
React

Product
Developers: Facebook Ireland
Branches: Internet services
Technology: CMS - Content Management Systems, Application Development Tools

Content

React (sometimes React.js or ReactJS) is an open source JavaScript library for developing user interfaces, that is, the frontend of websites and applications. It was developed by Facebook in 2013 and is, in effect, one element of the stack for building dynamic web applications.

The original goal of its development was to simplify the creation of complex interfaces and to ensure high performance and predictable behavior. React is a library rather than a full-fledged framework, and is primarily responsible for the dynamic display of information. Routing, interaction with server logic and application-wide state management require additional libraries of the developer's choice.

History

2025: Dangerous "hole" found in popular JavaScript library for developing user interfaces

In early December, FSTEC issued a warning about a critical vulnerability, BDU:2025-15156[1], in React, the open source JavaScript library for developing user interfaces. The vulnerability has the highest possible severity under CVSS version 3, a score of 10. It is associated with the server-side JavaScript element of the Next.js platform. An exploit for the flaw has already been published openly, which may lead to mass exploitation of the vulnerability. Owners of web applications whose sites use React and Next.js-based interfaces are advised to upgrade to the new versions promptly.

React4Shell allows complete takeover of servers running Next.js

React allows developers to create dynamic and responsive web applications. It uses a declarative approach: when writing code, the developer specifies how the interface should behave when certain data is received or certain events occur, and the library updates the elements on its own according to those instructions. The programmer's task is to describe them correctly. The vulnerable part is the server side of React Server Components (RSC): it lets the client application send specially serialized data to the server in order to call Server Functions through the Next.js module.

Next.js is a framework for developing web applications based on React. React components are used to build the user interface, while Next.js provides additional functionality and server-side optimization. However, if the received packets can be deserialized without authorization, this component gives attackers the ability to quickly take over the Next.js platform and execute arbitrary foreign code on it.

"React is widely used in Russian companies, but the vulnerability affects a narrow segment: projects with RSC used in modern frameworks like Next.js (App Router)," Ekaterina Edemskaya, an analyst engineer at Gazinformservice, explained the situation to TAdviser. "Most organizations use React only on the client or use outdated architectures (Pages Router), and so remain safe. The risk is concentrated in large IT projects, fintech and startups actively implementing RSC."

According to researchers at CyberOK[2], the vulnerability allows an attacker to execute code remotely before authentication. The problem lies in how React handles incoming requests for Server Functions. It turned out that Next.js deserializes data without sufficient validation, which allows an attacker to execute arbitrary JavaScript on the server. The vulnerability belongs to the class of deserialization of untrusted data (CWE-502). It is present in the requireModule() function of the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages; their use should be checked to rule out exploitation of this defect.
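As an added illustration of the package check mentioned above (example code, not from the article or the React project): a Node.js script that inventories a package-lock.json for the three react-server-dom-* packages, including nested duplicate copies, and flags any copy below a minimum patched version. The 19.0.1 default is the fixed version the article cites, the sample lockfile is constructed, and the patched version for other React release lines is an assumption to be taken from the vendor advisory.

```javascript
// Added example (not from the article or the React project): inventory a
// package-lock.json ("packages" map, lockfileVersion 2/3) for the three RSC
// packages the article names and flag copies below a minimum patched version.
// Default 19.0.1 is the fixed version the article cites; other React release
// lines have their own patched versions, so pass the one that applies to yours.
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any prerelease tag ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk the "packages" map. Keys look like "node_modules/x" or, for nested
// duplicates, "node_modules/a/node_modules/x"; the name is the last segment
// unless the entry carries an explicit "name" (aliased installs).
function auditLockfile(lock, minFixed = '19.0.1') {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !meta.version) continue;
    findings.push({ name, path, version: meta.version,
      vulnerable: compareVersions(meta.version, minFixed) < 0 });
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level copy plus a stale nested
// duplicate of the kind a top-level "npm ls" glance easily overlooks.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.0.1' },
    'node_modules/react-server-dom-webpack': { version: '19.0.1' },
    'node_modules/legacy-ui/node_modules/react-server-dom-turbopack': { version: '19.0.0' },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the constructed object; a finding with a nested path means the stale copy must be updated or deduplicated, not just the top-level dependency.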

"The vulnerability allows an unauthorized attacker familiar with the API of the server side of the React application to craft a special request with a malicious payload," Konstantin Gorbunov, a web developer at Security Code, explained to TAdviser readers. "As a result, it is possible to execute arbitrary code on the target server remotely. This vulnerability could potentially be exploited for mass infection."

According to the SKIPA system, there are more than 40 thousand Internet-connected servers in Runet and neighboring regions running the React RSC/Next.js stack. Moreover, a study by Wiz Research shows[3] that vulnerable versions of React/Next.js are found in about 39% of cloud environments. The vulnerability has even received its own name, React4Shell. The developers have released updates for their software; the bug has been fixed in version 19.0.1.

"Although server builds are used less often than the classic client libraries, they are gradually gaining popularity in large product teams and integration projects," Mikhail Timaev, head of the technical presale department at IT Task, told TAdviser. "Therefore, the likelihood that vulnerable packages are present in production infrastructure is quite high."

Alexander Kolesov, head of development and research at Bastion, noted that the vulnerability cannot simply be taken and exploited. It is triggered only if the application expects parameters and deserializes the data received in them. If there is no such processing, the vulnerability cannot be exploited. Thus, if the application contains server logic, code execution is possible; if only the client part of the React platform is used, it is not.

"Only about two months passed between the release of the update and the publication of information about the vulnerability, which is a critically short period," says Alexander Kolesov. "It can be assumed that a large number of owners did not have time to install the update and remain vulnerable. In general, the exploit for this vulnerability was written quickly enough, and immediately for full exploitation. This allows attackers to select vulnerable nodes in various systems, for example, using the Shodan search engine, and carry out mass exploitation."

To protect users of the server part of the React platform from unpleasant consequences, FSTEC experts recommend promptly installing safe versions of the server components. In some cases, however, such a solution may not be available, and other methods of protection against exploitation of this vulnerability will have to be used.

"At the perimeter level, it is important to use a WAF to filter anomalous traffic and attack signatures, as well as to restrict access to sensitive services according to 'white lists'," Kirill Levkin, MD Audit project manager, recommends to TAdviser readers. "Inside the infrastructure, SIEM and intrusion detection systems are needed to quickly detect exploitation attempts. Additionally, it is worth minimizing the rights of service accounts, isolating server components in containers and segmenting the network; this reduces damage even in the event of a successful attack."

Notes