Share
## https://sploitus.com/exploit?id=C680DC1C-F3AB-514C-BB39-EE0677352123
# πŸ”₯React2Shell - CVE-2025-55182 / CVE-2025-66478 Proof of Concept

[![Docker Image Size](https://img.shields.io/docker/image-size/ihsansencan/react2shell/latest)](https://hub.docker.com/r/ihsansencan/react2shell)
[![Docker Pulls](https://img.shields.io/docker/pulls/ihsansencan/react2shell)](https://hub.docker.com/r/ihsansencan/react2shell)
[![Docker Stars](https://img.shields.io/docker/stars/ihsansencan/react2shell)](https://hub.docker.com/r/ihsansencan/react2shell)
[![GitHub license](https://img.shields.io/github/license/ihsansencan/React2Shell-CVE-2025-55182)](https://github.com/ihsansencan/React2Shell-CVE-2025-55182/blob/main/LICENSE)

> **Critical Security Vulnerability Demo** - CVSS 10.0 - Remote Code Execution in React Server Components

## ⚠️DISCLAIMER
**FOR EDUCATIONAL PURPOSES ONLY!**  
This repository demonstrates a critical security vulnerability.  
Never use on production systems or exposed networks.

## 🚨Vulnerability Details
- **CVE ID:** CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)
- **CVSS Score:** 10.0 (CRITICAL)
- **Affected:** Next.js 15.0.0 with React Server Components
- **Vulnerability:** Remote Code Execution via RSC protocol
- **Fixed in:** next@15.0.5, next@15.1.9, next@16.0.7

## 🐳 Docker Hub
## https://hub.docker.com/r/ihsansencan/react2shell
```bash
# Pull and run directly
docker run -p 3000:3000 ihsansencan/react2shell:latest

# CVE
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-55182
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-66478

# Versioned
docker run -p 3000:3000 ihsansencan/react2shell:v1.0

```

## πŸ› οΈQuick Start
```bash
# 1. Build the vulnerable container
docker build -t cve-2025-55182-poc .

# 2. Run the demo
docker run -p 3000:3000 --name react2shell cve-2025-55182-poc

# 3. Open browser
# http://localhost:3000
```
## πŸ”§ Features
 - -Modern UI pretending to be a "code playground"
 - Interactive RCE interface
 - Multiple payload examples
 - Real-time execution results
 - Educational exploit demonstration

##  πŸ›‘οΈ Security Impact
The vulnerability allows:
 - Remote command execution as root
 - Filesystem access
 - Network reconnaissance
 - Potential container escape
 - Full system compromise

πŸ“ Project Structure
```text
/react2shell-cve-2025-55182/
β”œβ”€β”€ Dockerfile        # Vulnerable container setup
β”œβ”€β”€ pages/
β”‚   β”œβ”€β”€ index.js      # Frontend UI (disguised as dev tool)
β”‚   └── api/
β”‚       └── rce.js    # Vulnerable RCE endpoint
β”œβ”€β”€ package.json      # Next.js 15.0.0 (vulnerable)
└── README.md
└── LICENSE
β”œβ”€β”€ img/
β”‚   β”œβ”€β”€ demo1.png     # Demo 1 img
β”‚   β”œβ”€β”€ demo2.png     # Demo 1 img
β”‚   β”œβ”€β”€ demo3.png     # Demo 1 img
β”‚   β”œβ”€β”€ demo4.png     # Demo 1 img
β”‚   β”œβ”€β”€ demo15.png    # Demo 1 img
```
πŸš€ Demo Screenshot

![alt text](img/demo1.png)
![alt text](img/demo2.png)
![alt text](img/demo3.png)
![alt text](img/demo4.png)
![alt text](img/demo5.png)

πŸ”’ Patching
```bash
# IMMEDIATE FIX
npm install next@15.0.5 react@18.2.0 react-dom@18.2.0
```



**Happy Coding! πŸ’»**

*Made with ❀️ by [Ihsan Sencan](https://github.com/ihsansencan)*

⭐ **Star this repo if you find it useful!** ⭐

[![GitHub followers](https://img.shields.io/github/followers/ihsansencan?label=Follow&style=social)](https://github.com/ihsansencan)
[![GitHub stars](https://img.shields.io/github/stars/ihsansencan/React2Shell-CVE-2025-55182?style=social)](https://github.com/ihsansencan/React2Shell-CVE-2025-55182/stargazers)