As public PoCs are circulating and Google's Scanner uses a variation of my original submitted PoC, it's finally a responsible time to share my original PoCs for React2Shell.
This repository contains 3 PoCs:
00-very-first-rce-poc- the very first PoC I managed to develop for RCE. Only directly works on dev builds of Next.js sites that use Webpack.01-submitted-poc.js(the main one) - the exact PoC I submitted to Meta, far simpler and effective02-meow-rce-poc- the PoC hashed and posted as proof by Sylvie on November 29th, shortly before initial disclosure to Meta
Many other people have explained their PoCs, but here's my very brief explainer:
$@xgives you access to aChunk- We plant its
thenon our own object - The JS runtime automatically unravels nested promises (really, anything with a
.thenfunction) - We now re-enter the parser, but with control of a malicious fake
Chunkobject - Planting things on
_responselets us access a lot of gadgets when this happens - (insert several options here)
- RCE
You might notice my PoC has a funny thing going on in then. This was a nice primitive I was using for 'chaining' multiple chunks together, where resolve is passed to Array.map to let me "hop" to another chunk defined in $0.
The publicly recreated PoC circulating doesn't do this, as it's not necessary when just doing a single jump. It was nice to see that the re-created PoC did otherwise use the same _formData gadget that mine did - but the 00- PoC is a wild ride, if you dare try to read it :)
Soon.
