Critical RCE Vulnerability Discovered in React Server Components, Immediate Updates Urged
A critical Remote Code Execution (RCE) vulnerability, dubbed “React2shell” and scoring 10.0 on the CVSS severity scale, was publicly disclosed on December 3rd, affecting React Server Components. The exploit leverages a flaw in React’s proprietary “flight protocol,” which serializes and deserializes data between server and client in a modern React application. Specifically, the vulnerability allows attackers to hijack the server component flight protocol by manipulating internal state serialization, abusing the promise then property, constructor access, and blob keys to achieve arbitrary code evaluation on the server. The vulnerability impacts React versions 19, 19.1, 19.11, and 19.2, as well as the associated packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. React 18 remains unaffected, and patches have been released in versions 19.0.1, 19.1.2, and 19.2.1.
The vulnerability was responsibly disclosed by Lachlan Davidson via Meta’s bug bounty program on November 29th. The React team, in collaboration with Meta, responded rapidly, coordinating with major hosting providers such as Vercel, Cloudflare, and Netlify to deploy temporary firewall mitigations. Despite these efforts, immediate updates to the latest patched versions are considered paramount, as firewall rules are not a complete safeguard and may be bypassed. A real-world incident involving a server belonging to a user named Eduardo demonstrated the exploit’s severity: it led to crypto-mining malware and root access, because the unprivileged Docker container was running as root. Interestingly, an attempt by Cloudflare to roll out specific firewall rules for this CVE inadvertently caused an outage through a misconfiguration in its body-parsing logic. The handling of the vulnerability, including rapid patching, cross-vendor collaboration, and Vercel’s subsequent $50,000 bug bounty for firewall bypasses, has been widely praised by the industry. This incident underscores the importance of stringent user input validation, prompt dependency updates, and secure container configurations.
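The practical check that follows from the affected and patched versions above is a dependency audit. The script below is an added example, not code from the React project or the advisory: it reads an npm package-lock.json (lockfileVersion 3) and flags installs of react or the react-server-dom-* packages that sit below the first patched release of their 19.x minor line (19.0.1, 19.1.2, 19.2.1); it assumes, as an assumption not stated on the page, that minor lines newer than 19.2 were cut after the fix, and the sample lockfile is constructed.

```python
"""Audit a package-lock.json (lockfileVersion 3) for React2shell-affected versions."""
import json

# Packages named as affected; React 18 is unaffected.
AFFECTED = {"react", "react-server-dom-webpack",
            "react-server-dom-parcel", "react-server-dom-turbopack"}
# First patched release of each 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
FIXED_PATCH = {0: 1, 1: 2, 2: 1}


def parse_version(text):
    """'19.1.1' or '19.2.0-canary-...' -> (19, 1, 1) / (19, 2, 0)."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True for a 19.x release below the patched version of its minor line.
    Assumption: minor lines newer than 19.2 were cut after the fix."""
    major, minor, patch = parse_version(version)
    if major != 19 or minor not in FIXED_PATCH:
        return False
    return patch < FIXED_PATCH[minor]


def audit_lockfile(lock):
    """Map each vulnerable install path in the npm 'packages' map to its version."""
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1] if path else ""
        if name in AFFECTED and is_vulnerable(meta.get("version", "0.0.0")):
            findings[path] = meta["version"]
    return findings


# Constructed sample lockfile, not from any real project.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/react": {"version": "19.1.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/next/node_modules/react": {"version": "18.3.1"}
  }
}""")

if __name__ == "__main__":
    for path, version in audit_lockfile(SAMPLE_LOCK).items():
        print(f"UPDATE NEEDED: {path} is {version}")
```

Nested copies under a framework's own node_modules are checked too, since a patched top-level react does not help if a bundled duplicate is still on an affected release.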