ReactOOPS - HackTheBox

Description

NexusAI's polished assistant interface promises adaptive learning and seamless interaction. But beneath its reactive front end, subtle glitches hint that user input may be shaping the system in unexpected ways. Explore the platform, trace the echoes in its reactive layer, and uncover the hidden flaw buried behind the UI.

Target: http://83.136.255.53:40960

Analysis

Initial Reconnaissance

1. Downloaded and extracted challenge files (password: hackthebox)
2. Analyzed source code structure - standard Next.js application with React Server Components

Key Discovery in package.json

{
  "name": "react2shell",
  "version": "1.0.0",
  "dependencies": {
    "next": "16.0.6",
    "react": "^19.0.0"
  }
}

Critical indicators:

• Package name react2shell - direct hint to the vulnerability!
• Next.js version 16.0.6 (vulnerable: < 16.0.7)
• React 19.x with Server Components enabled

Vulnerability Identification

The package name pointed directly to CVE-2025-55182 (also known as CVE-2025-66478):

• Name: React2Shell
• Type: Pre-authentication Remote Code Execution
• CVSS Score: 10.0 (Critical)
• Affected: Next.js < 16.0.7 with React 19.x Server Components

Root Cause

The vulnerability exists in React's Flight protocol implementation (ReactFlightReplyServer.js). The getOutlinedModel() function lacks a hasOwnProperty check when traversing object paths:

// Vulnerable code in getOutlinedModel()
for (let i = 1; i < path.length; i++) {
  value = value[path[i]];  // No hasOwnProperty check!
}

This allows an attacker to traverse the prototype chain using references like $1:__proto__:then, which:

1. Accesses Chunk.prototype.then
2. Enables code execution via the Function constructor
3. Achieves RCE through child_process.execSync()

Solution

Exploit Mechanism

...