React.js shell shocked by 10.0 critical vulnerability…

By Fireship


Key Concepts

  • React2Shell (CVE-2025-55182): A critical, unauthenticated remote code execution vulnerability in the server-side handling of the React Server Components Flight protocol, shipped in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages.
  • React Flight Protocol: The serialization format React Server Components use to stream the rendered component tree from the server to the client, and to carry arguments from the client back to the server when a Server Function is invoked.
  • Deserialization Vulnerability: A flaw where data from an untrusted source is turned back into live objects without validation, letting the sender shape the resulting object graph and, through it, reach code paths that execute arbitrary code.
  • Server Components: React components that render on the server rather than in the browser; their output reaches the client as a Flight payload, which cuts client-side JavaScript and improves performance and SEO.
  • Remote Code Execution (RCE): An attack in which the attacker runs code of their choosing on the target system.

React2Shell: A Critical Vulnerability in React

This report details a critical vulnerability, dubbed “React2Shell” (CVE-2025-55182), in React Server Components, specifically in the server-side implementation of the Flight protocol. It carries a CVSS score of 10.0, the maximum possible. Its impact is broad because of how widely React is deployed and because frameworks built on Server Components, such as Next.js, embed the affected code.

The Severity and Scope of the Problem

The vulnerability allows attackers to achieve remote code execution (RCE) without authentication, from a single crafted HTTP request: no login, no stolen session and no prior foothold on the host are needed, which is why it is described as giving shell access to the server. The video cites estimates of over 2 million vulnerable servers and reports that scanning and exploitation attempts are already underway, including by China-nexus hacking groups as observed by Amazon. The comparison to Log4Shell (CVE-2021-44228) is drawn because both are unauthenticated RCEs in a dependency embedded in an enormous number of deployments, the combination that produces widespread disruption and a large economic cleanup bill.

Understanding the React Flight Protocol

The core of the vulnerability lies in the React Flight protocol, the wire format for Server Components. It carries the pre-rendered component tree from the server to the client browser and, in the other direction, the arguments a client sends when it invokes a Server Function. The video’s analogy is a construction workflow: components are prefabricated on the server (like parts of a shed built in a factory), serialized for network transmission (loaded onto a truck), and then rendered in the browser (assembled at the build site). The security-relevant detail is the return trip: a Flight payload that arrives from the client is untrusted input that the server must decode.

The Root Cause: Deserialization of Untrusted Input

The vulnerability stems from a classic deserialization flaw. React’s server-side Flight decoder treated incoming payloads as if they had been produced by its own trusted client, deserializing them without adequate validation. An attacker can therefore hand-craft a “Flight payload” that, when decoded, produces an object graph the server never intended to build. Such a manipulated graph can be steered into calling dangerous server-side APIs, and from there into executing arbitrary code.

Concretely, a single poisoned request to the vulnerable endpoint is enough to manipulate the server’s runtime environment and reach RCE; no login or session hijacking is required. The compromised server is then repurposed for whatever the attacker wants, cryptomining being the example the video gives.
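To make the class of bug concrete, the following is an added toy example, written for this page; it is not React’s Flight implementation and does not reproduce the actual CVE-2025-55182 mechanism. It uses a made-up convention in which strings beginning with `$` in an incoming payload are references to server-side objects (the names `serverRegistry`, `ui/Greeting` and `sys/exec` are hypothetical). The unsafe decoder resolves any reference the client names, so the payload chooses which server function runs; the hardened decoder only resolves references into a closed table the server built for that request and rejects everything else.

```javascript
// Added toy example (not React's code, not the real CVE mechanism): why a
// deserializer must not resolve attacker-chosen references against ambient
// server-side objects, and the hardened alternative.

// Hypothetical server-side registry. In a real app this would be a module map;
// "sys/exec" stands in for any API the client must never be able to reach.
const serverRegistry = {
  "ui/Greeting": (props) => `Hello, ${props.name}`,
  "sys/exec": (props) => `executed: ${props.cmd}`, // stand-in for child_process
};

// UNSAFE: every "$<name>" string in the untrusted payload is looked up in the
// whole registry, so the sender decides which server function ends up in the
// decoded object graph.
function unsafeDecode(json) {
  return JSON.parse(json, (_key, value) => {
    if (typeof value === "string" && value.startsWith("$")) {
      return serverRegistry[value.slice(1)];
    }
    return value;
  });
}

// HARDENED: references are resolved only into a per-request table that the
// server populated itself; an unknown reference is an error, not a lookup.
function safeDecode(json, allowedRefs) {
  return JSON.parse(json, (_key, value) => {
    if (typeof value === "string" && value.startsWith("$")) {
      const ref = value.slice(1);
      if (!Object.prototype.hasOwnProperty.call(allowedRefs, ref)) {
        throw new Error(`unknown reference: ${ref}`);
      }
      return allowedRefs[ref];
    }
    return value;
  });
}

// Simulates the server acting on the decoded graph: call the referenced
// function with the props that travelled alongside it.
function render(decoded) {
  return decoded.fn(decoded.props);
}

// Constructed payloads: one a client would legitimately send, one hostile.
const benignPayload = JSON.stringify({ fn: "$ui/Greeting", props: { name: "Ada" } });
const maliciousPayload = JSON.stringify({ fn: "$sys/exec", props: { cmd: "id" } });

// Runs both decoders against both payloads and returns what each produced.
function demo() {
  const results = {
    unsafeBenign: render(unsafeDecode(benignPayload)),
    unsafeMalicious: render(unsafeDecode(maliciousPayload)),
  };
  // The server decides up front which references this request may use.
  const allowedForThisRequest = { "ui/Greeting": serverRegistry["ui/Greeting"] };
  results.safeBenign = render(safeDecode(benignPayload, allowedForThisRequest));
  try {
    render(safeDecode(maliciousPayload, allowedForThisRequest));
    results.safeMalicious = "allowed";
  } catch (e) {
    results.safeMalicious = `rejected: ${e.message}`;
  }
  return results;
}

console.log(demo());
```

The point of the hardened form is not the `$` syntax but the lookup target: a reference in untrusted input may only select among objects the server already decided to expose for that request, never among everything reachable in the process.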

Identifying Vulnerable Systems

Developers can determine whether they are exposed by listing the installed React Server Components packages and their versions (for example with npm ls for react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, including any copies nested under other packages) and comparing them against the patched releases named in the React advisory. The video’s framing is blunt: running a vulnerable version is as good as installing malware, because an attacker who gets in can lock you out and demand a ransom to hand back control of the website.

Mitigation and Tools

The primary mitigation is to upgrade to a patched release of the affected React Server Components packages and, where a framework such as Next.js bundles them, to the framework release that carries the fix. The video promotes GenSpark, an AI-powered workspace, as a tool to help developers update and secure their codebases quickly. GenSpark orchestrates multiple AI models to automate tasks, including code analysis and remediation, and offers a browser-based development environment for building and deploying web applications.

Logical Connections and Synthesis

The report establishes a clear connection between the React Flight protocol, the deserialization vulnerability, and the potential for RCE. It draws a parallel to the Log4Shell vulnerability to emphasize the severity and potential impact. The presentation moves logically from identifying the problem, explaining its technical underpinnings, outlining the scope of the threat, and finally, suggesting a mitigation strategy.

The main takeaway is the urgent need for React developers to check their deployments for the vulnerable packages and apply the patched versions before they are exploited. The vulnerability underscores the importance of treating every deserialization of client-supplied data as untrusted input, and the risk that a flaw in a widely embedded framework like React is inherited by every application built on it.

Notable Quote

“You might remember Log4Shell back in 2021… Well, in 2025, Log4Shell has a new sister called React2Shell.” – This quote emphasizes the severity of the new vulnerability by drawing a direct comparison to the widely publicized Log4Shell exploit.
