CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need t...#1653
Merged
carlospolop merged 2 commits into master on Dec 16, 2025
🔗 Additional Context
Original Blog Post: https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/
Content Categories: Based on the analysis, this content was categorized under "network-services-pentesting/pentesting-web/nextjs (or a new subsection under Pentesting Web -> NextJS focused on React Server Components/Functions RCE and react2shell-scanner style detection oracles)".
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
This post provides a focused technical overview of the critical React/Next.js remote code execution vulnerability known as React2Shell, tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). The core problem lies in the implementation of React Server Components (RSC) and in particular React Server Functions (RSF): a remote attacker can craft a malicious HTTP request to any React Server Function endpoint which, when deserialized by the vulnerable RSC...
🔧 Technical Details
Exploiting React Server Functions via crafted RSC HTTP payloads
React2Shell shows that any HTTP endpoint backed by a React Server Function (a function containing the 'use server'; directive) becomes an attack surface for the React Server Components (RSC) wire protocol. An attacker does not rely on normal browser form submissions; instead, they manually craft HTTP requests that follow (or abuse) the RSC serialization format and send them directly to these server-function endpoints. In vulnerable RSC implementations, the deserialization process mishandles this untrusted serialized data and can lead to arbitrary code execution on the server. The practical trick for attackers is to first identify RSF endpoints (e.g., by discovering routes of frameworks like Next.js App Router that use the app directory for server components) and then deliver specialized RSC-formatted payloads as part of POST requests. Although this article does not disclose the low-level RSC...

🤖 Agent Actions
Updated src/network-services-pentesting/pentesting-web/nextjs.md with a comprehensive React2Shell-focused section:
- 'use server';, App Router fingerprints, and other RSC-enabled frameworks.
- react-server-dom-* packages and Next.js releases, plus canary downgrade advice.
- react2shell-scanner, including the HTTP 500 + E{"digest" oracle and example commands.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
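The HTTP 500 + E{"digest" oracle that the scanner relies on is also a useful detection signal on the defending side: a client that trips it across several routes looks like scanner activity rather than an application bug. The triage helper below is an added example, not code from the PR, the HackTricks page or the JFrog post; it assumes a constructed proxy log format that records method, path, status and the first bytes of the response body, and treats the optional "<n>:" RSC row-id prefix before the E tag as an assumption about the wire format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Oracle from the page: an HTTP 500 whose body starts with E{"digest" (an RSC
# error row). The optional "<n>:" row-id prefix is an assumption, not from the page.
ORACLE_RE = re.compile(r'^(?:\d+:)?E\{"digest"\s*:\s*"(?P<digest>[^"]*)"')

# Constructed log shape (not any real product's format):
#   <client> "<METHOD> <path>" <status> body=<first bytes of the response body>
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) body=(?P<body>.*)$'
)

@dataclass(frozen=True)
class OracleHit:
    client: str
    path: str
    digest: str

def classify_line(line: str) -> OracleHit | None:
    """Return an OracleHit when a log line matches the React2Shell oracle, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or m["status"] != "500":
        return None
    body = ORACLE_RE.match(m["body"])
    if not body:
        return None  # an ordinary 500 (e.g. a JSON API error) is not the oracle
    return OracleHit(m["client"], m["path"], body["digest"])

def find_oracle_hits(lines: list[str]) -> list[OracleHit]:
    """Collect every oracle hit from a batch of log lines, in order."""
    return [h for h in (classify_line(line) for line in lines) if h]

def noisy_clients(hits: list[OracleHit], threshold: int = 2) -> dict[str, int]:
    """Clients that tripped the oracle on at least `threshold` distinct paths:
    a scanner walks many routes, a single broken server function usually does not."""
    paths: dict[str, set[str]] = {}
    for h in hits:
        paths.setdefault(h.client, set()).add(h.path)
    return {c: len(p) for c, p in paths.items() if len(p) >= threshold}

# Constructed sample log; addresses and digests are made up for this example.
SAMPLE_LOG = [
    '198.51.100.7 "POST /" 500 body=0:E{"digest":"1234567890"}',
    '198.51.100.7 "POST /account" 500 body=E{"digest":"1234567890"}',
    '198.51.100.7 "GET /" 200 body=<!DOCTYPE html>',
    '203.0.113.4 "POST /api/login" 500 body={"error":"db unavailable"}',
    '203.0.113.4 "POST /checkout" 500 body=E{"digest":"9876543210"}',
]

if __name__ == "__main__":
    hits = find_oracle_hits(SAMPLE_LOG)
    print(len(hits), "oracle hits;", "noisy clients:", noisy_clients(hits))
```

A single hit on one route is worth correlating with the application's own error logs before escalating; the per-client route count is the part that separates probing from a genuine 500.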