The article details the discovery and disclosure of react2shell (CVE-2025-55182), a critical unauthenticated remote code execution vulnerability in React Server Components. The vulnerability stemmed from improper type validation in the Flight protocol, allowing attackers to construct arbitrary chunks and access object prototypes. The narrative follows the researchers' journey in identifying the flaw and the subsequent events, highlighting the technical challenges and collaboration across time zones.
Background
React Server Components is a relatively new feature in the React ecosystem that allows server-side rendering with more granular control. The Flight protocol is React's wire protocol for streaming UI components from server to client.
- Source: Lobsters
- Published: May 9, 2026 at 10:19 PM
- Score: 8.0 / 10