React2Shell: CVE-2025–55182 | TryHackMe Write-Up
好的,用户希望我帮他总结一篇文章的内容,控制在100字以内,并且不需要特定的开头。首先,我需要仔细阅读用户提供的文章内容。 文章主要讨论了CVE-2025–55182漏洞,被称为React2Shell,这是一个影响React Server Components(RSC)和Next.js框架的严重漏洞。漏洞允许未经身份验证的攻击者通过特定HTTP请求执行远程代码,原因是存在不安全的反序列化问题。作者建议用户更新到补丁版本以缓解风险。 接下来,我需要将这些关键信息浓缩到100字以内。要确保涵盖漏洞名称、影响范围、攻击方式、原因以及解决方案。同时,语言要简洁明了,避免使用复杂的术语。 最后,检查字数是否符合要求,并确保内容准确无误。 </think> 文章介绍了CVE-2025–55182(React2Shell)漏洞,该漏洞影响React Server Components和Next.js框架,允许未经身份验证的攻击者通过HTTP请求执行远程代码。原因是不安全的反序列化问题。建议用户更新到补丁版本以修复此高危漏洞(CVSS 10.0)。 2025-12-17 06:31:54 Author: infosecwriteups.com(查看原文) 阅读量:12 收藏

Mochammad Farros Fatchur Roji

Non-members are welcome to access the full story here.

Here i want to share about my write-up for the room React2Shell: CVE-2025–55182 ↗ , explore the CVE-2025–55182 vulnerability in React server components. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Press enter or click to view image in full size

Task 1: Introduction

This task introduces CVE-2025–55182, dubbed “React2Shell,” a critical vulnerability (CVSS 10.0) affecting React Server Components (RSC) and frameworks like Next.js. The flaw allows unauthenticated remote code execution via a specific HTTP request due to an unsafe deserialization issue. To mitigate this, users must update vulnerable packages (like react-server-dom-webpack) to patched versions (e.g., 19.0.1+).

Having outlined the basics, let’s now dive into the key technical notes.

No answer needed

Task 2: Understanding React Server Components and the Flight Protocol

This section explains the architecture of React Server Components (RSC), where components are rendered on the server for performance. The server-client communication relies on the React Flight protocol, which handles data serialization using specific markers like $@ (for chunk references)…


文章来源: https://infosecwriteups.com/react2shell-cve-2025-55182-tryhackme-write-up-9b2fa332ca8e?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh