jedisct1 / react2shell-exploit

React2Shell exploit with multiple WAF bypass and vulnerable example application.

Language: Python

README

React2Shell (CVE-2025-55182) Exploit

Exploit for the critical RCE vulnerability in React Server Components, with WAF bypass.

Requirements

  • Python 3
  • requests library
python -m venv .venv
source .venv/bin/activate
pip install requests

Usage

Basic exploit

python exploit.py http://localhost:3000 -c "id"

Detection only (no code execution)

python exploit.py http://localhost:3000 -d

WAF bypass with UTF-16LE charset

python exploit.py http://localhost:3000 -c "id" --utf16le

WAF bypass with junk data padding

python exploit.py http://localhost:3000 -c "id" --junk 128

Combined WAF bypass (both techniques)

python exploit.py http://localhost:3000 -c "id" --utf16le --junk 128

Options

Flag Description
-c, --command Command to execute (default: id)
-d, --detect-only Check vulnerability without exploitation
--utf16le Declare UTF-16LE charset, send UTF-8
--utf16be Declare UTF-16BE charset, send UTF-8
--utf7 Declare UTF-7 charset, send UTF-8
--utf32 Declare UTF-32 charset, send UTF-8
--ibm037 Declare IBM037/EBCDIC charset, send UTF-8
--iso2022jp Declare ISO-2022-JP charset, send UTF-8
--double-charset Double charset trick (charset=utf-8;charset=utf-7)
--junk KB Prepend junk data to bypass WAF inspection limits (recommended: 128)
--boundary Use randomized multipart boundary
--case Apply random case variation to HTTP headers
--disposition Use Content-Disposition format variations
--pollution Add dummy form fields (HTTP Parameter Pollution)
--all Enable all stable WAF bypass techniques
--chunked (Experimental) Use chunked transfer encoding
--crlf (Experimental) Use LF-only line endings

Note: Charset options are mutually exclusive.

How it works

The vulnerability exists in React's Flight protocol deserialization. The exploit:

  1. Sends a crafted multipart POST request with a Next-Action header
  2. Uses prototype pollution via $1:__proto__:then to reach Chunk.prototype.then
  3. When React resolves the fake Promise, it calls the attacker-controlled then method
  4. The then method uses $1:constructor:constructor to obtain the Function constructor
  5. The resulting function runs arbitrary JavaScript, which the exploit uses to execute the supplied command via child_process.execSync()
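A simplified model of the reference-resolution step, added here as an example and not React's code or this repository's. The Chunk class, the chunks registry and the two resolveReference* functions are assumptions standing in for the real Flight client; they show why walking a colon-separated reference path with plain property access reaches prototype members and the Function constructor, and how an own-property check closes that path.

```javascript
// Added example (not React's code): a toy reference resolver for "$<id>:<key>:<key>..." strings.
// Assumed model: an already-parsed chunk is looked up by id, then each colon-separated
// key is followed as a property access. Nothing here talks to a real server.

class Chunk {
  constructor(value) { this.value = value; }
  // Stand-in for the thenable's then(); a resolver that treats any object with a
  // then() as a Promise will call whatever function it finds here.
  then(resolve) { resolve(this.value); }
}

// Constructed registry of previously parsed chunks, keyed by numeric id.
const chunks = new Map([[1, new Chunk('hello')]]);

function splitReference(ref) {
  if (ref[0] !== '$') throw new Error('not a reference');
  const [id, ...path] = ref.slice(1).split(':');
  return [Number(id), path];
}

// Unsafe: plain property access walks the prototype chain, so "__proto__" and
// "constructor" are just two more keys. "$1:__proto__:then" yields Chunk.prototype.then
// and "$1:constructor:constructor" yields Function itself.
function resolveReferenceUnsafe(ref) {
  const [id, path] = splitReference(ref);
  let cur = chunks.get(id);
  for (const key of path) cur = cur[key];
  return cur;
}

// Once the attacker holds Function, any source string becomes executable code.
// The harmless expression here stands in for the exploit's child_process call.
function runViaFunctionConstructor(source) {
  const FunctionCtor = resolveReferenceUnsafe('$1:constructor:constructor');
  return FunctionCtor(source)();
}

// Hardened: only follow own data properties of plain objects. "__proto__" and
// "constructor" are inherited accessors/properties, so hasOwnProperty rejects them.
function resolveReferenceSafe(ref) {
  const [id, path] = splitReference(ref);
  let cur = chunks.get(id);
  for (const key of path) {
    if (cur === null || typeof cur !== 'object') throw new Error('bad reference');
    if (!Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`not an own property: ${key}`);
    }
    cur = cur[key];
  }
  return cur;
}

console.log(resolveReferenceUnsafe('$1:__proto__:then') === Chunk.prototype.then); // true
console.log(runViaFunctionConstructor('return 6 * 7'));                             // 42
console.log(resolveReferenceSafe('$1:value'));                                      // hello
```

The own-property check is the minimum; a real fix also refuses to treat arbitrary deserialized objects as thenables, which is what lets the attacker-chosen then() run in the first place.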

WAF bypass techniques

Charset Mismatch Techniques

All charset techniques work by declaring one charset in the Content-Type header while sending the body as UTF-8. A WAF that decodes the body according to the declared charset sees garbage (or refuses to decode the label at all) and its pattern matching fails, while the server ignores the charset parameter and parses the body as UTF-8 as usual. The technique therefore depends on the target ignoring the declared charset; if the server honoured it, the payload would break too.

UTF-16LE (--utf16le): Declares UTF-16LE (2 bytes per char). Credit: nav1n0x.

UTF-16BE (--utf16be): Big-endian variant of UTF-16.

UTF-7 (--utf7): Declares UTF-7, a base64-like ASCII-safe encoding. Some WAFs may skip bodies with this charset.

UTF-32 (--utf32): Declares UTF-32 (4 bytes per char). Pattern matching for __proto__ completely fails.

IBM037/EBCDIC (--ibm037): Declares IBM037, a completely different character mapping used on IBM mainframes. WAFs typically can't decode this. Based on ModSecurity CRS issue #1137.

ISO-2022-JP (--iso2022jp): Japanese charset using escape sequences. WAFs may not understand escape sequence state machines.

Double charset (--double-charset): Sends charset=utf-8;charset=utf-7. WAF may read first charset while parser uses second. Based on CRS bypass research.

Other Techniques

Junk data padding (--junk): Prepends random data (default 128KB) to push the payload past the WAF's body inspection limit (Cloudflare: 8KB, Akamai: 16KB), so the inspected window contains only junk.

Boundary obfuscation (--boundary): Randomized multipart boundary that some WAFs may not parse correctly.

Header case variation (--case): Random case in header names (e.g., cOnTeNt-DiSpOsItIoN). HTTP header names are case-insensitive, but some WAF rules match them case-sensitively.

Disposition variation (--disposition): Extra whitespace in Content-Disposition that strict WAF regexes may miss.

Parameter pollution (--pollution): Dummy form fields that exceed the number of parameters a WAF will inspect, so the real one goes unexamined.

Chunked encoding (--chunked, experimental): Splits the body into chunks. Some WAFs do not reassemble the chunks before inspection.

CRLF variation (--crlf, experimental): LF-only line endings instead of CRLF, which strict multipart parsers in a WAF may fail on while the server still accepts them.
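A toy request inspector, added here as an example and not part of this repository, that models the charset-mismatch and junk-padding bypasses above from the WAF's side and shows the check that defeats both. The naiveInspect, robustInspect and buildMultipart functions, the 8 KB inspection window, the boundary and the sample form fields are assumptions for illustration; the signature strings are the reference fragments from the exploit chain above, not the real payload.

```javascript
// Added example (not the repository's code): two body inspectors run over constructed
// multipart bodies. naiveInspect behaves like a WAF that trusts the declared charset
// and only reads the first 8 KB; robustInspect inspects the bytes the application will
// actually parse, all of them, regardless of the Content-Type charset parameter.

const SIGNATURES = ['__proto__', 'constructor:constructor']; // fragments from the chain above

// Naive inspector: decode according to the declared charset, look at the first `limit` bytes.
function naiveInspect(contentType, body, limit = 8 * 1024) {
  const m = /charset=([^;\s]+)/i.exec(contentType);
  const charset = m ? m[1].toLowerCase() : 'utf-8';
  let text;
  try {
    text = new TextDecoder(charset).decode(body.subarray(0, limit));
  } catch (e) {
    return false; // unknown label (utf-7, ibm037, ...): nothing decoded, nothing matched
  }
  return SIGNATURES.some(sig => text.includes(sig));
}

// Robust inspector: the application parses the body as UTF-8 whatever the header claims,
// so match on the raw bytes, ignore the charset parameter and scan the whole body.
function robustInspect(body) {
  return SIGNATURES.some(sig => body.includes(Buffer.from(sig, 'utf8')));
}

// Constructed multipart/form-data body; junkBytes > 0 adds a leading field of padding,
// which is what --junk does to push the real field past an inspection window.
function buildMultipart(fields, boundary = 'boundary123', junkBytes = 0) {
  const parts = [];
  if (junkBytes > 0) {
    parts.push(`--${boundary}\r\nContent-Disposition: form-data; name="junk"\r\n\r\n` +
               'A'.repeat(junkBytes) + '\r\n');
  }
  for (const [name, value] of Object.entries(fields)) {
    parts.push(`--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`);
  }
  parts.push(`--${boundary}--\r\n`);
  return Buffer.from(parts.join(''), 'utf8');
}

// Constructed sample field carrying one of the reference fragments (not the real payload).
const SAMPLE_FIELDS = { '0': '$1:__proto__:then' };

function scenarios() {
  const ct = 'multipart/form-data; boundary=boundary123';
  const plain = buildMultipart(SAMPLE_FIELDS);
  const padded = buildMultipart(SAMPLE_FIELDS, 'boundary123', 128 * 1024); // --junk 128
  return {
    plainNaive: naiveInspect(ct, plain),                         // true: caught
    utf16Naive: naiveInspect(ct + '; charset=utf-16le', plain),  // false: UTF-8 bytes read as UTF-16LE
    utf7Naive:  naiveInspect(ct + '; charset=utf-7', plain),     // false: decoder rejects the label
    junkNaive:  naiveInspect(ct, padded),                        // false: signature lies beyond 8 KB
    plainRobust: robustInspect(plain),                           // true
    junkRobust:  robustInspect(padded),                          // true: whole body, raw bytes
  };
}

console.log(scenarios());
```

The robust check costs a full-body byte scan, which is exactly the inspection limit the padding technique exploits; a WAF that cannot afford it should at least reject bodies larger than the window rather than pass them uninspected.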

Affected versions

  • React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • Next.js: 15.0.0-15.0.4, 16.0.0-16.0.6

Patched versions

  • React: 19.0.1, 19.1.2, 19.2.1+
  • Next.js: 15.0.5+, 16.0.7+

Testing locally

A vulnerable Next.js app is included in vuln-app/:

cd vuln-app
npm install
npm run build
npm run start

Then in another terminal:

python exploit.py http://localhost:3000 -c "whoami"

Disclaimer

For authorized security testing only. Do not use against systems without explicit permission.
