A little late to the party, but I spent some time analyzing the React2Shell vulnerability (CVE-2025-55182) that shook the React ecosystem last month. Here's my deep-dive into what happened, how it worked, and what we can learn from it.
TL;DR
- Vulnerability: CVE-2025-55182 (React2Shell)
- Severity: 10.0 CVSS Critical
- Attack Vector: Prototype pollution → Remote Code Execution
- Affected: React Server Components (RSC) - Next.js, Remix, Cloudflare Workers, and more
- Status: Patched (React 19.0.0+ and 18.3.1+)
What Went Wrong?
React Server Components introduced a custom serialization protocol called React Flight to send component data from server to client. The vulnerability existed in how this protocol deserialized data:
- Attackers could pollute `Object.prototype.then`
- React's deserialization logic checked for `.then` to detect Promises
- The polluted prototype caused arbitrary code execution on the server
- A single crafted HTTP request = full RCE
What I Cover in the Article
- React terminology breakdown (React, RSC, React Flight Protocol)
- Technical mechanics of the prototype pollution exploit
- POC analysis (without providing ready-to-use exploits)
- Ecosystem impact - how this affected major frameworks and platforms
- Timeline of discovery, disclosure, and patching
- Lessons learned for JavaScript security
Read the Full Analysis
I documented everything in detail on my blog:
React2Shell Aftermath - Full Technical Analysis
Key Takeaways
- Prototype pollution is still dangerous - Even modern frameworks can be vulnerable
- Serialization is a critical attack surface - Especially in SSR/RSC contexts
- Type checking via prototype chain is risky - Using `typeof obj.then === 'function'` to detect Promises can be exploited
- Defense in depth matters - Single validation points create single points of failure
Discussion
I'd love to hear your thoughts! Do you have any other prototype pollution war stories to share?
Drop your comments below!