Concise Cyber

From React to RCE: A Factual Breakdown of the React2Shell Vulnerability

A critical Remote Code Execution (RCE) vulnerability, identified as React2Shell, was discovered in React applications that use the experimental react-server-dom-webpack library. The exposure was first reported by security researcher Yw Yw. The vulnerability allows an attacker to execute arbitrary code on the server running the affected React application, posing a significant security risk.

Understanding the React2Shell Exploit

The root cause of the React2Shell vulnerability is a Server-Side Request Forgery (SSRF) flaw within the server-side component of the react-server-dom-webpack library. The library’s server-side code did not properly sanitize or validate the ‘module’ and ‘export’ parameters within incoming requests. This oversight allows an attacker to craft a malicious request where the ‘module’ parameter points to an external, attacker-controlled URL. The vulnerable React server processes this request, fetches a malicious module from the attacker’s server, and subsequently executes the code contained within it. This action results in full remote code execution on the compromised server.
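
The validation that the paragraph above describes as missing can be sketched as a strict allowlist lookup. This is an added example, not code from react-server-dom-webpack, its patch, or the original article; the manifest contents, the { module, export } reference shape and the function names are assumptions made for illustration.

```javascript
// Added illustration, not react-server-dom-webpack code. The manifest, the
// { module, export } reference shape and all names here are hypothetical.

// Build-time allowlist: module id -> exports a client may reference.
// Map/Set lookups never fall through to Object.prototype, so values such as
// "__proto__" or "constructor" cannot match by accident.
const MANIFEST = new Map([
  ['./actions/cart.js', new Set(['addItem', 'removeItem'])],
  ['./actions/profile.js', new Set(['updateName'])],
]);

function validateReference(ref, manifest = MANIFEST) {
  if (ref === null || typeof ref !== 'object') {
    return { ok: false, reason: 'reference is not an object' };
  }
  const { module: mod, export: exp } = ref;
  if (typeof mod !== 'string' || typeof exp !== 'string') {
    return { ok: false, reason: 'module/export must be strings' };
  }
  // Exact-match lookup only: the value is never resolved, normalised or
  // fetched, so a URL or a traversal path simply fails to match.
  const allowedExports = manifest.get(mod);
  if (allowedExports === undefined) {
    return { ok: false, reason: 'module not in manifest' };
  }
  if (!allowedExports.has(exp)) {
    return { ok: false, reason: 'export not in manifest' };
  }
  return { ok: true, module: mod, export: exp };
}

// Constructed sample references (not captured traffic).
const SAMPLES = [
  { module: './actions/cart.js', export: 'addItem' },
  { module: 'https://external.example/m.js', export: 'default' },
  { module: './actions/cart.js', export: 'constructor' },
  { module: '__proto__', export: 'addItem' },
  { module: ['./actions/cart.js'], export: 'addItem' },
];

function auditSamples(samples = SAMPLES) {
  return samples.map((s) => validateReference(s).ok);
}

console.log(auditSamples());
```

Only the first constructed sample passes; the external URL, the inherited property name, the prototype key and the non-string value are all rejected before any module is loaded.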

Impact and Official Mitigation

The successful exploitation of React2Shell grants an attacker the ability to execute arbitrary commands on the target server. This level of access can lead to a complete system compromise. The vulnerability is tied to the use of React Server Components, which was an experimental feature at the time of the report. In response to the discovery, a patch was released to address the SSRF flaw. Developers and organizations utilizing the react-server-dom-webpack package are advised to update to the latest version to mitigate the risk. Security platforms such as SentinelOne’s Singularity Cloud Workload Security are equipped to detect and block exploit attempts by identifying the malicious SSRF requests characteristic of a React2Shell attack.

Source: https://www.sentinelone.com/blog/protecting-against-critical-react2shell-rce-exposure/