
Tiger-Foxx/exploit-react-CVE-2025-55182


FOX-RSC TOOL

CVE-2025-55182 & CVE-2025-66478


LEGAL DISCLAIMER

EN: This tool is a Proof of Concept (PoC) intended for security research and educational purposes only. Using this tool on systems without explicit permission is illegal and punishable by law. The author (Tiger-Foxx) assumes no responsibility for misuse.

FR: This tool is a Proof of Concept (PoC) intended solely for security research and educational purposes. Using this tool on systems without explicit authorization is illegal.


DESCRIPTION

Fox-RSC Tool is a specialized browser extension and toolkit designed to detect and demonstrate the critical CVE-2025-55182 (React2Shell) vulnerability affecting React Server Components (RSC).

This toolkit provides a comprehensive suite for security researchers to identify vulnerable endpoints and verify the Remote Code Execution (RCE) vector in a controlled environment.


TECHNICAL ANALYSIS: CVE-2025-55182 (React2Shell)

Vulnerability Class: Insecure Deserialization / Remote Code Execution
CVSS Score: 10.0 (Critical)
Disclosure Date: December 3, 2025

Overview

Also known as React2Shell, this critical vulnerability affects the Flight protocol used by React Server Components (RSC), specifically within the `react-server` package. It allows for unauthenticated Remote Code Execution (RCE) and carries a CVSS score of 10.0.

Mechanism

The vulnerability stems from insecure deserialization of RSC payloads.

  1. Injection: An attacker crafts a malicious HTTP request containing a specific payload.
  2. Deserialization: When the server processes this request using the Flight protocol, it fails to properly validate the input.
  3. Execution: The deserialization process triggers the execution of arbitrary, privileged JavaScript code within the server's context.

Exploitability & Impact

  • High Reliability: The exploit has a success rate nearing 100% in testing environments.
  • Unauthenticated: No user credentials are required to trigger the RCE.
  • In-the-Wild Exploitation: CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed since December 5, 2025, involving threat actors targeting cloud credentials and deploying crypto-miners (e.g., XMRig).

Prerequisites for Exploitation

  • The target application must utilize React Server Components (RSC) on the server side (e.g., Next.js in default production mode).
  • Note: Even if the application does not explicitly define Server Functions endpoints, it remains vulnerable if RSC support is enabled.
  • Attack Vector: Any exposed endpoint handled by the RSC server can be targeted with a specially crafted HTTP request. It functions on standard configurations without requiring code modifications.

Affected Versions

  • React: 19.0, 19.1.0, 19.1.1, 19.2.0
  • Next.js: Versions 14.3.0-canary.77+, 15.x, 16.x
  • Other Frameworks: React Router, Vite (RSC plugin), Parcel (RSC plugin), Waku.

Note: Pure client-side applications (SPA) or those without RSC support are not affected.


FEATURES

1. Chrome Extension (Premium Dark Theme)

  • Passive Detection: Automatically analyzes HTTP headers (e.g., `rsc`, `next-router-state-tree`) and DOM elements to identify Next.js/RSC applications.
  • Active Fingerprinting: Sends lightweight, non-destructive probes to confirm the presence of the Flight protocol.
  • RCE Exploit Terminal: A built-in terminal interface to test command execution (e.g., `whoami`, `ls -la`) on authorized targets.

Extension Interface
Fox-RSC Tool extension popup showing the main interface with detection and exploit sections.

Command Templates
Built-in command templates for testing RCE (whoami, pwd, etc.) in the exploit section.

2. Proxy Server (`extension_proxy.py`)

  • A Python-based middleware to bypass CORS (Cross-Origin Resource Sharing) restrictions, enabling the extension to communicate with remote targets during testing.

3. Shodan Scanner (`shodan_scanner.py`)

  • Automated reconnaissance script utilizing the Shodan API to identify potentially vulnerable hosts exposed to the public internet.

INSTALLATION

Browser Extension

  1. Navigate to `chrome://extensions/` in your Chromium-based browser.
  2. Enable Developer mode.
  3. Click Load unpacked.
  4. Select the `extension/` directory from this repository.
  5. The Fox-RSC Tool icon will appear in your browser toolbar.

Browser Extension in Toolbar
Fox-RSC Tool icon visible in the browser toolbar after installation.

Proxy Server (Recommended)

To ensure reliable exploitation testing without CORS interference:

```bash
python extension_proxy.py
```

The server will listen on port `8765`.

Shodan Scanner

Requires a valid Shodan API key.

```bash
pip install shodan requests tqdm
python shodan_scanner.py
```

Shodan Scanner Results
Shodan scanner output displaying vulnerable hosts and scan results.


MITIGATION

Immediate patching is required for all affected systems.

  • React: Update to version 19.0.1, 19.1.2, 19.2.1 or later.
  • Next.js: Update to the latest stable release.
  • Hosting Providers: Some providers have applied temporary mitigations, but code-level updates are mandatory.
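The following is an added example, not code from the Fox-RSC Tool repository, that turns the Affected Versions and Mitigation lists above into a dependency audit: it classifies a project's pinned React version against the affected/fixed ranges stated on this page and flags Next.js lines that are in scope. It assumes a parsed `package.json` as input; the sample object is constructed for illustration, and the fixed Next.js release is not encoded because the page only says "latest stable".

```javascript
// Affected React patch ranges from the page: [first affected, first fixed)
const REACT_RANGES = [
  { line: "19.0", affected: [19, 0, 0], fixed: [19, 0, 1] },
  { line: "19.1", affected: [19, 1, 0], fixed: [19, 1, 2] },
  { line: "19.2", affected: [19, 2, 0], fixed: [19, 2, 1] },
];

// Parse "19.1.1", "^19.1.0" or "19.0" into [major, minor, patch].
// Prerelease tags (e.g. "-canary.77") are dropped; anything else returns null.
function parseVersion(spec) {
  const m = String(spec).trim().match(/^[\^~=v]*(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "affected" = inside a listed vulnerable range, "fixed" = same minor line at or
// past the patched release, "other" = a line the page does not list (e.g. 18.x).
function classifyReact(spec) {
  const v = parseVersion(spec);
  if (!v) return "unknown";
  for (const r of REACT_RANGES) {
    if (cmp(v, r.affected) >= 0 && cmp(v, r.fixed) < 0) return "affected";
    if (v[0] === r.affected[0] && v[1] === r.affected[1]) return "fixed";
  }
  return "other";
}

// Audit dependencies/devDependencies of a parsed package.json.
// Caveat: a caret/tilde range only tells you the floor; read the lockfile
// for the version actually installed.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  if (deps.react) findings.push({ pkg: "react", version: deps.react, status: classifyReact(deps.react) });
  if (deps.next) {
    const v = parseVersion(deps.next);
    const inScope = v && (v[0] >= 15 || (v[0] === 14 && v[1] >= 3)); // 14.3 canary+, 15.x, 16.x
    findings.push({ pkg: "next", version: deps.next, status: inScope ? "check-latest-stable" : "other" });
  }
  return findings;
}

// Constructed sample input (hypothetical project, not from this repository)
const SAMPLE = { dependencies: { react: "19.1.1", next: "15.1.0" }, devDependencies: { typescript: "5.4.0" } };
console.log(auditPackageJson(SAMPLE));
```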

CREDITS

Developed by Tiger-Foxx (original design & research).

Stay Safe, Stay Secure.
