Critical Security Vulnerability in React Server Components

30 points by dbushell

taras

is there an explanation of actual flaw/exploit?

rbalicki

https://x.com/hd_nvim/status/1996351716732912102?s=46
- rw-rw-rw-
  
  These kind of PoC seems to be invalid according to https://react2shell.com/
- rbalicki
  
  edit: this apparently is not the actual exploit /shrug
- carlana
  
  Kind of insane that they pseudo execute code from the client.
dbushell

Not yet, only the relevant PR
- quasi_qua_quasi
  
  Definitely looking forward to seeing what it is; I don't know nearly enough about the relevant software to reverse-engineer the vuln from the fix. Maybe it involves getting the server to call an arbitrary function, rather than just the list of exposed ones.
  - danielrheath
    
    Given the hasOwnProperty checks added, I'd expect it relies on JS module imports having some 'magic' properties... but I haven't felt like digging any further before bed.
- ahobson
  
  The Ars Technica article links to https://github.com/ejpir/CVE-2025-55182-poc
  - Zurga
    
    The first issue in that repo says it is probably slop and the poc server has been set up to have vulnerabilities.
- rfmoz
  
  Anyone know a workaround that can be used in the meantime while the update gets done?