As public PoCs are circulating and Google's Scanner uses a variation of my original submitted PoC, it's finally a responsible time to share my original PoCs for React2Shell.

This repository contains 3 PoCs:

• 00-very-first-rce-poc - the very first PoC I managed to develop for RCE. Only directly works on dev builds of Next.js sites that use Webpack.
• 01-submitted-poc.js (the main one) - the exact PoC I submitted to Meta, far simpler and effective
• 02-meow-rce-poc - the PoC hashed and posted as proof by Sylvie on November 29th, shortly before initial disclosure to Meta

TL;DR

Many other people have explained their PoCs, but here's my very brief explainer:

• $@x gives you access to a Chunk
• We plant its then on our own object
• The JS runtime automatically unravels nested promises (really, anything with a .then function)
• We now re-enter the parser, but with control of a malicious fake Chunk object
• Planting things on _response lets us access a lot of gadgets when this happens
• (insert several options here)
• RCE

Some Differences in PoC

You might notice my PoC has a funny thing going on in then. This was a nice primitive I was using for 'chaining' multiple chunks together, where resolve is passed to Array.map to let me "hop" to another chunk defined in $0.

The publicly recreated PoC circulating doesn't do this, as it's not necessary when just doing a single jump. It was nice to see that the re-created PoC did otherwise use the same _formData gadget that mine did - but the 00- PoC is a wild ride, if you dare try to read it :)

Full Writeup

Soon.