Found 8 repositories (showing 8)
CVE-2025-55182 – React2Shell: Proof-of-Concept Remote Code Execution (RCE) exploit for Next.js apps. Features an interactive shell prompt to test and demonstrate the vulnerability in real time. Use for security research and authorized penetration-testing only.
React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478)
Security-Phoenix-demo
Scanner for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) - Track and remediate a critical React Server Components (RSC) / Flight protocol vulnerability campaign impacting react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and RSC-enabled frameworks like Next.js.
React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478) Full Script
A modern, user-friendly GUI application for detecting and exploiting the CVE-2025-55182 vulnerability in React Server Components. Built with Python and Tkinter, featuring a sleek neon-themed interface for scanning targets, executing shell commands, and viewing live console output.
MuhammadWaseem29
React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, contain a remote code execution vulnerability.
This repository documents research into deserialization behavior within Next.js React Server Components (RSC) using the Flight protocol. It focuses on how malformed multipart bodies combined with Server Action request handling can lead to prototype traversal and execution primitives on certain builds.
p3ta00
CVE-2025-55182 React2Shell PoC - Critical RCE in React Server Components / Next.js. CVSS 10.0. Error-based exfil, reverse shell, interactive mode.