Welcome to React2Shell-CTF, a Dockerized environment designed to practice exploiting React2Shell (CVE-2025-55182).
React2Shell is a critical vulnerability affecting React-based applications. This repository provides a safe, locally deployable Capture The Flag (CTF) challenge to help you understand and mitigate this flaw. Can you pop a Reverse Shell? 🐚
For a full technical explanation of CVE-2025-55182, please visit the official informational website:
👉 react2shell.com 👈
IMPORTANT! READ BEFORE PROCEEDING
This project is created strictly for educational and learning purposes.
- 🚫 We do not condone or promote illegal activities.
- 🎓 The goal is to provide a safe environment for developers and security professionals to understand how this vulnerability works.
- 🛡️ The best way to protect oneself is by understanding the vulnerability.
Using this material to attack targets without prior mutual consent is illegal.
Stuck? Check out the step-by-step guides (now with Native Node.js Payload!):
The vulnerability (CVE-2025-55182) exists in how the React Server Components deserializer handles specific object properties.
- Injection: The attacker sends a malicious JSON payload via a Multipart `POST` request.
- Deserialization: The server parses the JSON.
- Property Gadget: The `_response._prefix` property is wrongly trusted by the server. Instead of treating it as data, the server evaluates it as code.
- RCE: This `eval()` allows arbitrary JavaScript execution, leading to Remote Code Execution (RCE) and full system compromise.
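
To make the chain above concrete from the defender's side, here is an added example (not code from this repository) that inspects multipart form fields before anything deserializes them and reports every place where a `_response` object carries a `_prefix` property. The function names, the field layout and the sample values are assumptions constructed for illustration; only the `_response._prefix` key names come from the description above.

```javascript
// Added example: pre-deserialization check for the `_response._prefix` gadget.
const MAX_DEPTH = 64; // assumption: bound recursion on hostile, deeply nested input

// Walk parsed JSON and collect the paths where `_response` owns a `_prefix` key.
function findPrefixGadget(value, path = '$', depth = 0, hits = []) {
  if (depth > MAX_DEPTH) {
    hits.push(`${path} (max depth exceeded)`); // treat excessive nesting as suspicious
    return hits;
  }
  if (value === null || typeof value !== 'object') return hits;
  for (const [key, child] of Object.entries(value)) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    const isObject = child !== null && typeof child === 'object';
    if (key === '_response' && isObject &&
        Object.prototype.hasOwnProperty.call(child, '_prefix')) {
      hits.push(`${childPath}._prefix`);
    }
    findPrefixGadget(child, childPath, depth + 1, hits);
  }
  return hits;
}

// `fields` maps multipart field names to their raw string values.
function inspectFields(fields) {
  const findings = [];
  for (const [name, raw] of Object.entries(fields)) {
    let parsed;
    try { parsed = JSON.parse(raw); } catch { continue; } // not JSON: nothing to walk
    for (const hit of findPrefixGadget(parsed)) findings.push({ field: name, path: hit });
  }
  return findings;
}

// Constructed sample fields; the `_prefix` value is an inert placeholder.
const sampleFields = {
  '0': JSON.stringify({ id: 1, chunks: [{ _response: { _prefix: 'PLACEHOLDER' } }] }),
  '1': JSON.stringify({ title: 'hello', _response: { status: 200 } }),
  '2': 'plain text, not JSON',
};

console.log(inspectFields(sampleFields));
```

Only field `0` is reported: field `1` has a `_response` object without `_prefix`, and field `2` is not JSON at all.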
- Docker & Docker Compose
```bash
git clone https://github.com/yz9yt/React2Shell-CTF.git
cd React2Shell-CTF
sudo docker-compose up --build
```
Note: Use `--build` to ensure `netcat` is installed for the Reverse Shell challenge!
The challenge will be available at: http://localhost:5555
- Analyze the `server.js` code.
- Craft a payload to execute code.
- Bonus: Can you pop a Reverse Shell? 🐚
Happy Hacking! 🕵️♂️
Created by @yz9yt 🐦

