Share
## https://sploitus.com/exploit?id=F91EBA06-DBB6-51A2-9C2E-C7EDB992E9D4
# React2Shell (CVE-2025-55182) โ€” Local RSC Security Demo

โš ๏ธ **WARNING**
This repository is for **educational and defensive security research only**.

Do **NOT** attempt to run this code against:

- Production systems
- Public websites
- Servers you do not own or have explicit permission to test

Unauthorized exploitation of vulnerabilities can be illegal.

---

## ๐Ÿ“Œ Overview

This repository demonstrates the **real-world impact** of
**React2Shell (CVE-2025-55182)** โ€” a critical Remote Code Execution (RCE)
vulnerability affecting **React Server Components (RSC)** and frameworks
such as **Next.js**.

The demo shows how unsafe deserialization in vulnerable environments
can lead to:

- Server-side code execution
- Filesystem access
- Directory enumeration

All testing was performed **locally** in a controlled environment.

---

## ๐Ÿงช Demo Scenarios

The demo script contains three isolated examples:

1. **Minimal RCE proof**

   - Logs a message from server-side execution

2. **Filesystem write**

   - Creates a file in the server working directory

3. **Directory enumeration**
   - Lists files from the server process directory

These examples are intentionally simple to highlight **impact**, not exploitation.

---

## ๐Ÿ”ง High-Level Simulation Steps (Local Only)

1. Create a **local Next.js test application**
2. Run it in a **controlled development environment**
3. Ensure the environment reflects a **vulnerable configuration**
4. Execute the demo script from a browser context
5. Observe server-side logs and filesystem changes

โš ๏ธ No public deployment is required or recommended.

---

## ๐Ÿ›ก๏ธ Mitigation Guidance

If you use React Server Components:

- Upgrade React and Next.js to patched versions immediately
- Audit server actions and RSC boundaries
- Treat serialization/deserialization as a high-risk surface
- Monitor server logs for anomalous RSC payloads

---

## ๐Ÿ“š References

- React2Shell official site: https://react2shell.com/
- React security advisory:  
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Original research & PoC:  
  https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc

---

## โš–๏ธ Legal & Ethical Notice

This project is intended to **raise awareness** and help developers
understand the severity of RCE vulnerabilities.

The author is **not responsible** for misuse of this code.