Share
## https://sploitus.com/exploit?id=B6DF5D9C-E504-5322-8574-48D65B0CE00F
# fix-react2shell

A CLI tool to detect and fix the critical **CVE-2025-55182** (React2Shell) vulnerability in React Server Components and Next.js applications.

## The Vulnerability

**CVE-2025-55182** is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability affecting:

- **React Server DOM packages** (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0)
- **Next.js** (versions 14.3.0-canary.77 through unpatched 15.x and 16.x)

The vulnerability is an unsafe deserialization flaw in the React Server Components Flight protocol. Exploitation requires only a crafted HTTP request, and public exploit code is available.

**There is no workaround** โ€” upgrading to a patched version is required.

### More Information

- [React Official Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
- [Vercel Summary](https://vercel.com/changelog/cve-2025-55182)

## Installation

### Option 1: Run directly with npx

```bash
npx @amirmalek/fix-react2shell
```

### Option 2: Clone this repository

```bash
git clone https://github.com/amir-malek/react-cve-2025-55182.git
cd react-cve-2025-55182
node fix-react2shell.js
```

### Option 3: Download the script

```bash
curl -O https://raw.githubusercontent.com/amir-malek/react-cve-2025-55182/main/fix-react2shell.js
node fix-react2shell.js
```

## Usage

Navigate to your React/Next.js project directory and run:

```bash
# Dry-run mode (default) - shows what would be upgraded
npx @amirmalek/fix-react2shell

# Actually perform the upgrades
npx @amirmalek/fix-react2shell --fix

# Show detailed version information
npx @amirmalek/fix-react2shell --verbose

# Show help
npx @amirmalek/fix-react2shell --help
```

## Example Output

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘        CVE-2025-55182 (React2Shell) Vulnerability Scanner    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Package manager: yarn
Project: my-nextjs-app

โš  Found 1 vulnerable package(s):

  โœ— next
    Current: 15.3.5 โ†’ Safe: 15.3.7

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
DRY RUN MODE - No changes made.
Run with --fix to upgrade packages.

Command that would be run:
  yarn add next@15.3.7
```

## Features

- **Smart Detection** โ€” Only flags actually vulnerable versions, not all React 19 projects
- **Multi-Package Manager Support** โ€” Automatically detects and uses npm, yarn, or pnpm
- **Safe by Default** โ€” Runs in dry-run mode unless `--fix` is explicitly passed
- **Zero Dependencies** โ€” Uses only Node.js built-in modules
- **Portable** โ€” Works in any project directory

## Vulnerable Versions

### React Server DOM Packages

| Package | Vulnerable | Safe |
|---------|-----------|------|
| `react-server-dom-webpack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-parcel` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-turbopack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |

### Next.js

| Branch | Safe Version |
|--------|-------------|
| 15.0.x | 15.0.5 |
| 15.1.x | 15.1.9 |
| 15.2.x | 15.2.6 |
| 15.3.x | 15.3.7 |
| 15.4.x | 15.4.8 |
| 15.5.x | 15.5.7 |
| 16.0.x | 16.0.7 |

## After Upgrading

Once you have patched your versions and redeployed your application, it is **strongly recommended** to:

1. **Rotate all application secrets** (API keys, database credentials, JWT secrets, etc.)
2. **Review application logs** for any signs of prior exploitation
3. **Audit your infrastructure** if you suspect compromise

## License

MIT

## Contributing

Issues and pull requests are welcome at [github.com/amir-malek/react-cve-2025-55182](https://github.com/amir-malek/react-cve-2025-55182).