Share
## https://sploitus.com/exploit?id=C680DC1C-F3AB-514C-BB39-EE0677352123
# π₯React2Shell - CVE-2025-55182 / CVE-2025-66478 Proof of Concept
[](https://hub.docker.com/r/ihsansencan/react2shell)
[](https://hub.docker.com/r/ihsansencan/react2shell)
[](https://hub.docker.com/r/ihsansencan/react2shell)
[](https://github.com/ihsansencan/React2Shell-CVE-2025-55182/blob/main/LICENSE)
> **Critical Security Vulnerability Demo** - CVSS 10.0 - Remote Code Execution in React Server Components
## β οΈDISCLAIMER
**FOR EDUCATIONAL PURPOSES ONLY!**
This repository demonstrates a critical security vulnerability.
Never use on production systems or exposed networks.
## π¨Vulnerability Details
- **CVE ID:** CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)
- **CVSS Score:** 10.0 (CRITICAL)
- **Affected:** Next.js 15.0.0 with React Server Components
- **Vulnerability:** Remote Code Execution via RSC protocol
- **Fixed in:** next@15.0.5, next@15.1.9, next@16.0.7
## π³ Docker Hub
## https://hub.docker.com/r/ihsansencan/react2shell
```bash
# Pull and run directly
docker run -p 3000:3000 ihsansencan/react2shell:latest
# CVE
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-55182
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-66478
# Versioned
docker run -p 3000:3000 ihsansencan/react2shell:v1.0
```
## π οΈQuick Start
```bash
# 1. Build the vulnerable container
docker build -t cve-2025-55182-poc .
# 2. Run the demo
docker run -p 3000:3000 --name react2shell cve-2025-55182-poc
# 3. Open browser
# http://localhost:3000
```
## π§ Features
- -Modern UI pretending to be a "code playground"
- Interactive RCE interface
- Multiple payload examples
- Real-time execution results
- Educational exploit demonstration
## π‘οΈ Security Impact
The vulnerability allows:
- Remote command execution as root
- Filesystem access
- Network reconnaissance
- Potential container escape
- Full system compromise
π Project Structure
```text
/react2shell-cve-2025-55182/
βββ Dockerfile # Vulnerable container setup
βββ pages/
β βββ index.js # Frontend UI (disguised as dev tool)
β βββ api/
β βββ rce.js # Vulnerable RCE endpoint
βββ package.json # Next.js 15.0.0 (vulnerable)
βββ README.md
βββ LICENSE
βββ img/
β βββ demo1.png # Demo 1 img
β βββ demo2.png # Demo 1 img
β βββ demo3.png # Demo 1 img
β βββ demo4.png # Demo 1 img
β βββ demo15.png # Demo 1 img
```
π Demo Screenshot





π Patching
```bash
# IMMEDIATE FIX
npm install next@15.0.5 react@18.2.0 react-dom@18.2.0
```
**Happy Coding! π»**
*Made with β€οΈ by [Ihsan Sencan](https://github.com/ihsansencan)*
β **Star this repo if you find it useful!** β
[](https://github.com/ihsansencan)
[](https://github.com/ihsansencan/React2Shell-CVE-2025-55182/stargazers)