Difficulty: Intermediate · Read time: 4 min

CVE-2025-55182 · React2Shell: RCE in React Server Components via Prototype Pollution

By Codcompass Team · 4 min read

Current Situation Analysis

React Server Components (RSC) stabilized in React 19 alongside Server Actions, introducing a custom streaming serialization layer known as the Flight protocol. When a client invokes a Server Action, it transmits a serialized payload via multipart/form-data. The server deserializes this payload, executes the action, and streams the result back.

The core failure mode stems from the Flight deserializer's reliance on behavioral type checking (duck typing) rather than identity verification. The runtime assumes that any object possessing a .then method is a Promise and attempts to resolve it. This assumption is fundamentally incompatible with JavaScript's prototype chain: a property looked up on a plain object is also found if it lives on Object.prototype. Attackers exploit this by poisoning Object.prototype.then through crafted multipart POST requests, causing the deserializer to misidentify poisoned plain objects as Promises.
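To make the type-checking point concrete, here is an added example (not React's or Next.js's own Flight code): a toy decoder that classifies decoded fields either by duck typing, as the article describes, or by a hardened check that requires `.then` to be an own property or the value to be a genuine Promise. The pollution is simulated locally and undone in a `finally` block; the field names in the sample payload are constructed.

```javascript
// Behavioral (duck-typed) check: "anything with a .then method is a Promise".
// This is the class of check the article says the deserializer relies on.
function isThenableDuckTyped(value) {
  return value !== null && typeof value === 'object' && typeof value.then === 'function';
}

// Hardened check: a real Promise passes by identity; anything else must carry
// .then as its OWN property, so a .then inherited from Object.prototype is ignored.
function isThenableHardened(value) {
  if (value instanceof Promise) return true;
  return value !== null && typeof value === 'object'
    && Object.prototype.hasOwnProperty.call(value, 'then')
    && typeof value.then === 'function';
}

// Toy decoder stage: label each top-level field of a decoded payload.
function classifyFields(decoded, isThenable) {
  const out = {};
  for (const key of Object.keys(decoded)) {
    out[key] = isThenable(decoded[key]) ? 'promise' : 'plain';
  }
  return out;
}

// Simulate Object.prototype.then being polluted (constructed, local to this
// function) and compare how the two checks classify an ordinary payload.
function demonstratePollution() {
  const payload = { user: { id: 1 }, action: 'save' }; // constructed sample
  const before = classifyFields(payload, isThenableDuckTyped);
  Object.prototype.then = function () {};
  try {
    return {
      before,                                                   // user: 'plain'
      duckTypedAfter: classifyFields(payload, isThenableDuckTyped), // user: 'promise'
      hardenedAfter: classifyFields(payload, isThenableHardened),   // user: 'plain'
    };
  } finally {
    delete Object.prototype.then; // restore global state
  }
}

module.exports = { isThenableDuckTyped, isThenableHardened, classifyFields, demonstratePollution };
```

The same defensive idea applies to any decoder that must accept untrusted object graphs: decode into null-prototype objects (`Object.create(null)`) or test ownership with `hasOwnProperty.call`, so that nothing inherited from a shared prototype can change how a value is interpreted.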

Traditional security controls fail to mitigate this attack vector for three reasons:

  1. WAF Blindness: Standard Web Application Firewalls inspect payload signatures and injection patterns. The exploit uses a structurally valid multipart/form-data request with no traditional injection markers, allowing it to bypass inspection entirely.
  2. Protocol-Level Abuse: The vulnerability operates at the deserialization layer, not the application logic layer. Traditional RCE detection mechanisms (e.g., command injection filters) do not account for prototype pollution triggering new Function() execution.
  3. Zero-Auth Surface: The attack requires no authentication, session tokens, or prior knowledge of the application's route structure. Any Next.js App Router endpoint processing multipart/form-data with a Next-Action header is inherently exposed.
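Because signature-based inspection does not help here, a defender's first practical check is an inventory of the request shape the article calls exposed: POST, multipart/form-data body, Next-Action header present, no session material. The following is an added triage script (not from the article or from Next.js); the access-log format, header casing and sample entries are constructed assumptions, so adapt the field names to your proxy's logs.

```javascript
// Constructed sample: one JSON access-log entry per line, header names lowercased.
const SAMPLE_LOG = [
  '{"ts":"2025-01-01T10:00:00Z","ip":"10.0.0.5","method":"GET","path":"/","headers":{"cookie":"session=abc"}}',
  '{"ts":"2025-01-01T10:00:01Z","ip":"10.0.0.5","method":"POST","path":"/dashboard","headers":{"content-type":"multipart/form-data; boundary=x","next-action":"a1b2","cookie":"session=abc"}}',
  '{"ts":"2025-01-01T10:00:02Z","ip":"198.51.100.7","method":"POST","path":"/","headers":{"content-type":"multipart/form-data; boundary=y","next-action":"a1b2"}}',
  '{"ts":"2025-01-01T10:00:03Z","ip":"198.51.100.7","method":"POST","path":"/api/upload","headers":{"content-type":"multipart/form-data; boundary=z"}}',
  '{"ts":"2025-01-01T10:00:04Z","ip":"10.0.0.9","method":"POST","path":"/login","headers":{"content-type":"application/json"}}',
].join('\n');

// Parse newline-delimited JSON, skipping blank lines.
function parseLogLines(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// The exposed request shape from the article: multipart POST carrying Next-Action.
function isServerActionRequest(entry) {
  const headers = entry.headers || {};
  const contentType = String(headers['content-type'] || '').toLowerCase();
  return entry.method === 'POST'
    && contentType.startsWith('multipart/form-data')
    && Object.prototype.hasOwnProperty.call(headers, 'next-action');
}

// No cookie and no Authorization header: the request reached the action unauthenticated.
function isUnauthenticated(entry) {
  const headers = entry.headers || {};
  return !headers.cookie && !headers.authorization;
}

// Summarise: how many Server Action invocations, how many without any session
// material, and which paths/sources they came from.
function triage(text) {
  const entries = parseLogLines(text);
  const actions = entries.filter(isServerActionRequest);
  const unauth = actions.filter(isUnauthenticated);
  return {
    total: entries.length,
    serverActions: actions.length,
    unauthenticated: unauth.length,
    unauthPaths: [...new Set(unauth.map((e) => e.path))],
    unauthSources: [...new Set(unauth.map((e) => e.ip))],
  };
}

module.exports = { SAMPLE_LOG, parseLogLines, isServerActionRequest, isUnauthenticated, triage };
```

Run over a day of proxy logs, the `unauthPaths` list tells you which App Router pages accept anonymous Server Action invocations; those are the endpoints to patch first and to front with rate limiting while the upgrade rolls out.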

WOW Moment: Key Findings

| Approach | Auth Required | WAF Bypass Rate | Execution Det
