React2Shell: Unauthenticated RCE in Next.js via Flight Protocol Deserialization

CVE-2025-66478 represents the Next.js-specific tracking identifier for a critical deserialization flaw in the React Server Components (RSC) architecture, widely referred to as 'React2Shell'. The vulnerability stems from the upstream React library (tracked as CVE-2025-55182) but primarily impacts Next.js applications due to the framework's default exposure of Server Actions and the App Router.

The core issue lies within the React Flight Protocol, a streaming protocol used to transport the Virtual DOM and component data from the server to the client. When a Next.js application processes a request (typically a POST request to a Server Action), it utilizes a streaming decoder to parse the incoming payload. This decoder supports a reference mechanism allowing parts of the stream to refer to previously defined chunks.

The vulnerability is a classic Deserialization of Untrusted Data (CWE-502). The decoder allows property access on referenced objects without sufficient validation. An attacker can craft a malicious payload that abuses this reference system to traverse the prototype chain (__proto__, constructor) and access the JavaScript Function constructor. Once the constructor is accessible, the attacker can instantiate it with arbitrary code strings and execute them within the Node.js context of the server.

The vulnerability is rooted in the resolveModel function within the react-server-dom-webpack and react-server-dom-turbopack packages. The React Flight protocol allows payloads to contain references, denoted by $ syntax (e.g., $1), which point to other chunks in the stream.

In the vulnerable implementation, the decoder permitted references to include property accessors, such as $1:key. While intended for legitimate object traversal, the logic failed to block access to sensitive internal properties. An attacker can supply a reference formatted as $1:constructor:constructor. In JavaScript, the constructor of a basic object is Object, and the constructor of Object is Function. This provides a direct handle to the global Function constructor, which is functionally equivalent to eval() when called.

Furthermore, the protocol supports a 'Bind' operator, denoted as $B, intended for lazy loading and binding arguments to functions. By chaining the polluted Function constructor reference with the $B handler, an attacker can force the server to invoke the constructed function immediately upon deserialization. The combination of unchecked property access during reference resolution and the ability to execute bound functions creates a reliable gadget chain for Remote Code Execution.

The attack leverages the specific structure of multipart/form-data requests that Next.js accepts for Server Actions. The attack flow proceeds as follows:

1. Stream Injection: The attacker sends a multipart request. The first part defines a JSON payload containing the malicious command string, but wraps it in a structure that appears harmless to initial inspection.
2. Reference Manipulation: The second part of the multipart request references the first part. The attacker uses the syntax $@0 to refer to the first form field.
3. Prototype Traversal: Inside the payload, the attacker uses the reference $1:constructor:constructor. The decoder resolves this by taking the object at index 1 and walking up its prototype chain to the Function constructor.
4. Execution Trigger: The payload uses $B (bind) to bind the malicious string (e.g., require('child_process').execSync(...)) to the Function constructor and executes it.

The lack of an allowlist for property accessors in the protocol parser is the definitive root cause.

Exploitation requires no authentication and can be performed against any Next.js application using the App Router (default in newer versions) that exposes a Server Action endpoint. Even if no explicit Server Actions are defined, the internal router endpoints may still be accessible.

Payload Structure: The exploit uses a specifically crafted JSON payload passed via multipart/form-data. The critical component is the _formData reference abuse.

POST / HTTP/1.1
Host: target.com
Next-Action: arbitrary_id
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
 
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="0"
 
{"then":"$1:__proto__:then","status":"resolved_model","value":"{\"then\":\"$B1337\"}","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="1"
 
"$@0"
------WebKitFormBoundary7MA4YWxkTrZu0gW--

Mechanism: In this payload, the _formData property exploits the get handler to resolve $1:constructor:constructor. The payload is designed to satisfy the thenable checks within React's internal promise handling, forcing the resolution of the malicious function.

Indicators of Compromise: Successful exploitation results in the command specified in the payload (e.g., whoami, curl) being executed with the privileges of the Node.js process running the Next.js server. This often leads to immediate reverse shell connections or exfiltration of environment variables.

The impact of CVE-2025-66478 is rated Critical (CVSS 10.0) because it grants full control over the server application without any prior credentials.

Confidentiality (High): Attackers can read all environment variables (process.env), which typically contain database connection strings, API keys (AWS, Stripe, OpenAI), and signing secrets. This allows lateral movement to other infrastructure components.

Integrity (High): Attackers can modify application source code, inject persistent backdoors (e.g., adding a middleware that logs all user credentials), or modify data in connected databases.

Availability (High): The attacker can crash the server, delete critical files, or deploy ransomware.

Since Next.js applications are often exposed directly to the internet (unlike internal microservices), the attack surface is vast. The vulnerability affects the default configuration of the widely adopted App Router.

Remediation requires upgrading the next package to a patched version. Vercel and the React team have released fixes that strictly validate references in the Flight protocol, blocking access to constructor and prototype.

Patched Versions:

• Next.js 15: Upgrade to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or later.
• Next.js 16: Upgrade to 16.0.7 or later.
• Next.js 14 (Canary): Upgrade to 15.6.0-canary.58 or downgrade to stable 14.x (which uses Pages router by default or older RSC implementations not susceptible to this specific gadget chain, though upgrading to v15 is recommended).

Immediate Actions:

1. Upgrade: Run npm install next@latest or yarn add next@latest immediately.
2. Secret Rotation: This is CRITICAL. If your application was vulnerable and exposed to the public internet, you must assume all environment variables (DB_URL, API_KEYS, SECRET_KEY) have been compromised. Rotate these credentials immediately after patching.
3. Automated Fix: Vercel provides a tool to assist with upgrades: npx fix-react2shell-next.

Temporary WAF Mitigation: If patching is not immediately possible, configure your WAF to block POST requests containing Next-Action headers where the body contains strings like $B, $@, or constructor:constructor. However, WAF rules are easily bypassed by obfuscation; patching is the only complete solution.