The React2Shell Story
11 hours ago
- #Web Development
- #React
- #Security
- Reported critical RCE vulnerability (React2Shell) to Meta on Nov 30, 2025, fixed on Dec 3, 2025 (CVE-2025-55182).
- Initial goal was to understand React's Flight protocol for hacking modern web apps, leading to discovery of a vulnerability affecting millions of websites.
- Flight protocol enables complex data transmission (e.g., references, Promises) but had a security flaw allowing property inheritance abuse.
- Weaponized Flight to exploit insecure code in Next.js apps, such as type coercion and explicit function calls due to lack of runtime type validation.
- Key breakthrough involved abusing 'thenables' in Flight, chaining function calls to access React's internals and achieve RCE.
- Exploit chain manipulated React's Chunk objects to execute arbitrary code via Module._load in Node.js, leading to a refined RCE proof-of-concept.
- Meta and React teams responded quickly, developing patches and coordinating industry-wide defenses before public disclosure.