The React2Shell Story

· web coding security ·

A security researcher reverse-engineered React’s undocumented Flight protocol out of curiosity and landed on CVE-2025-55182, a critical remote code execution bug affecting millions of Next.js sites; Meta shipped the fix on December 3rd 2025.

What Matters

  • Flight is React’s internal serialization protocol for Server Components/Functions; it has no public specification — “no docs, only code.”
  • Flight’s `$x:y` reference syntax resolves property `y` of the value stored in row `x`. Because that lookup used ordinary property access, which walks the prototype chain, a reference like `$1:toString` on a number resolved to Number.prototype.toString, letting an attacker pull built-in functions into objects they control.
  • Guillermo Rauch called the missing prototype-chain guard “a glaring omission of a safety check.”
  • TypeScript type annotations on Server Function parameters are erased at compile time and provide no runtime enforcement; an attacker can send any Flight-encoded value regardless of the declared types.
  • Every value in Flight’s allowed type set has a `constructor` reachable through the same prototype walk, and chaining `constructor` references (a number gives Number, whose constructor is Function) yields the Function constructor, which compiles attacker-supplied source: arbitrary code execution.
  • Lachlan (NZ-based researcher) reported the bug on November 30th 2025; Meta patched it and published CVE-2025-55182 within three days.
  • Sylvie Mayer co-investigated the weaponization puzzle; her separate blog post covers the post-disclosure timeline from GMT-7.
