## https://sploitus.com/exploit?id=BF8189AB-F7C9-5834-8090-866477989E81
# CVE-2025-55182 Scanner & Exploit Lab
This repository contains a comprehensive scanner and exploit tool for **CVE-2025-55182**, a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC). It also includes a realistic "Lab Environment" to safely test and understand the vulnerability.
## โ ๏ธ Disclaimer
**This tool is for educational and authorized testing purposes only.** Do not use this tool on systems you do not own or have explicit permission to test. The authors are not responsible for any misuse.
## Project Structure
* `CVE-2025-55182.py`: The main Python tool for scanning and exploiting.
* `server.js`: A vulnerable Node.js server (React 19.0.0).
* `index.html`: The lab UI (System Dashboard).
* `flag.txt`: The capture-the-flag target (protected from web access).
* `Dockerfile`: For containerizing the lab.
* `vulnerability.md`: Detailed technical analysis of the CVE.
## Lab Setup
### Option 1: Docker (Recommended)
Build and run the vulnerable container:
```bash
docker build -t cve-2025-55182-lab .
docker run -p 3002:3002 cve-2025-55182-lab
```
Access the lab at `http://localhost:3002`.
### Option 2: Manual Setup
Requires Node.js 18+.
```bash
npm install
npm start
```
## Tool Usage
### Scan Mode
Check if a target is vulnerable.
```bash
python3 CVE-2025-55182.py scan -u http://localhost:3002/formaction
```
* `-u `: Target URL.
* `-f `: File containing list of URLs.
### Exploit Mode
Open an interactive shell on the target.
```bash
python3 CVE-2025-55182.py exploit -u http://localhost:3002/formaction
```
Once in the shell, you can execute commands like `ls`, `whoami`, or `cat flag.txt`.
## The Challenge
The lab features a **Restricted Area**. The file `flag.txt` is located on the server but is configured to return a **403 Forbidden** (simulated 404) when accessed via the web browser.
**Goal:** Use the exploit tool to bypass the web restriction and read the content of `flag.txt`.
## Vulnerability Details
See [VULNERABILITY.md](VULNERABILITY.md) for a deep dive into the root cause, gadget chains, and remediation.