A Deep And Very Technical Analysis of CVE-2025-55182 (React2...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://i0.rs/blog/a-deep-and-very-technical-analysis-of-cve-2025-55182-react2-shell/
• Blog Title: A Deep And Very Technical Analysis of CVE-2025-55182 (React2Shell)
• Suggested Section: Pentesting Web -> Deserialization (or a new dedicated page such as "React Flight / RSC Deserialization RCE" linked from Web Vulnerabilities Methodology and/or Deserialization)

🎯 Content Summary

This post provides a deep, step‑by‑step technical analysis of CVE‑2025‑55182 (React2Shell), a CVSS 10.0 unauthenticated remote code execution vulnerability in the React Server Components (RSC) Flight protocol, as implemented in React 19.x and meta‑frameworks such as Next.js, React Router, Waku, and @vitejs/plugin-rsc. It starts by explaining React’s history (state, Virtual DOM, bundling), then how meta‑frameworks introduced server‑side rendering (SSR), and finally how RSC and the Flight proto...

🔧 Technical Details

1. Abusing Flight’s reference syntax for prototype traversal and RCE
The core trick is to exploit React Flight’s reference grammar, where serialized strings beginning with $ are resolved by parseModelString, and : acts as a property accessor. Attackers craft chunk values like "$1:__proto__:constructor:constructor" so that $1 resolves to a base object (e.g., from chunk 1) and __proto__ → constructor → constructor walks the JavaScript prototype chain until it recovers the global Function constructor. Once a Function constructor is available, serialized payloads can evaluate arbitrary JavaScript such as Function("return process")() and then call process.mainModule.require('child_process').execSync('id') or similar, turning a data‑only Flight stream into remote code execution in the Node.js process.

2. Chaining Promise...

🤖 Agent Actions

Summary:

• Restored and expanded NextJS documentation with a full technical breakdown of the React Server Components Flight protocol stream format, showing how attackers craft multipart chunk maps, use $ references, and bypass middleware to reach the react-server deserializer.
• Added an explicit parseModelString prefix table, prototype-chain traversal example, promise/hex chunk gadget discussion, and the resulting Function() RCE primitive derived from the React2Shell research.
• Documented a practical instrumentation workflow (local file-based React builds, VSCode breakpoints, PoC modification) so testers can single-step through chunk resolution, plus updated the references with the deep-dive source.

Testing: Not run (not applicable).

Files Modified:

• src/network-services-pentesting/pentesting-web/nextjs.md

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://i0.rs/blog/a-deep-and-very-technical-analysis-of-cve-2025-55182-react2-shell/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Deserialization (or a new dedicated page such as "React Flight / RSC Deserialization RCE" linked from Web Vulnerabilities Methodology and/or Deserialization)".

Repository Maintenance:

• MD Files Formatting: 920 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0