██████ ███████ █████ ██████ ████████ ██████ ███████ ██ ██ ███████ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ █████ ███████ ██ ██ █████ ███████ ███████ █████ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██████ ██ ███████ ███████ ██ ██ ███████ ███████ ███████
█ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
█ █ █ █ █ █ █ █ █ █ █ █ █
█ █ █ █ █
Proof-of-concept exploit scanner for CVE-2025-55182
When a critical zero-day affects widespread architecture, quickly determining exposure within massive attack surfaces is extremely difficult. I built React2Shell to automate the discovery and safe exploitation of CVE-2025-55182 (React Server Components RCE). It enables security researchers to definitively test targets simply and silently.
Written strictly in Python using high-concurrency request engineering, React2Shell processes multiple target strings systematically. It parses local files and standardizes schemas. Rather than complex UI, it runs an interactive shell or executes chained commands (like `whoami`, `cat /etc/passwd`, and `ls -la /var/www`) by leveraging specific serialization bypass payloads unique to the vulnerability.
The major technical obstacle was minimizing the noise and network traffic generated during multi-target scanning across hundreds of domains. I implemented a strict silent-failure model and dynamic payload injection. Instead of outputting 404s and normal errors, the script simply shows an initialization spinner and only returns a console block when an active, working shell returns a positive validation of the underlying RCE vulnerability.