
kavienanj/CVE-2025-55182

React2Shell: CVE-2025-55182 Walkthrough

Author: Kavienan J

Vulnerability discovered by: lachlan2k, who responsibly disclosed it to the React team.

For updates on this vulnerability, visit: react2shell.com

Table of Contents

  1. Introduction
  2. Background
  3. Understanding ReactFlightReplyServer.js
  4. Crafting the First Payload
  5. The Fake Chunk
  6. All Under Control
  7. The Exploit
  8. The Fix

Introduction

CVE-2025-55182 is rated 10.0/10.0 in severity. If you've looked at the public PoCs, you may have noticed that while they show the exploit working, the explanations for why the payload looks the way it does can feel insufficient—which makes perfect sense given how complicated the React Flight Protocol is. Flight, the serialization layer behind React Server Components and Server Actions, is an intricate 1,100+ line state machine, and its behavior isn't intuitive unless you trace the code yourself.

The community PoCs demonstrate the vulnerability clearly:

…but when you try to answer "Why does this work?", you quickly find yourself spelunking deep into React internals that were never meant to be read line by line.

Note: Many PoCs incorrectly attribute the fix to changes in requireModule. As we'll see in The Fix, the exploit payload never reaches that function—the actual vulnerable code resides entirely in ReactFlightReplyServer.js.

This write-up is my attempt to reverse-engineer the exploit chain by tracing React's decoding and chunk-initialization logic step by step. Every behavior discussed here comes directly from how ReactFlightReplyServer.js worked before the fix (reference: https://github.com/facebook/react/blob/v19.2.0/packages/react-server/src/ReactFlightReplyServer.js), distilled and simplified so that a React/JS developer can follow along with enough patience.


Next Section: Background

About

Step-by-step walkthrough of CVE-2025-55182 (React2Shell) by tracing React's Flight protocol internals.
