A security researcher discovered CVE-2025-55182 (React2Shell), a critical remote code execution vulnerability in React's Flight protocol. The researcher reverse-engineered the undocumented Flight protocol used by React Server Components and Server Functions, finding that it lacked prototype chain safety checks during property resolution. By crafting malicious Flight payloads that abuse JavaScript thenables and React's internal Chunk object, an attacker could chain function calls to ultimately invoke arbitrary code execution via Node.js's module system. The exploit worked on any fresh Next.js/React app with no special configuration. Meta was notified on November 30, 2025, and released a fix within 3 days (December 3, 2025).
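The summary says the weakness was a missing prototype chain safety check during property resolution. The following is an added, hypothetical example (not React's Flight implementation and not its fix) that shows the general shape of that check in a deserializer: a naive resolver that follows an untrusted key path with plain property access reaches inherited members, while a hardened one only follows own properties of plain objects and refuses keys that step onto the prototype chain. Function names, the `FORBIDDEN_KEYS` set and the `model` input are all constructed for this example.

```javascript
// Added example: hardened property resolution for untrusted key paths.
// Hypothetical code, not React's Flight protocol implementation or its patch.

// Keys that move resolution onto the prototype chain rather than the data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive resolver: plain property access, so anything inherited from
// Object.prototype or Function.prototype is reachable through the path.
function resolveNaive(root, path) {
  let current = root;
  for (const key of path) {
    current = current[key];
  }
  return current;
}

// Hardened resolver: only own properties of real objects (incl. arrays),
// and never a key that names the prototype chain itself.
function resolveSafe(root, path) {
  let current = root;
  for (const key of path) {
    const name = String(key);
    if (FORBIDDEN_KEYS.has(name)) {
      throw new Error(`refusing prototype key "${name}"`);
    }
    if (current === null || typeof current !== 'object') {
      throw new TypeError(`cannot resolve "${name}" on a non-object value`);
    }
    if (!Object.prototype.hasOwnProperty.call(current, name)) {
      throw new Error(`"${name}" is not an own property`);
    }
    current = current[name];
  }
  return current;
}

// Compare both resolvers on one path; returns the typeof of each result,
// or 'error' when the resolver refused the path.
function classify(root, path) {
  let naive;
  let safe;
  try { naive = typeof resolveNaive(root, path); } catch (e) { naive = 'error'; }
  try { safe = typeof resolveSafe(root, path); } catch (e) { safe = 'error'; }
  return { naive, safe };
}

// Constructed sample: a deserialized model plus key paths that could arrive
// from an untrusted client message.
const model = { user: { name: 'alice', roles: ['admin'] } };

const samplePaths = [
  ['user', 'name'],        // legitimate data access
  ['user', 'roles', 0],    // array index, still an own property
  ['user', 'toString'],    // inherited member: naive follows it, safe refuses
  ['user', '__proto__'],   // prototype key: naive returns Object.prototype
];

for (const path of samplePaths) {
  console.log(JSON.stringify(path), classify(model, path));
}
```

The difference between the two resolvers is the whole check: `hasOwnProperty` stops the walk from reading inherited members, the `FORBIDDEN_KEYS` test stops it from naming the prototype directly, and the type check stops it from continuing into primitives. A detection-minded reader can log the refused paths; in normal traffic they should never appear.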
Table of contents
Monday - Taking Flight
Tuesday - Weaponising Flight
Wednesday - The Ridiculous Cycle
Thursday - The First Breakthrough
Friday - Tantalisingly Close
Sunday - Refining RCE and Submission
Disclosure
Aftermath