CVE-2025-55182 (also referred to as “React2Shell”) is a critical Remote Code Execution (RCE) vulnerability in the React Server Components (RSC) system. The issue occurs because the HTTP payload deserialization mechanism for “Server Functions” processes untrusted input insecurely, allowing an attacker to send a crafted request and trigger arbitrary code execution on the server — without authentication. The vulnerability has been rated CVSS 10.0 (Critical).
- ⚠ Vulnerable versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0 of the RSC packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack).
- ✅ Patched versions: 19.0.1, 19.1.2, 19.2.1.
- Any application using React Server Components (RSC) through Next.js or similar integrations may be vulnerable if it relies on the affected RSC versions.
- ⚠ Next.js vulnerable versions: various releases in the 15.x and 16.x series (including older canary builds using vulnerable RSC packages).
- ✅ Patched Next.js versions include: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
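To check a deployment against the version lists above without touching the running server, the following added example (not part of this repository's tool) walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) and classifies every installed RSC package and Next.js release. It assumes that the listed Next.js patched release is the first fixed build of its minor line, so lower releases and canary builds of that line are reported as vulnerable, and minor lines the list does not cover are reported as unknown; the lockfile fragment at the bottom is constructed sample data.

```python
import json
import re

# Version lists taken from the advisory text above.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
RSC_VULNERABLE = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_PATCHED = {"19.0.1", "19.1.2", "19.2.1"}
# Assumption: the listed patched release is the first fixed build of its Next.js minor line.
NEXT_PATCHED = {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6, (15, 4): 8, (15, 5): 7, (16, 0): 7}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def parse_version(text):
    """Return ((major, minor, patch), prerelease); prerelease is None for a final release."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]

def classify_rsc(version):
    if version in RSC_VULNERABLE:
        return "vulnerable"
    return "patched" if version in RSC_PATCHED else "unknown"

def classify_next(version):
    (major, minor, patch), pre = parse_version(version)
    fixed = NEXT_PATCHED.get((major, minor))
    if fixed is None:
        return "unknown"  # minor line not covered by the advisory list; review manually
    # A canary/prerelease carrying the fixed patch number still predates the fix.
    if patch < fixed or (patch == fixed and pre):
        return "vulnerable"
    return "patched"

def assess_lockfile(lock_text):
    """Map each RSC/Next.js entry in a package-lock.json (lockfileVersion 2/3) to a status."""
    findings = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        if name in RSC_PACKAGES:
            findings[path] = classify_rsc(meta.get("version", ""))
        elif name == "next":
            findings[path] = classify_next(meta.get("version", ""))
    return findings

# Constructed sample lockfile fragment so the check runs stand-alone.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/next": {"version": "15.3.0-canary.12"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.1"}}})
```

Run `assess_lockfile(open("package-lock.json").read())` against a real project to get a per-package status map; any "vulnerable" or "unknown" entry is a reason to upgrade to the patched versions listed above.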
This tool is created for educational purposes or authorized security assessments only.
Unauthorized scanning or exploitation of third-party systems is illegal and may violate service terms or criminal laws.
Use responsibly.
```console
C:\Users\cirqueira>python --version
Python 3.11.0
```
```text
requests
colorama
```
```bash
git clone https://github.com/CirqueiraDev/MassExploit-CVE-2025-55182.git
cd MassExploit-CVE-2025-55182
pip install requests colorama
python3 CVE-2025-55182.py <url_list.txt> <threads>
```
- Discord: Cirqueira
- You can contact me on Telegram or Instagram
- Small community about the IT world, leaks and more: RootNet
REMEMBER: All information and code provided on this profile are for educational purposes only. The creator is not responsible for any direct or indirect damage resulting from misuse of this material. Whatever you choose to do is entirely at your own risk and responsibility.