Share
## https://sploitus.com/exploit?id=E68D082F-3785-5828-963A-845516BFAE1F
# React2Shell (CVE-2025-55182) Visualization

An interactive educational visualization explaining React Server Components, the Flight Protocol, and the critical React2Shell RCE vulnerability.

## Overview

This project provides a step-by-step visual guide to understanding:

1. **Traditional SSR** - How classic server-side rendering works with JSON data hydration
2. **RSC Streaming** - React Server Components and the Flight Protocol's streaming architecture
3. **The Exploit** - How CVE-2025-55182 enables Remote Code Execution through malicious Flight payloads
4. **The Fix** - What changes were made to patch the vulnerability
5. **Lessons Learned** - Key takeaways for secure application development

## What is React2Shell?

React2Shell (CVE-2025-55182) is a critical vulnerability in React's Flight Protocol that allowed attackers to achieve Remote Code Execution (RCE) on servers running React Server Components. The vulnerability existed in how the Flight Protocol deserialized data, allowing specially crafted payloads to execute arbitrary code.

## Live Demo

Visit the [GitHub Pages deployment](https://volksrat71.github.io/react2shellexploitvisualized/) to explore the visualization.

## Running Locally

```bash
# Using any static file server
npx serve .

# Or Python
python -m http.server 8000

# Or PHP
php -S localhost:8000
```

Then open `http://localhost:8000` in your browser.

## Educational Purpose

This visualization is intended purely for educational purposes to help developers understand:

- How modern React rendering architectures work
- Why serialization/deserialization is a critical security boundary
- How supply chain and framework-level vulnerabilities can have widespread impact
- The importance of input validation and secure defaults

## Resources

- [Original Security Advisory](https://github.com/facebook/react/security/advisories)
- [React Server Components Documentation](https://react.dev/reference/rsc/server-components)
- [Flight Protocol Internals](https://github.com/facebook/react/tree/main/packages/react-server)

## License

MIT