Share
## https://sploitus.com/exploit?id=CDF04859-BAB9-580B-AD30-B6694C5AD7A1
# React2Shell Vulnerable Banking Application Lab
Deliberately vulnerable banking app for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to learn, detect, and safely exercise React2Shell. Runs unpatched React 19.0.0 and Next.js 15.0.3.
## Overview
- Fictional SecureBank built with Next.js App Router and Server Actions.
- Default configuration, no custom dangerous code, intentionally left unpatched.
- Designed to study insecure deserialization in the RSC “Flight” protocol and to practice detection/mitigation.
## Quick start (Docker recommended)
```bash
# 1. Start the lab
docker-compose up -d
# 2. Open the app
http://localhost:3000
# 3. Stop when done
docker-compose down
```
Demo credentials:
```
admin / admin123
johndoe / password123
janedoe / password456
```
## Manual setup and dev mode
Production-like manual run:
```bash
npm install --legacy-peer-deps
npm run build
npm start
# Visit http://localhost:3000
```
Development with hot reload:
```bash
npm install --legacy-peer-deps
npm run dev
```
Notes:
- Always use --legacy-peer-deps because of intentional version pinning.
- If port 3000 is busy, change the mapping in docker-compose.yml (e.g., 3001:3000) or export PORT before starting.
## Quick operational status
- Container: react2shell-vulnerable-bank
- Port: 3000 (expects HTTP 200 OK)
- Vulnerable versions: React 19.0.0, Next.js 15.0.3
Helpful commands:
```bash
docker-compose ps
docker-compose logs -f vulnerable-bank
docker-compose restart
docker-compose build --no-cache && docker-compose up -d
```
## Vulnerability summary (React2Shell)
- CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) allow unauthenticated RCE via insecure deserialization in RSC.
Relevant affected versions:
- React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: >=14.3.0-canary.77, all 15.x, 16.x unpatched
## Exploitation reality
- No publicly known RCE exploit for a default app; react2shell.com says “Watch this space.”
- PoCs that manually expose child_process, vm, or fs are not representative.
## References
- Vercel/Next.js Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- The Hacker News: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- Slcyber RSC detection: https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
- Assetnote React2Shell scanner: https://github.com/assetnote/react2shell-scanner
- React2Shell info hub: https://react2shell.com/
- Wiz analysis: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Akamai research: https://www.akamai.com/blog/security-research/cve-2025-55182-react-nextjs-server-functions-deserialization-rce