React2Shell Explained: The New Vulnerability Breaking Websites Worldwide

React2Shell represents one of the most significant shifts in web exploitation in recent years, not because it abuses memory corruption, but because it weaponizes UI logic, turning modern frameworks into direct vectors for backend compromise. This vulnerability class impacts React Server Components (RSC), a feature introduced in React 19, and has already been acknowledged by major global platforms such as Cloudflare.

React2Shell exists at the intersection of:

  • server-side rendering
  • unsafe deserialization
  • JavaScript engine behavior
  • internal object traversal

Its power comes from the fact that user-controlled inputs can reach the React Flight protocol, a serialization channel never meant to be exposed externally. Once that line is crossed, the attacker controls how the server interprets certain object structures, ultimately escalating into arbitrary code execution under the Node.js runtime.

Why React Server Components Are a Double-Edged Sword

Before dissecting the exploit chain, we need to understand the architecture that makes this possible.

What React Server Components Are

React Server Components (RSC) let React render components on the server instead of the browser. This improves performance and allows React to handle heavy logic before delivering the final HTML to the client.

The React Flight Protocol

Communication between the browser and the server relies on a protocol called React Flight, which handles:

  • serialization of server-side component states
  • deserialization of incoming client requests
  • invocation of server-side functions (Server Actions)

The Flight protocol uses a custom serialization format with unique markers:

Marker                      Meaning
$@                          Chunk reference
$B                          Blob reference
$1:constructor:constructor  Deep property path traversal

These markers were designed for internal use, not for untrusted input.

But in specific deployments, especially custom SSR pipelines or frameworks exposing server actions externally, attacker-controlled data can reach this serialization logic.

This is where React2Shell begins.


Exploitation Breakdown and POC

Researcher maple3142 published the first working proof-of-concept, turning a deserialization flaw into full remote command execution.

Here’s how the chain works in simple but accurate terms.

Stage 1: Forging a Fake Chunk Object

React internally uses “Chunks” to represent streamed data.
The attacker submits a multipart form request containing a crafted fake Chunk:

  • The then property is set to reference Chunk.prototype.then
  • When React processes it, the system treats it like a Promise
  • React automatically calls the then() method
  • The malicious object becomes the this context

Please view the full article from here, as Medium filters some exploit code.