SMRTR Programming | May 10, 2026 | Daily.dev

The React2Shell Story

SMRTR summary

A penetration tester accidentally discovered a critical remote code execution vulnerability in React (CVE-2025-55182) while researching the undocumented React Flight protocol. By chaining prototype property access, thenable abuse, and React's internal Chunk class, they built a working RCE exploit against any default Next.js app. Meta patched it within days of the report, coordinating with Vercel and industry partners before public disclosure.

SMRTR provides this summary for quick context. The original article belongs to Daily.dev.
