Author: Kavienan J
Vulnerability discovered by: lachlan2k, who responsibly disclosed it to the React team.
For updates on this vulnerability, visit: react2shell.com
- Introduction
- Background
- Understanding ReactFlightReplyServer.js
- Crafting the First Payload
- The Fake Chunk
- All Under Control
- The Exploit
- The Fix
CVE-2025-55182 is rated 10.0/10.0 in severity. If you've looked at the public PoCs, you may have noticed that while they show the exploit working, the explanations for why the payload looks the way it does can feel insufficient—which makes perfect sense given how complicated the React Flight Protocol is. Flight, the serialization layer behind React Server Components and Server Actions, is an intricate 1,100+ line state machine, and its behavior isn't intuitive unless you trace the code yourself.
The community PoCs demonstrate the vulnerability clearly:
- https://github.com/msanft/CVE-2025-55182
- https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
- https://x.com/rauchg/status/1997362942929440937
…but when you try to answer "Why does this work?", you quickly find yourself spelunking deep into React internals that were never meant to be read line by line.
Note: Many PoCs incorrectly attribute the fix to changes in requireModule. As we'll see in The Fix, the exploit payload never reaches that function—the actual vulnerable code resides entirely in ReactFlightReplyServer.js.
This write-up is my attempt to reverse-engineer the exploit chain by tracing React's decoding and chunk-initialization logic step by step. Every behavior discussed here comes directly from how ReactFlightReplyServer.js worked before the fix (reference: https://github.com/facebook/react/blob/v19.2.0/packages/react-server/src/ReactFlightReplyServer.js), distilled and simplified so that, with enough patience, a React/JS developer can follow along.