React2Shell is a Python-based scanner and exploitation toolkit targeting React/Spring/GraphQL stacks. It mixes endpoint discovery, stealthy HTTP behavior, and payload mutation to exercise potentially vulnerable deployments, including routines tuned for the documented CVE-2025-55182 and CVE-2025-66478 vectors.
- Multi-mode CLI supporting bulk scanning, direct exploitation, CVE-focused sweeps, and an interactive menu.
- Endpoint discovery via sitemap parsing, JavaScript analysis, and curated actuator/GraphQL paths.
- WAF-evasion helpers that randomize headers, mutate payloads, and add jitter between requests.
- Protocol hopping (HTTP/HTTPS), tech fingerprinting, and subdomain probing to widen coverage.
- Built-in payload sets for command execution and CVE-specific exploitation attempts.
- Python 3.8+
- Dependencies: `requests`, `urllib3` (others in the standard library)
Install the dependencies with:

```
python3 -m venv .venv
source .venv/bin/activate
pip install requests urllib3
```

Display the built-in help:

```
python cracker.py -h
```

```
python cracker.py scan targets.txt reports/prefix
```

- Reads URLs from `targets.txt` and writes JSON reports using the given prefix.

```
python cracker.py exploit reports/prefix.json
```

- Loads a previously generated report and reruns exploitation attempts.

```
python cracker.py direct https://target.example --test-all
```

- Probes all known endpoints for the target. Add options such as `-e /api/graphql` to focus on one path, `-c "whoami"` to change the command, or `--aggressive` to enable stronger WAF bypassing.

```
python cracker.py cve-scan targets.txt -o cve_results.txt
```

- Runs payloads tailored to CVE-2025-55182 and CVE-2025-66478 across the provided targets.

```
python cracker.py menu
```

- Launches an interactive workflow for discovery, exploitation, and persistence checks.
- The tool intentionally disables certificate verification for convenience; use it only in controlled environments.
- Commands are for educational and authorized testing purposes. Ensure you have permission before scanning or exploiting any target.
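
For defenders, the discovery and evasion behaviour in the feature list (requests to sitemap, actuator and GraphQL paths combined with randomized headers) can be hunted in web access logs. The following is an added example, not part of React2Shell: it flags clients that request several such paths under several User-Agent strings within a short window. The log lines, the path list, the thresholds and the assumption that header randomization includes the User-Agent are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:10:00:01 +0000] "GET /sitemap.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Dec/2025:10:00:09 +0000] "GET /actuator/env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [10/Dec/2025:10:00:23 +0000] "POST /api/graphql HTTP/1.1" 400 88 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
203.0.113.7 - - [10/Dec/2025:10:00:31 +0000] "GET /actuator/health HTTP/1.1" 404 153 "-" "curl/8.5.0"
198.51.100.20 - - [10/Dec/2025:10:00:05 +0000] "POST /api/graphql HTTP/1.1" 200 901 "https://app.example/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.20 - - [10/Dec/2025:10:01:40 +0000] "POST /api/graphql HTTP/1.1" 200 877 "https://app.example/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Assumption: these generic paths stand in for the "curated actuator/GraphQL
# paths" and sitemap parsing named in the feature list; tune them per application.
PROBE_PATHS = re.compile(r"^/(sitemap\.xml|actuator(/|$)|graphql|api/graphql)", re.I)
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def find_scanners(log_text, window=timedelta(minutes=5), min_paths=3, min_agents=3):
    """Return {ip: (sorted_paths, agent_count)} for clients that hit several
    discovery paths under several User-Agents inside one time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, _method, path, _status, agent = m.groups()
        if PROBE_PATHS.match(path):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, path.split("?")[0].lower(), agent))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            paths = {e[1] for e in in_win}
            agents = {e[2] for e in in_win}
            if len(paths) >= min_paths and len(agents) >= min_agents:
                flagged[ip] = (sorted(paths), len(agents))
                break
    return flagged
```

A single browser session calling one GraphQL endpoint with a stable User-Agent, like the second client in the sample, stays below both thresholds.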