ReactOOPs
Challenge Scenario
NexusAI's polished assistant interface promises adaptive learning and seamless interaction. But beneath its reactive front end, subtle glitches hint that user input may be shaping the system in unexpected ways. Explore the platform, trace the echoes in its reactive layer, and uncover the hidden flaw buried behind the UI.
Package Overview
`"dependencies": { "next": "16.0.6", "react": "^19", "react-dom": "^19" }`
The declared Next.js version, 16.0.6, appears to be affected by CVE-2025-66478.
CVE-2025-66478 Overview
A critical vulnerability was found in React Server Components (RSC), nicknamed "React2Shell". It allows an unauthenticated attacker to execute code on the server with a single HTTP request.
The issue is dangerous because Next.js is so widely deployed. Since Next.js 13 the App Router has been the default, and any site with RSC enabled is exposed without any special configuration: a plain POST request to any route is enough.
The weakness lies in React's "Flight" protocol, which serializes data between server and client. During deserialization, the reference resolver did not perform a hasOwnProperty check. A crafted reference can therefore walk up the prototype chain and reach the JavaScript Function constructor, which lets the attacker supply code that the server then executes.
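The root cause described above, a reference lookup that does not distinguish own properties from inherited ones, is easy to reproduce in isolation. The following is an added illustration written for this write-up; it is not React's code and it does not implement the Flight protocol. It uses a constructed chunk table and two hypothetical resolver functions (`resolveUnsafe`, `resolveSafe`) to show why the missing own-property check matters and what the hardened lookup looks like.

```javascript
// Constructed chunk table: stands in for the chunks a Flight-style
// deserializer has already parsed, keyed by reference id ("$1" -> 1, ...).
const chunks = {
  1: { kind: "model", value: "hello" },
  2: { kind: "model", value: [1, 2, 3] },
};

// Unsafe resolver (hypothetical): plain property access on an ordinary object.
// An id that names an inherited property ("toString", "__proto__", ...)
// walks the prototype chain instead of hitting the chunk table.
function resolveUnsafe(table, id) {
  return table[id];
}

// Hardened resolver (hypothetical): only own properties of the table are
// valid references; anything else is rejected before it can be used.
function resolveSafe(table, id) {
  if (!Object.hasOwn(table, id)) {
    throw new Error(`unknown chunk reference: ${id}`);
  }
  return table[id];
}

// Classifies how an id would resolve under the unsafe lookup. This is the
// distinction the fix enforces: "own" is a real chunk, "inherited" is a
// prototype-chain hit, "missing" is a genuinely unknown reference.
function classifyLookup(table, id) {
  if (Object.hasOwn(table, id)) return "own";
  if (id in table) return "inherited";
  return "missing";
}

// Convenience wrapper so the hardened behaviour can be checked as a boolean.
function safeResolves(table, id) {
  try {
    resolveSafe(table, id);
    return true;
  } catch {
    return false;
  }
}

// Alternative mitigation: a table with no prototype at all, so there is
// nothing to walk up to even with plain property access.
function makeNullProtoTable(source) {
  return Object.assign(Object.create(null), source);
}

module.exports = { chunks, resolveUnsafe, resolveSafe, classifyLookup, safeResolves, makeNullProtoTable };
```

Run it under Node 16.9 or later (for `Object.hasOwn`). With the unsafe resolver, `"toString"` and `"__proto__"` resolve to inherited values even though no such chunk exists; the hardened resolver throws on both. Using `Object.create(null)` (or a `Map`) for the table is an equally valid fix, since it removes the prototype chain entirely, but an explicit own-property check also protects code that receives an ordinary object from elsewhere.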
The bug lives in these React packages:
- react-server-dom-webpack
- react-server-dom-turbopack
- react-server-dom-parcel
Because Next.js builds its App Router on RSC, the App Router inherits the problem, which makes the impact very serious across the modern web.
Exploitation
The exploit sends a crafted multipart POST request carrying a Next-Action header. The payload abuses the reference system to:
- Traverse the prototype chain via `$1:proto:then`
- Construct a fake "chunk" object that mimics React's internal Chunk class
- Trick the deserializer into calling the JavaScript Function constructor
- Execute arbitrary code when the resulting function is invoked as a Promise thenable
FLAG
HTB{try_by_your_own_(fakehere)}