Share
## https://sploitus.com/exploit?id=C396F3CF-1130-57A6-835A-BBFF6CAA9620
# React2Shell PoC (CVE-2025-55182)

A Proof-of-Concept (PoC) script for **React2Shell** (CVE-2025-55182), a critical remote code execution (RCE) vulnerability affecting Next.js applications using Server Actions.

> [!WARNING]
> **Disclaimer**: This tool is for educational and authorized testing purposes only. I am not responsible for any misuse.

## Description

This script exploits an insecure deserialization vulnerability in the React Server Components "Flight" protocol. It allows unauthenticated attackers to execute arbitrary JavaScript code on the server, leading to partial Remote Code Execution (RCE).

## Features

- **Robust Payload**: Uses a compatibility check to find `require` (`global.require` or via the module constructor), ensuring it works on modern Node.js versions (v14+).
- **Dynamic Configuration**: Specify target URL and command via CLI flags.
- **Error Handling**: Graceful handling of connection errors.

## Installation

1.  Clone the repository.
2.  Install dependencies:

```bash
pip install -r requirements.txt
```

## Usage

```bash
python3 react2shell.py -u  [-c ]
```

| Argument | Description | Default |
| :--- | :--- | :--- |
| `-u`, `--url` | **Required**. The target URL (e.g., `http://localhost:3000/`). | N/A |
| `-c`, `--cmd` | Optional. The command to execute on the server. | `id` |

### Examples

**Check user identity:**
```bash
python3 react2shell.py -u http://127.0.0.1:3000/
```

**List directory contents:**
```bash
python3 react2shell.py -u http://127.0.0.1:3000/ -c "ls -la"
```

**Read a sensitive file:**
```bash
python3 react2shell.py -u http://127.0.0.1:3000/ -c "cat /etc/passwd"
```

## Technical Analysis

The exploit leverages a **Prototype Pollution** and **Insecure Deserialization** chain within the Next.js Server Actions handling of React Server Components (RSC).

1.  **Entry Point**: The `Next-Action` header signals the server to process a Server Action.
2.  **Prototype Pollution**: The JSON payload injects a malicious `then` property (`"$1:__proto__:then"`). This tricks the server's asynchronous request handler into treating the payload as a "Thenable" (Promise-like object).
3.  **Code Injection**: When the server attempts to resolve this fake Promise, it processes the `_response` object. The `_prefix` field is normally used for internal stream buffering, but by manipulating it, we can inject raw JavaScript.
4.  **Sandbox Bypass**: In modern Next.js/Webpack environments, the `require` function is often stripped from the global scope to prevent RCE. The script bypasses this by traversing the `process.mainModule` prototype chain:
    ```javascript
    var require = global.require || global.process.mainModule.constructor._load;
    ```
    This retrieves the internal module loader, allowing us to import `child_process` and execute system commands.
5.  **Execution and Exfiltration**: The injected code runs synchronously (`execSync`), and the output is thrown as an Error object. This error is serialized and returned to the client in the HTTP response body, allowing us to see the command output.

## Acknowledgements

This tool was developed with the assistance of **Gemini 3 Pro**.