James Cao
Pre-Authentication RCE in KoaCook Order Online System

Case Study: Pre-Authentication RCE in KoaCook Order Online System (CVE-2025-55182)

Executive Summary

While performing a white-box security audit of a legacy internal application, I identified a critical, pre-authentication Remote Code Execution (RCE) vulnerability stemming from the unsafe deserialization of payloads within the React Server Components (RSC) transport protocol, commonly referred to as the Flight protocol. This vulnerability is tracked as CVE-2025-55182, colloquially known as React2Shell. I have responsibly disclosed the finding and patched the application by upgrading the vulnerable dependencies (react, react-dom, and next). This post details the technical mechanics of the exploit, provides a sanitized Proof of Concept (PoC), and illustrates the remediation path. ...
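Because the remediation is a dependency upgrade, the practical check for anyone else running a React/Next.js application is whether the installed versions in the lockfile fall inside the affected ranges. The following Node script is an added example, not code from the original post or from the patched application: it walks a package-lock.json (lockfileVersion 2/3 `packages` map, including nested copies under a second `node_modules/`) and reports every entry inside an OSV-style `[introduced, fixed)` range. The package names and version numbers in `ADVISORY`, and the sample lockfile, are illustrative assumptions constructed for the example; fill the table from the vendor advisory for CVE-2025-55182 before trusting a clean result.

```javascript
// Added example (not from the original post or the audited application).
// Audit an npm package-lock.json against OSV-style affected ranges
// [introduced, fixed). ADVISORY is an ILLUSTRATIVE ASSUMPTION: replace the
// package names and versions with those in the vendor advisory.

const ADVISORY = {
  react: [
    { introduced: "19.0.0", fixed: "19.0.1" },
    { introduced: "19.1.0", fixed: "19.1.2" },
    { introduced: "19.2.0", fixed: "19.2.1" },
  ],
  "react-dom": [
    { introduced: "19.0.0", fixed: "19.0.1" },
    { introduced: "19.1.0", fixed: "19.1.2" },
    { introduced: "19.2.0", fixed: "19.2.1" },
  ],
  next: [
    { introduced: "15.3.0", fixed: "15.3.6" },
    { introduced: "15.5.0", fixed: "15.5.7" },
  ],
};

// Constructed sample lockfile fragment, not the real application's lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/next": { version: "15.3.2" },
    // Nested copy already at the fixed release: must not be reported.
    "node_modules/some-tool/node_modules/react": { version: "19.1.2" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Parse "major.minor.patch[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric semver comparison. A prerelease (e.g. a canary build) sorts before
// the release with the same numbers; prerelease identifiers are not ordered
// among themselves, which is enough for range checks against final releases.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? null : p.slice(i + marker.length);
}

// True when version lies in any [introduced, fixed) range.
function isAffected(version, ranges) {
  return ranges.some(
    (r) =>
      compareVersions(version, r.introduced) >= 0 &&
      compareVersions(version, r.fixed) < 0
  );
}

// Every lockfile entry (top-level or nested) whose version is affected,
// sorted by path so the report is deterministic.
function findVulnerable(lock, advisory) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in advisory) || !entry.version) continue;
    if (isAffected(entry.version, advisory[name])) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Convenience wrapper for the raw contents of a package-lock.json file.
function auditLockfileJson(text, advisory = ADVISORY) {
  return findVulnerable(JSON.parse(text), advisory);
}

for (const hit of findVulnerable(SAMPLE_LOCK, ADVISORY)) {
  console.log(`AFFECTED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run it against a real lockfile with `auditLockfileJson(fs.readFileSync("package-lock.json", "utf8"))`; an empty result only means no version fell inside the ranges you supplied, so the table must match the advisory, including any canary or prerelease lines it covers.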

March 21, 2026 · 3 min