## https://sploitus.com/exploit?id=F91EBA06-DBB6-51A2-9C2E-C7EDB992E9D4
# React2Shell (CVE-2025-55182) โ Local RSC Security Demo
โ ๏ธ **WARNING**
This repository is for **educational and defensive security research only**.
Do **NOT** attempt to run this code against:
- Production systems
- Public websites
- Servers you do not own or have explicit permission to test
Unauthorized exploitation of vulnerabilities can be illegal.
---
## ๐ Overview
This repository demonstrates the **real-world impact** of
**React2Shell (CVE-2025-55182)** โ a critical Remote Code Execution (RCE)
vulnerability affecting **React Server Components (RSC)** and frameworks
such as **Next.js**.
The demo shows how unsafe deserialization in vulnerable environments
can lead to:
- Server-side code execution
- Filesystem access
- Directory enumeration
All testing was performed **locally** in a controlled environment.
---
## ๐งช Demo Scenarios
The demo script contains three isolated examples:
1. **Minimal RCE proof**
- Logs a message from server-side execution
2. **Filesystem write**
- Creates a file in the server working directory
3. **Directory enumeration**
- Lists files from the server process directory
These examples are intentionally simple to highlight **impact**, not exploitation.
---
## ๐ง High-Level Simulation Steps (Local Only)
1. Create a **local Next.js test application**
2. Run it in a **controlled development environment**
3. Ensure the environment reflects a **vulnerable configuration**
4. Execute the demo script from a browser context
5. Observe server-side logs and filesystem changes
โ ๏ธ No public deployment is required or recommended.
---
## ๐ก๏ธ Mitigation Guidance
If you use React Server Components:
- Upgrade React and Next.js to patched versions immediately
- Audit server actions and RSC boundaries
- Treat serialization/deserialization as a high-risk surface
- Monitor server logs for anomalous RSC payloads
---
## ๐ References
- React2Shell official site: https://react2shell.com/
- React security advisory:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Original research & PoC:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
---
## โ๏ธ Legal & Ethical Notice
This project is intended to **raise awareness** and help developers
understand the severity of RCE vulnerabilities.
The author is **not responsible** for misuse of this code.