
Critical Vulnerability in React and Next.js Explained by John Hammond
In this video, John Hammond discusses a recently discovered critical vulnerability in React and Next.js that has sent shockwaves through the cybersecurity community. Known as "React2Shell," this flaw allows for remote code execution (RCE) without authentication, meaning an attacker can take control of a vulnerable server simply by sending a specially crafted request. With a CVSS score of 10.0, the highest severity level, this vulnerability is considered extremely dangerous, especially since it affects specific versions of React (19.0, 19.1.0, 19.1.1, and 19.2.0) as well as applications using Next.js.
John Hammond begins by demonstrating a proof of concept (PoC) using an old vulnerable version of Next.js (16.0.6) to show how the flaw can be exploited. By running a Python script, he manages to launch the calculator on his machine, illustrating the exploit's ability to execute arbitrary commands. What makes this vulnerability particularly concerning is that it requires no user interaction or prior authentication. In other words, an attacker can target any server running a vulnerable Next.js or React application and take remote control.
To explain the technical mechanism behind this flaw, John Hammond delves into the details of the React Flight protocol, which React uses to serialize and deserialize data between the client and server. This protocol allows for the asynchronous transfer of objects and functions but has a flaw in how it handles JavaScript object prototypes. By manipulating the chunks (data fragments) sent via this protocol, an attacker can reach an object's constructor and inject malicious code. For example, using special property names such as __proto__ or constructor, it is possible to bypass security checks and execute system commands. This technique is reminiscent of typical challenges in capture the flag (CTF) competitions, where participants must exploit similar flaws to gain unauthorized access.
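As an added illustration of the key-handling hazard described above (this is not code from the video or from React, and the chunk shapes below are constructed for the example rather than the real Flight wire format), the following JavaScript walks untrusted deserialized data, rejects any key that would reach the prototype chain, and rebuilds accepted data on null-prototype objects:

```javascript
// Keys that let a deserialized payload climb to Object.prototype or a constructor.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Recursively scans a parsed value. Returns the path of the first reserved key
// found, or null if the payload is clean. JSON.parse turns "__proto__" into an
// ordinary own property, so Object.keys() lists it and we can catch it here.
function findReservedKey(value, path = "$") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findReservedKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (RESERVED_KEYS.has(key)) return `${path}.${key}`;
      const hit = findReservedKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Rebuilds the structure on Object.create(null) objects, so later property
// lookups (e.g. data.constructor) cannot resolve through a prototype chain.
function toNullProto(value) {
  if (Array.isArray(value)) return value.map(toNullProto);
  if (value !== null && typeof value === "object") {
    const out = Object.create(null);
    for (const key of Object.keys(value)) out[key] = toNullProto(value[key]);
    return out;
  }
  return value;
}

// Hypothetical hardened chunk parser: reject before use, then neutralise prototypes.
function parseChunk(text) {
  const parsed = JSON.parse(text);
  const bad = findReservedKey(parsed);
  if (bad) throw new Error(`rejected chunk: reserved key at ${bad}`);
  return toNullProto(parsed);
}

// Constructed sample chunks (not the real protocol encoding).
const CLEAN_CHUNK = '{"id":7,"props":{"title":"hello"}}';
const POLLUTING_CHUNK = '{"id":7,"props":{"__proto__":{"polluted":true}}}';
```

The same findReservedKey() walk can be run over request bodies at an ingress point to flag payloads carrying these keys before they reach an application deserializer.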
The practical implications of this vulnerability are immense. According to analyses by companies like Wiz, nearly 40% of cloud environments contain vulnerable instances of Next.js or React, and about 44% of these environments publicly expose Next.js applications. This means that thousands of servers worldwide could be compromised if patches are not applied quickly. John Hammond also emphasizes that this flaw has been fixed in the latest versions of React and Next.js, and stresses the importance of immediately updating all affected applications. He also mentions that detection tools and scanners will likely be developed to help security teams identify vulnerable systems.
In addition to the technical demonstration, John Hammond pays tribute to the researchers who discovered and reported this vulnerability, including Lachlan Davidson, who reported it to Meta, as well as Moritz Samp and maple3142, who shared detailed PoCs. He explains that the cybersecurity community was initially confused when non-functional GitHub repositories circulated, but the actual exploits were eventually published, allowing professionals to better understand and test the flaw. He warns of the risk of this vulnerability being widely exploited, particularly to deploy reverse shells or other types of malware, and encourages security teams to actively monitor their environments.
In conclusion, this video provides an in-depth analysis of a critical vulnerability that could have devastating consequences if not taken seriously. John Hammond combines a practical demonstration, accessible technical explanations, and concrete advice to help professionals protect themselves. He reminds viewers that, although this flaw seems complex, it can be exploited with relatively simple tools, making it a serious threat to internet-exposed infrastructures. For those wishing to delve deeper into the subject, he recommends consulting the links and resources shared in the video description.