CVE-2025-55182 · React2Shell: RCE in React Server Components via Prototype Pollution

This is a summary. The full analysis — root cause walkthrough, complete payload, exploitation framework, forensic artifacts, and patch diffing — lives at blog.deviannt.com. TL;DR: React's Flight deserializer evaluates any object with a .then method as a Promise, regardless of its actual type. An attacker poisons Object.prototype.then through a crafted multipart POST, forcing the server to execute arbitrary JavaScript via the Function constructor. The result is exfiltrated through the X-Action-Re