request, and public exploit code is available.
**There is no workaround** โ upgrading to a patched version is required.
### More Information
- [React Official Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
- [Vercel Summary](https://vercel.com/changelog/cve-2025-55182)
## Installation
### Option 1: Run directly with npx
```bash
npx @amirmalek/fix-react2shell
```
### Option 2: Clone this repository
```bash
git clone https://github.com/amir-malek/react-cve-2025-55182.git
cd react-cve-2025-55182
node fix-react2shell.js
```
### Option 3: Download the script
```bash
curl -O https://raw.githubusercontent.com/amir-malek/react-cve-2025-55182/main/fix-react2shell.js
node fix-react2shell.js
```
## Usage
Navigate to your React/Next.js project directory and run:
```bash
# Dry-run mode (default) - shows what would be upgraded
npx @amirmalek/fix-react2shell
# Actually perform the upgrades
npx @amirmalek/fix-react2shell --fix
# Show detailed version information
npx @amirmalek/fix-react2shell --verbose
# Show help
npx @amirmalek/fix-react2shell --help
```
## Example Output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2025-55182 (React2Shell) Vulnerability Scanner โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Package manager: yarn
Project: my-nextjs-app
โ Found 1 vulnerable package(s):
โ next
Current: 15.3.5 โ Safe: 15.3.7
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
DRY RUN MODE - No changes made.
Run with --fix to upgrade packages.
Command that would be run:
yarn add next@15.3.7
```
## Features
- **Smart Detection** โ Only flags actually vulnerable versions, not all React 19 projects
- **Multi-Package Manager Support** โ Automatically detects and uses npm, yarn, or pnpm
- **Safe by Default** โ Runs in dry-run mode unless `--fix` is explicitly passed
- **Zero Dependencies** โ Uses only Node.js built-in modules
- **Portable** โ Works in any project directory
## Vulnerable Versions
### React Server DOM Packages
| Package | Vulnerable | Safe |
|---------|-----------|------|
| `react-server-dom-webpack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-parcel` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-turbopack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
### Next.js
| Branch | Safe Version |
|--------|-------------|
| 15.0.x | 15.0.5 |
| 15.1.x | 15.1.9 |
| 15.2.x | 15.2.6 |
| 15.3.x | 15.3.7 |
| 15.4.x | 15.4.8 |
| 15.5.x | 15.5.7 |
| 16.0.x | 16.0.7 |
## After Upgrading
Once you have patched your versions and redeployed your application, it is **strongly recommended** to:
1. **Rotate all application secrets** (API keys, database credentials, JWT secrets, etc.)
2. **Review application logs** for any signs of prior exploitation
3. **Audit your infrastructure** if you suspect compromise
## License
MIT
## Contributing
Issues and pull requests are welcome at [github.com/amir-malek/react-cve-2025-55182](https://github.com/amir-malek/react-cve-2025-55182).