This is a Deep-Dive Lab that demonstrates exactly why CVE-2025-11582 (React2Shell) is a critical vulnerability. Before writing this lab, I was unfamiliar with React Flight Protocol. The process of writing this lab and working through the exploitation taught me quite a bit. Very interesting, this one!

Lab Steps (participants will):

  • Define the React Flight Protocol: Analyze how streaming and serialization improve performance and user experience.
  • Assess Severity and Global Scope: Evaluate the CVSS 10.0 impact and review real-world exposure data.
  • Learn About JavaScript Prototype Inheritance: Explore the __proto__ chain to understand how applications resolve properties and why "blueprint" manipulation is a critical risk.
  • Patch Note: This is the mechanism patched in the current versions of React (end users can no longer tamper with prototypes).
  • Analyze Serialized Data Streaming: Investigate how data is divided into indexed 'chunks' and how the pointer-based system manages server-side function arguments.
  • Audit HTTP Traffic via Burp Suite: Intercept and dissect POST requests to identify framework-specific indicators like the text/x-component Accept header.
  • Automate Reconnaissance with Nuclei: Utilize the Nuclei engine to perform detection.
  • Execute Prototype Pollution: Manually craft a malicious multi-part stream to hijack the global Object prototype and achieve RCE.
  • Analyze the Exploit Line by Line: Examine what happens at each step of the exploitation process. Every line in the malicious POST request we create has a purpose.
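As an added example for the prototype-inheritance and patch-note steps above (this is not code from the lab or from React), the first function makes property resolution along the `__proto__` chain visible on an isolated blueprint object, and the second is a defensive scan that rejects a deserialized payload carrying prototype-manipulating keys before any application code reads it. The key list, the `findPrototypeKey`/`safeParse` names and the sample payload are assumptions constructed for this example.

```javascript
// Keys that let a payload reach an object's blueprint instead of its own data.
// (Assumed list for this example; extend it to whatever your deserializer honors.)
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk the prototype chain explicitly so the lookup order is visible:
// depth 0 is the object itself, depth 1 its blueprint, and so on.
function resolveProperty(obj, name) {
  let depth = 0;
  for (let cur = obj; cur !== null; cur = Object.getPrototypeOf(cur), depth++) {
    if (Object.prototype.hasOwnProperty.call(cur, name)) {
      return { value: cur[name], depth };
    }
  }
  return { value: undefined, depth: -1 };
}

// Uses a private blueprint, not the global Object.prototype, to show why
// changing a blueprint changes every object that inherits from it.
function blueprintDemo() {
  const blueprint = { role: "guest" };
  const user = Object.create(blueprint); // no own "role"; resolves via blueprint
  const before = resolveProperty(user, "role"); // found at depth 1
  blueprint.role = "admin"; // tamper with the blueprint, not the user
  const after = resolveProperty(user, "role"); // user now appears to be admin
  return { before: before.value, after: after.value, depth: after.depth };
}

// Recursively scan a parsed value; return the JSON path of the first blocked
// key, or null if the payload is clean. JSON.parse creates "__proto__" as an
// own property, so Object.keys() sees it.
function findPrototypeKey(value, path = "$") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPrototypeKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (BLOCKED_KEYS.has(key)) return childPath;
      const hit = findPrototypeKey(value[key], childPath);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse untrusted JSON and refuse it (return null) if it carries blocked keys.
function safeParse(text) {
  const parsed = JSON.parse(text);
  return findPrototypeKey(parsed) === null ? parsed : null;
}
```

Logging the returned path (for example `$.__proto__`) gives a detection signal that can be alerted on, while the rejection itself is the mitigation.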