This POC is not realistic and doesn't work against production builds of Next.js. It requires explicit exposure of gadgets by the user (eg. vm.runInContext) so is invalid as noted on https://react2shell.com

I will believe it works when it is demonstrated against a create-next-app project.

The guy who discovered the actual vulnerability says otherwise.

Delete this distraction to genuine blue teamers and stop shitting up the information landscape with this utter hogwash.

This is why infosec is dead.

https://react2shell.com/

https://github.com/ejpir/CVE-2025-55182-poc/issues/1#issueco...