MikeTheHash/CVE-2025-55182

CVE-2025-55182 - React2Shell

A modified and boosted exploit for CVE-2025-55182, a pre-authentication remote code execution vulnerability in React Server versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

The vulnerability affects the following packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Patch

The patch stops chunk references from being used to retrieve prototype properties by adding an own-property check before the export is returned:

@@ -78,7 +80,10 @@ export function preloadModule<T>(
 
 export function requireModule<T>(metadata: ClientReference<T>): T {
   const moduleExports = parcelRequire(metadata[ID]);
-  return moduleExports[metadata[NAME]];
+  if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
+    return moduleExports[metadata[NAME]];
+  }
+  return (undefined: any);
 }
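
Review bot: In requireModule, the new fallback `return (undefined: any);` makes a rejected lookup indistinguishable from an export whose value is undefined, so a name that fails the own-property check disappears silently. Consider throwing or logging at that point, and add a one-line comment above the `hasOwnProperty.call(moduleExports, metadata[NAME])` check stating that it exists to block inherited (prototype) properties. The check also relies on a bare `hasOwnProperty` binding that is not defined in the visible lines, so confirm it is imported or declared in this file. This hunk touches only the `parcelRequire` path; the same guard is needed wherever the other listed packages resolve `metadata[NAME]`.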
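
Why the own-property check matters, as an added example that is not code from this repository or from React: it compares an unguarded export lookup with the guarded form used in the patch, and shows why the patch calls `hasOwnProperty` through `.call` rather than as a method of the export object. The function names and the three sample export objects are hypothetical and constructed for illustration.

```javascript
// Added example: unguarded vs. own-property-guarded export lookup.
const hasOwn = Object.prototype.hasOwnProperty;

// Pre-patch shape: the name is resolved along the prototype chain.
function lookupUnguarded(moduleExports, name) {
  return moduleExports[name];
}

// Patched shape: only names the module itself defines are returned.
function lookupGuarded(moduleExports, name) {
  if (hasOwn.call(moduleExports, name)) {
    return moduleExports[name];
  }
  return undefined;
}

// Constructed stand-ins for module export objects (assumptions).
const plainModule = { Button: function Button() {} };
// An export that shadows hasOwnProperty and answers "yes" to everything.
const shadowingModule = { hasOwnProperty: () => true, Card: 'card' };
// A namespace-like object with no prototype, so it has no hasOwnProperty method.
const nullProtoModule = Object.assign(Object.create(null), { Link: 'link' });

// Export names as they could arrive in a client-supplied reference.
const requested = ['Button', 'constructor', '__proto__', 'toString', 'valueOf'];

// For each name, record whether each lookup style yields a value.
function audit(moduleExports, names) {
  return names.map((name) => ({
    name,
    unguarded: lookupUnguarded(moduleExports, name) !== undefined,
    guarded: lookupGuarded(moduleExports, name) !== undefined,
  }));
}

// Names that resolve only because they are inherited from the prototype.
function inheritedLeaks(moduleExports, names) {
  return audit(moduleExports, names)
    .filter((row) => row.unguarded && !row.guarded)
    .map((row) => row.name);
}

console.log(inheritedLeaks(plainModule, requested));
console.log(lookupGuarded(shadowingModule, 'constructor'));
console.log(lookupGuarded(nullProtoModule, 'Link'));
```

Calling `moduleExports.hasOwnProperty(name)` instead would be fooled by `shadowingModule` and would throw on `nullProtoModule`; the borrowed `Object.prototype.hasOwnProperty` handles both.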

Credits

Author: msanft - https://github.com/msanft/CVE-2025-55182

Date: 05/12/2025 - DD/MM/YY

Editor: MikeTheHash

Edit Date: 07/12/2025 - DD/MM/YY

Disclaimer: This content was published for educational purposes only.

Use it at your own risk. I assume no liability for any misuse, damage, or legal consequences resulting from its use.

Related

https://github.com/msanft/CVE-2025-55182/

https://x.com/maple3142

https://nvd.nist.gov/vuln/detail/CVE-2025-55182
