React2Shell Vulnerability in Action - Unauthenticated RCE in React/NextJS (CTF Demo)
🔔 Stay ahead of cybersecurity insights – Subscribe & turn on notifications!
In today’s video, we dive into the brand-new React2Shell vulnerability (CVE-2025-55182), a critical unauthenticated remote code execution flaw affecting React and Next.js applications. This CVSS 10.0 RCE is hitting the cybersecurity world hard — and the PerfectRoot CTF dropped a challenge using it only days after disclosure.
In this walkthrough, I break down:
- What React2Shell actually is
- How the unsafe deserialization works inside React DOM
- How to fingerprint vulnerable Next.js/React apps
- How to craft and send a working React Server Component exploit payload
- How to safely test the vulnerability inside the PerfectRoot CTF
- Why this RCE is so dangerous (no cookies, no auth, full RCE)
- What developers and defenders must do to mitigate it
We also explore the Proof of Concept (PoC), debug payload issues, compare community payloads with TryHackMe’s working exploit, and finally achieve remote code execution to retrieve the flag.
React2Shell is a critical, unauthenticated RCE vulnerability caused by unsafe deserialization in React DOM’s server components. Any outdated React/Next.js app that supports RSCs can be compromised without authentication.
🚨 This vulnerability is already being weaponized in the wild, so make sure you update React, React DOM, and Next.js as soon as possible.
Takeaways:
- Inspecting server headers & router state tree
- Understanding the vulnerable React Server Components
- Why some payloads fail (timeouts, missing headers, sandboxing)
- Using the TryHackMe payload for reliable RCE
- Extracting the machine’s process ID and reading the flag
- Security impact and why CVE-2025-55182 is so severe
Chapters:
00:00 Introduction
00:30 ClassifiedReaction
React2Shell Information: https://react2shell.com
Rapid7 Blog: https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/
🎥 What Makes You Different Podcast: https://www.youtube.com/playlist?list=PLdTw7mr-fqcjRlfC5u87y2kGI5PA-fhrC
Follow us everywhere:
🌐 Website: https://mresecurity.com
🔗 LinkedIn: https://www.linkedin.com/company/mresecurity
📘 Facebook: https://facebook.com/mresecure
📸 Instagram: https://instagram.com/mresecurity
Republic of Hackers Discord: https://discord.gg/tyft6vM8bt
Disclaimer: This video is for educational purposes only. It demonstrates ethical hacking techniques to improve cybersecurity, and MRE Security is not responsible for how viewers choose to use this information.
#cybersecurity #penetrationtesters #networksecurity #vulnerabilities #certifications #infosec #pentesting #certifications #cyber #security
Video "React2Shell Vulnerability in Action - Unauthenticated RCE in React/NextJS (CTF Demo)" from the channel MRE Security
Video information
9 December 2025, 22:00:33
Duration: 00:08:21