
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post presents CVE-2025-55182 ("React2Shell"), a critical CVSS 10.0 RCE vulnerability (CWE-502: Deserialization of Untrusted Data) in the React Server Components (RSC) Flight protocol, heavily affecting Next.js applications. It also announces three dedicated Burp Bounty Pro detection profiles that provide safe, protocol-aware checks (in-band math-based PoC, Windows-specific variant, and out-of-band DNS/HTTP callback) for identifying vulnerable deployments.


How React Se...

🔧 Technical Details

Prototype-pollution RCE chain via React Server Components Flight protocol
The core trick is abusing the React Server Components Flight protocol’s reference syntax during deserialization to perform JavaScript prototype pollution and escalate to full RCE. An attacker sends malicious multipart/form-data where Flight references like $1:__proto__:then cause the deserializer to assign a controlled then property on Object.prototype. In the same payload, properties such as _formData.get are set to $1:constructor:constructor, exploiting the pattern object.constructor.constructor to obtain the Function constructor. Using process.mainModule from this execution context, the attacker calls process.mainModule.require('child_process').execSync('COMMAND'), running arbitrary OS commands under the Node.js process account. By throwing a NEXT_REDIRECT er...

🤖 Agent Actions

Summary:

  • Expanded prototype-pollution-to-rce.md with a dedicated section on the React Server Components Flight prototype-pollution chain (CVE-2025-55182/React2Shell), covering the multipart Flight reference abuse, constructor.constructor pivot, and NEXT_REDIRECT-based exfiltration, plus a sample payload.
  • Documented safe RCE verification primitives (Unix math, Windows PowerShell, and OOB collaborator callbacks) and detailed the new Burp Bounty Pro detection profiles with operational guidance and IOC hunting tips, including a cross-link to the NextJS pentesting page for endpoint discovery.
  • Added mitigation guidance (patched versions, WAF controls, logging/IR actions) and updated the References section with the source blog.

Tests: Not run (documentation update only).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bountysecurity.ai/blogs/news/cve-2025-55182-react2shell-new-detection-profiles-for-burp-bounty-pro

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Deserialization (JavaScript/Node.js prototype pollution chains) and cross-link from Pentesting Web -> 80,443 - Pentesting Web -> NextJS".

Repository Maintenance:

  • MD Files Formatting: 915 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
