React2Shell is a security research tool designed for authorized penetration testing and educational purposes only. This tool exploits CVE-2025-55182, a critical vulnerability in React Server Components.
Before using this tool, you MUST:
- Have explicit written authorization from the system owner
- Understand the legal implications in your jurisdiction
- Use only in controlled environments (like the included lab) for learning
- Never target production systems without proper authorization
If you find a security vulnerability in React2Shell itself (not the CVE it exploits), please:
- Do NOT open a public issue
- Email the maintainer directly with details
- Allow reasonable time for a fix before public disclosure
CVE-2025-55182 has been patched. If you discover new vulnerabilities, report them through the affected project's security channel:
- React: https://github.com/facebook/react/security/advisories
- Next.js: https://github.com/vercel/next.js/security/advisories
- Vercel: https://vercel.com/security
Unauthorized access to computer systems is illegal. This tool is provided for:
- Authorized penetration testing engagements
- Security research with proper authorization
- CTF competitions and security training
- Testing your own systems
The authors are not responsible for any misuse or damage caused by this tool. Users assume all legal responsibility for their actions.
| Package | Vulnerable | Patched |
|---|---|---|
| React | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| Next.js | 13.x-15.x (various) | 14.2.35, 15.1.4, 15.4.8+ |
| react-server-dom-webpack | 19.0.0-19.2.0 | 19.2.1+ |