🔥React2Shell - CVE-2025-55182 / CVE-2025-66478 Proof of Concept

Critical Security Vulnerability Demo - CVSS 10.0 - Remote Code Execution in React Server Components

⚠️DISCLAIMER

FOR EDUCATIONAL PURPOSES ONLY!
This repository demonstrates a critical security vulnerability.
Never use on production systems or exposed networks.

🚨Vulnerability Details

• CVE ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)
• CVSS Score: 10.0 (CRITICAL)
• Affected: Next.js 15.0.0 with React Server Components
• Vulnerability: Remote Code Execution via RSC protocol
• Fixed in: next@15.0.5, next@15.1.9, next@16.0.7

🐳 Docker Hub

https://hub.docker.com/r/ihsansencan/react2shell

# Pull and run directly
docker run -p 3000:3000 ihsansencan/react2shell:latest

# CVE
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-55182
docker run -p 3000:3000 ihsansencan/react2shell:cve-2025-66478

# Versioned
docker run -p 3000:3000 ihsansencan/react2shell:v1.0

🛠️Quick Start

# 1. Build the vulnerable container
docker build -t cve-2025-55182-poc .

# 2. Run the demo
docker run -p 3000:3000 --name react2shell cve-2025-55182-poc

# 3. Open browser
# http://localhost:3000

🔧 Features

• Modern UI pretending to be a "code playground"
• Interactive RCE interface
• Multiple payload examples
• Real-time execution results
• Educational exploit demonstration

🛡️ Security Impact

The vulnerability allows:

• Remote command execution as root
• Filesystem access
• Network reconnaissance
• Potential container escape
• Full system compromise

📁 Project Structure

/react2shell
├── Dockerfile
├── package.json
├── next.config.js
├── app/
│   ├── actions.js
│   ├── layout.js
│   ├── page.js
│   └── api/
│       └── command/
│           └── route.js
├── README.md
├── LICENSE
└── img/
    ├── 1.png
    ├── 2.png
    └── 3.png

🚀 Demo Screenshot

🔒 Patching

# IMMEDIATE FIX
npm install next@15.0.5 react@18.2.0 react-dom@18.2.0

Happy Coding! 💻

Made with ❤️ by Ihsan Sencan

⭐ Star this repo if you find it useful! ⭐