hidden-investigations/react2shell-vulnlab

React2Shell Tribune — VULNERABLE WEB APPLICATION LAB

A modern Next.js web app themed as a news / blog portal for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to learn, detect, and safely exercise React2Shell. Runs unpatched React 19.0.0 and Next.js 15.0.3.

Overview

  • Fictional news portal built with Next.js App Router and Server Actions.
  • Default configuration, no custom dangerous code, intentionally left unpatched.
  • Designed to study insecure deserialization in the RSC “Flight” protocol and to practice detection/mitigation.

Quick start (Docker recommended)

# 1. Start the lab
docker-compose up -d

# 2. Open the app
http://localhost:3000

# 3. Stop when done
docker-compose down

Manual setup and dev mode

Production-like manual run:

npm install --legacy-peer-deps
npm run build
npm start
# Visit http://localhost:3000

Development with hot reload:

npm install --legacy-peer-deps
npm run dev

Notes:

  • Always use --legacy-peer-deps because of intentional version pinning.
  • If port 3000 is busy, change the mapping in docker-compose.yml (e.g., 3001:3000) or export PORT before starting.

Quick operational status

  • Container: hi-react2shell-tribune
  • Port: 3000 (expects HTTP 200 OK)
  • Vulnerable versions: React 19.0.0, Next.js 15.0.3

Helpful commands:

docker-compose ps
docker-compose logs -f hi-react2shell-tribune
docker-compose restart
docker-compose build --no-cache && docker-compose up -d

Vulnerability summary (React2Shell)

  • CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) allow unauthenticated RCE via insecure deserialization in RSC.

Relevant affected versions:

  • React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • Next.js: >=14.3.0-canary.77, and all 15.x and 16.x releases that have not been patched
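A defender-side version check, added here as an example and not part of the lab's own code: it applies the affected ranges listed above to a package.json-style dependency map, with proper semver ordering so that canary prereleases compare correctly. Function names are hypothetical and the sample dependency map is constructed.

```javascript
// Added example, not part of the lab's own code: flag React / Next.js
// dependency versions that fall inside the affected ranges listed above.
// Helper names are hypothetical; the sample dependency map is constructed.
// Parse "15.0.3" or "14.3.0-canary.77" into numeric core + prerelease ids.
// A leading ^ ~ = or v is dropped, so a range is treated as its lower bound
// (assumption: the lab pins exact versions, as its README says it does).
function parseVersion(v) {
  const clean = v.trim().replace(/^[\^~=v]/, "").split("+")[0];
  const [core, ...rest] = clean.split("-");
  const pre = rest.length ? rest.join("-").split(".") : [];
  return { core: core.split(".").map(Number), pre };
}

// Semver ordering: core numbers first, then a release outranks any
// prerelease, then prerelease ids compared one by one (numeric < alpha).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (!pa.pre.length || !pb.pre.length) return pb.pre.length - pa.pre.length;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (pa.pre[i] === undefined) return -1;
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected list exactly as this README states it. The README gives no fixed
// version numbers, so every 15.x / 16.x is flagged for review, not confirmed.
const REACT_AFFECTED = ["19.0.0", "19.1.0", "19.1.1", "19.2.0"];
function isAffected(name, version) {
  if (name === "react") return REACT_AFFECTED.some((a) => compareVersions(version, a) === 0);
  if (name === "next") {
    const major = parseVersion(version).core[0];
    return major <= 16 && compareVersions(version, "14.3.0-canary.77") >= 0;
  }
  return false; // react-dom etc. are not in the README's list
}

// Returns "name@version" for each flagged dependency in a package.json-style map.
function auditDependencies(deps) {
  return Object.entries(deps).filter(([n, v]) => isAffected(n, v)).map(([n, v]) => `${n}@${v}`);
}
// Constructed sample mirroring the lab's pinned versions.
const LAB_DEPS = { react: "19.0.0", "react-dom": "19.0.0", next: "15.0.3" };
console.log(auditDependencies(LAB_DEPS)); // prints [ 'react@19.0.0', 'next@15.0.3' ]
```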

Exploitation reality

  • No publicly known RCE exploit for a default app; react2shell.com says “Watch this space.”
  • PoCs that manually expose child_process, vm, or fs are not representative.

References

License

This project is licensed under the Apache License 2.0. See LICENSE for details.


Credits

📬 Contact us: [email protected]
