This indicator confirms that the application is returning React Flight responses, meaning that the server processes serialized component data.<\/p>\n\n\n\n
Crafting a Malicious React Payload
<\/h2>\n\n\n\n
Once the presence of React Server Components was confirmed, the next step was to craft a malicious HTTP request targeting the server\u2019s component deserialization process.<\/p>\n\n\n\n
The request sends a specially crafted multipart payload that abuses the React serialization mechanism and invokes the Node.js runtime.<\/p>\n\n\n\n
Example HTTP request:<\/p>\n\n\n\n The injected payload executes the following Node.js code:<\/p>\n\n\n\n This command forces the server to execute the operating system id command.<\/p>\n\n\n\n When the malicious payload is successfully processed, the server executes the injected command and returns the output encoded in Base64 within the response header.<\/p>\n\n\n\n An example response header is shown below:.<\/p>\n\n\n\n Decoding the Base64 value reveals the output of the executed command:<\/p>\n\n\n\n This confirms that the injected command was successfully executed on the server. The figure below illustrates the full HTTP request and response demonstrating successful remote command execution.<\/p>\n\n\n\n To further demonstrate the impact, the payload was modified to retrieve the contents of sensitive system files. The following command was executed:<\/p>\n\n\n\n The server returned the contents of the file, confirming that arbitrary file access is possible through the vulnerability.<\/p>\n\n\n\n Successful exploitation allows attackers to:<\/p>\n\n\n\n Because this vulnerability requires no authentication, it represents a severe risk to exposed React Server Component applications.<\/p>\n\n\n\n Developers should immediately take the following actions:<\/p>\n\n\n\n Upgrade React and related packages to patched versions:<\/p>\n\n\n\n React 19.0.1 Ensure that React Server Component endpoints are not directly accessible from external clients.<\/p>\n\n\n\n Reject malformed React Flight payloads and enforce strict schema validation.<\/p>\n\n\n\n Monitor logs for suspicious multipart requests or unusual React Flight payload structures.<\/p>\n\n\n\n React2Shell highlights an important lesson: modern frameworks introduce new attack surfaces that traditional security testing may miss.<\/p>\n\n\n\n With the increasing adoption of server-side rendering frameworks, understanding the internals of protocols such as React Flight is becoming essential for security professionals.<\/p>\n\n\n\n If your organization runs React Server Components, patching this vulnerability should be treated as an immediate priority.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Modern web applications increasingly rely on frameworks such as React and Next.js to build dynamic user interfaces. While these frameworks provide powerful features for developers, they also introduce new attack surfaces that security professionals must understand. One of the most critical vulnerabilities discovered in recent years is React2Shell, tracked as CVE-2025-55182. This vulnerability affects React … <\/p>\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2026\/03\/SampleRCERequest.png\")
<\/figure>\n\n\n\nprocess.mainModule.require('child_process').execSync('id')<\/pre>\n\n\n\nVerifying Command Execution<\/h2>\n\n\n\n
X-Action-Redirect: \/login?a=dWlkPTEwMSBnaWQ9MChyb290KSBncm91cHM9MChyb290KSwxMDEK;push<\/pre>\n\n\n\n
uid=101 gid=0(root) groups=0(root),101<\/pre>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2026\/03\/Burp_RCE1.png\")
<\/figure>\n\n\n\nAccessing Sensitive Files<\/h2>\n\n\n\n
cat \/etc\/passwd<\/pre>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2026\/03\/Burp_RCE2.png\")
<\/figure>\n\n\n\nImpact<\/h2>\n\n\n\n
\n
Mitigation<\/h2>\n\n\n\n
\n
React 19.1.2
React 19.2.1<\/p>\n\n\n\n\n
\n
\n
Final Thoughts<\/h2>\n\n\n\n