module
Unauthenticated RCE in React Server Components (React2Shell)
| Disclosed |
|---|
| Dec 3, 2025 |
Disclosed
Dec 3, 2025
Description
A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in React Server
Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype
pollution during deserialization of RSC payloads by sending specially crafted multipart
requests with "__proto__", "constructor", or "prototype" as module names.
This module supports multiple vulnerable frameworks including Next.js and Waku.
Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype
pollution during deserialization of RSC payloads by sending specially crafted multipart
requests with "__proto__", "constructor", or "prototype" as module names.
This module supports multiple vulnerable frameworks including Next.js and Waku.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.