A proof-of-concept exploitation tool for the critical "React2Shell" vulnerability affecting Next.js App Router and React Server Components.
This tool is for educational purposes and authorized security testing only. Unauthorized scanning or exploitation of systems you do not own is illegal. The author assumes no responsibility for misuse. Use responsibly.
This tool automates the exploitation of CVE-2025-55182, a deserialization vulnerability in the "Flight" protocol used by React Server Components (RSC).
It allows security researchers to verify the vulnerability by:
- Leaking Command Output: Executing commands and retrieving the output via error digests (Blind RCE bypass).
- Reverse Shells: Automating the injection of reverse shell payloads.
- Integrated Listener: Automatically spawning a Netcat listener to catch the shell connection.
- Next.js: 15.0.0 - 15.0.3, and Canary builds
14.3.0-canary.77+. - React: 19.0.0, 19.1.0 (specifically
react-server-dom-*packages).
Ensure you have Go installed.
- Clone or Download the
exploit.gofile. - Run directly:
go run exploit.go
- (Optional) Build binary:
go build -o react_rce exploit.go ./react_rce
The tool features two modes: an Interactive Wizard for ease of use, and CLI Flags for scripting/automation.
Simply run the tool without arguments. It will guide you through target selection, payload choice, and listener setup.
go run exploit.go