I'm just making a post API call over

here on your xyz.com. I run the same

thing. I will be able to do a console

log onto your server. Very very big

vulnerability. So I have I have written

one more code which will basically steal

some data. It can run any command on

your terminal also. Okay. See from my

browser I am able to access all the

files over here on my server. I can

create a file. I can delete a file from

here. It's very very crazy. It's a panic

situation over here. Or let me give you

a disclaimer. This is just for learning

purposes. This is just for educational

purposes. Please don't exploit

somebody's server because this is

dangerous. If you get caught, you can

get into legal issues.

If you are using ReactJS or Nex.js in

production, then 100% definitely you

have been hacked. You know anybody can

go inside your server, can take control

of your server, can execute any command

inside your server, can take away your

credentials, can steal your keys and a

lot of confidential data that lies on

the server. Yes, this is all of this is

possible and this has happened because

of the recent vulnerability security

vulnerability that has been found inside

React. Now I'm not kidding over here.

This is the official React documentation

which reports this vulnerability. They

have fixed it in the recent versions but

again there is a patch that you need to

fix in your projects as well. Now in

this video I'm going to talk everything

about this vulnerability from the

developer point of view. I'll also dive

into the code, show you a real demo of

how this vulnerability can be exploited.

Right? Everything I'll show you in the

code. I'll explain you the code of what

was happening inside the vulnerability,

why it happened, how they fixed it.

Everything I will cover in this video.

So wait patiently because this is going

to be a very good master class. If you

are a software engineer, you are going

to enjoy this video a lot.

Now first of all let's talk about the

first vulnerability because this is very

very critical and this is the most

critical vulnerability that has been

found in React and this is the most

dangerous one. How it is dangerous?

Because in this according to this

vulnerability an attacker can take

access to your server. They can execute

any command into your terminal on your

server trust me and they can do anything

right. If somebody gets access to your

server, then they can do anything,

right? They can stop your applications,

they can steal your keys, they can do a

lot of things, right? Lot of crazy

things on the server, right? So, what is

this vulnerability? Let's go through

this documentation because this is an

amazing documentation. You should

definitely read this. I'll link this in

the description also. But let's quickly

go through this because I am going to

cover the most important parts over

here. Read the first line. There is an

unauthenticated remote code execution

vulnerability in React server

components. Right? So what does it mean?

Unauthenticated remote code execution.

Even if you are not authenticated, you

don't have to do any SSH, you don't have

to do anything. You just get access to

the server. And why this has been

possible? You must be thinking React is

a front-end library. How does this

happen? Let me tell you my dear friends.

This is happening because of React

server components. Now, React has React

is not just a front-end library anymore.

With React server components, React's

front end also talks to the React server

on the server, right? Reacts back end.

So now with React server components,

this vulnerability has been exposed

while serializing and deserializing the

data that is sent from your browser to

the server. Now this looks this sounds a

little complicated. Don't worry, I'll

explain you in detail. But let's first

of all go through this. This

vulnerability was reported on November

29th by Latchelin Davidson. He's a

security researcher and I was just

browsing through and I was just finding

more about this guy, right? He's an

amazing guy. I found him on LinkedIn

over here. He is a security engineer

already from New Zealand and he's

working as a security you know

innovation lead in a company known as

Carropase. Right? So he's a security

engineer. He has found a vulnerability

and reported it to Meta on 29th of

November and the Meta team verified it

and fixed it and this blog was released

on December 3rd. Right? So, and React

team has made it mandatorily and they

have strictly said that we recommend

upgrading immediately put up the patches

otherwise this is a threat to your

applications. Right? It's a very serious

vulnerability.

Now let me talk about the seriousness

also. See this this vulnerability was

disclosed at as CVE 20255182.

What is this? So basically what happens

is whenever there is a critical

vulnerability, right? So they are

reported over here like this, right?

This is a this is a unique number that

is given to every vulnerability. So this

is known as common vulnerability and

exposure. Yes, common vulnerability and

exposure. And this is the year 2025. And

this is the number unique number right

it just keeps on increasing with every

vulnerability right so this is kind of

like a identifiable uh you know

parameter for this particular

vulnerability and it has been given a

score of 10.0 0 CVSS score. What is the

CVSS score? Let me talk about that also.

Common vulnerability uh score, right? It

is a common vulnerability security score

or something like that, right? So, this

is basically, you know, se it talks

about the severity of the bug, right? It

it talks about the severity of the

vulnerability. It says that it gets a

score of 10 on 10. And let me tell you,

my dear friends, 10 on 10 is a huge

vulnerability. That means it's a panic

kind of a situation. What this is the

meaning of this 10.0 right over here 10

out of 10 score. This is a very very

critical vulnerability that has been

found and it has been found inside React

packages.

Now where is this vulnerability? This

vulnerability was present inside the

versions 19.09.1.0

19.1.1 and 19.2.0 of these packages. And

now if you are using ReactJS, if you are

using Nex.js then you definitely would

have been using these you know as the

dependencies inside your React or Nex.js

projects automatically and that is why

your project has also been compromised.

Just go ahead find it out and you will

see that your project has also been

compromised. Now what is the immediate

action that React team suggest? You have

to upgrade your versions. Just go onto

your project and upgrade your React

versions right now. Read this

documentation. I will link it in the

description of this YouTube video. Go

ahead and upgrade your versions to

19.0.1, 19.1.2 or 19.2.1. Right? So,

they have fixed those things over there.

Now you know uh

a most amazing part about this

vulnerability is that you must be

thinking ash I'm not even using react

server components is my application

still vulnerable the answer is yes

amazing isn't it even if you are not

using react server components even if

you hate react server components you

know when react server components came

in there was a the community was divided

into two parts Right? Some people liked

it, some people appreciated it and and

there was a huge developers who were you

know against this react server

components but again it's again

debatable but even if you are not using

react server components right even if

you are not using them you still your

code is still vulnerable your

application is still vulnerable because

the vulnerability lies in how the

protocol of react server components work

and the code is there so you are not you

know you are left with it. Now, React

team itself says that if you are using

Next, you are using React Router, you

are using Vaku, you are using parcel,

VJS, every anything you are using right

if your application is built on React or

Next, you are you know screwed. You your

your app has been vulnerable.

This is just the first vulnerability

that has been found later on. This was

on December 3rd. Later on just after a

week on December 11th again react team

announced that there are two more

security vulnerabilities that has been

found inside react two more and what

were these the first one was the first

one was remote code execution this was

of 10.0 zero score. Now there were two

more vulnerabilities that has been found

that were denial of service. It is kind

of like a DOSS attack. Now let me

explain this in a little fancy term

right. So what was denial of service

attack? So now in this vulnerability a

attacker can run a code onto the server

and it can make your code go in infinite

loop. So what will happen? Your code

will go into an infinite loop. Your

server will kind of like freeze and then

your website will become not responsive.

Right? it will it will become not

responsive or it will just take up a lot

of your resources. it will consume a lot

of memory and you will not realize how

that happened right so this was again a

severe vulnerability and this has been

you know reported over here as CVE 55184

now you would see the score given over

here is 7.5 why 7.5 because if I want I

can just make your application down

right I I can just run a code right I

can just kind of like a make an see

exposing and you know um you know explo

exploiting this vulnerability is as

simple as just you know making an API

call. You just make an API call, your

application is down within few minutes

or seconds. It depends on how big your

server is. Within few minutes, your app

will be crashed. Right? So this is a

huge vulnerability in itself. It has

been given a score of 7.5 out of 10.

This is again a you know critical

vulnerability. And the third

vulnerability that was found was source

code exposure. What does it mean? source

code exposure vulnerability means that I

can send an API call and I can get the

source code of your application you know

I can get the source code of your react

server components into the front end now

you must be thinking a is it a very

critical vulnerability it's not and if

you see over here the score given to

this might be low yes it is it is 5.3

right it's not that very severe why and

why it is severe also let me tell you

see generally whatever ever code you

write in react server components that is

generally you know safe to get exposed

right uh a lot of projects are open

source where you generally see the react

server component codes on GitHub

repositories as well right so it's not

critical to expose that code you can you

can see that code you can look at that

code anybody can read that code that's

completely fine but what happens is

sometimes some people hardcode keys

inside their code if you're hard- coding

keys inside your code if or if you're

writing some you know see every project

is not open source if you somehow want

that somebody should not get access to

your code but still they can get access

to your code it's a vulnerability isn't

it and I have seen a lot of people they

put hard-coded keys inside inside their

projects they don't make environment

variables or something right if you have

put in hard hard-coded keys inside your

code then this can be exploited your app

can be exploited using this

vulnerability so these vulnerabilities

are kind of related to React server

components and back on back back one

after the other these vulnerabilities

were found. Why? Because first of all

this critical security vulnerability was

found in and the whole hacker community

the ethical hacker community got to know

that okay now React server components

are kind of vulnerable. So they started

digging into it right they started

playing around with it and they found

out two more vulnerabilities.

Now we might see a lot more

vulnerabilities coming in because there

has been a lot of buzz around this

right. So a lot of hacker community is

just trying to break everything inside

react. Uh we might see more but three

are definitely confirmed by react team.

They have fixed it up and the patches

are there to release it. Let me tell you

when they released a patch on December

3rd, right? They they they were saying

that okay upgrade onto this version and

then later on just after a week right

two more vulnerabilities came in and

then they are just saying that the

patches that were published earlier are

again vulnerable right so some people

you know patched this up right the first

one first security vulnerability now two

more vulnerabilities came in so if you

have patched that don't think that you

are safe patch it again right you have

to patch it again today if you are

watching this video Please patch the

latest uh version of React. That will

save you otherwise you are vulnerable,

right? And it says that immediate action

is required, right? So you have to just

do it uh immediately because uh this is

a very critical thing and let me tell

you this is kind of like a panic

situation and if you are working for a

company you might have got a circular

already u you know to fix it up. So

please fix it up. The fix is not that

hard. you just have to bump up your

version of React and everything will get

sorted.

Now the best part about these

vulnerabilities was you know uh cloud

hosting providers like AWS versel they

came in together cloudflare they came in

together and they have tried to you know

protect your websites on their own front

right so if you are on cloudflare if you

are using AWS or if you are using you

know if you are using versel then these

companies are already putting up you

know firewalls to reject those requests.

If somebody is maliciously trying to

access your server, they are trying to

provide uh they are trying to, you know,

protect you. But again, you know, not

100% of the applications are always

secure. So, please make sure that you

are upgrading or, you know, patching up

your services because that's really very

important. That's the right fix of this

vulnerability. So as soon as I found out

that this vulnerability has been

exposed, I was very keen and I was very

curious to find out what happened and

what exactly caused this vulnerability

and how I can exploit it. So now I'll

show you a very small example where I'll

actually show you a NexJS application

which can be exploited right now using

this vulnerability. Now let me show you

the real demo live demo over here right

now. Okay. So uh please don't attack any

you know official websites because this

is still uh this vulnerability is still

present in a lot of website on the

internet. Please use it very carefully.

Uh because you know accessing somebody's

server unethically is very very

dangerous and it is kind of like illegal

to do it. So please be careful while you

are doing it. Please just do it on your

dev environment. Uh whatever I'm doing

do it on your dev environment to stay

safe. Okay. So first of all let me

create a nexjs project. So uh let's

create a nextjs project and I'm

installing the nextjs app version 16.0.6

because this is not this was the version

which was not fixed. Okay. So I'm

creating a new project and I'm calling

this as namaste. Okay. So let's create a

npm uh uh sorry next.js project and you

know I'll show you that I'm not even

using any I'm not I will not create any

components. I will not use any react

server components over here. And still a

new app, a new NexJS scaffold is also

vulnerable. You would see that. Okay. So

let it install, let it create the nextJS

project. Then I'll show you.

Meanwhile, let me also talk about uh you

know this guy Latcheland Davidson. He

found out you know uh this vulnerability

and he called this as react to shell,

right? He created this website as well.

React to shell where he is providing

more details about what is react to

shell u and how severe this

vulnerability was right so he has given

a lot of things and the most important

part that I found out was this proof of

concepts now a lot of people lot of

students also asked me a how do you find

out these stuff how can if suppose

somebody of you are interested how can

you research more about this

vulnerability let me tell you this is

the place to go right go to

reacttoshell.com find out Right? This

guy Latchlan has also shared their P.

Right? If you see the PC's, right? So he

has shared these PC's. What is P? P

means working exploits, right? Working

code that has been submitted. It's kind

of like a proof of concept of this

vulnerability, right? So he has shared

what he shared as a P, right? So this is

a this is a good study material again.

So he basically uh let me just show you.

So this was the very first RC P right

remote code execution PC. So basically

he actually sent this request. This is

the malicious request this was sent to

server. And when this request was sent

to the server so what happens is let me

just give you a small description also

that how this vulnerability uh works

right because as a software engineer I'm

not just here to show you that okay this

happened just fix it. No, I want to go

and explore this vulnerability from the

software engineer point of view also

right what's there in engineering that

was happening behind the scenes this you

know so uh you know there is a when

react see we have a front end you all

understand that there is a front end and

there is a back end front end talks to

back end in terms of APIs right you make

a make a rest api call and then you talk

to your back end that's a general

protocol But what happens is when you

use react server components or when you

use react so if react front end wants to

talk to the server they use a different

protocol it's not a normal API call that

you do right it's a different protocol

altogether and that protocol is known as

flight protocol and this is used by

react right so now when react uses this

flight protocol so what it does is when

it is sending data from front end to

back end so it serializes is that data,

right? It serializes or you can in a in

a layman language you can say it

encrypts the data or something like

that, right? It encrypts the data. It

serializes the data and then when it

goes to the server and server it

deserializes the data make it into

JavaScript readable objects and then you

know it continues further. It uh it you

know runs that code right whatever the

code is there. Now what happens is u

this guy latchlin he sent this request

right this looks very you know

complicated to read don't worry I'll

simplify this also right don't worry

about that so it he sent this request

and it was kind of it it it was

vulnerable right he was able to execute

some commands onto the server right now

this was the original P now you would

see 0000 1 02 right so this was the

first P that he

Then he submitted a new P which was

slightly more you know this this would

look very complex right this looks very

complex to explain so that's why he

created a simpler version of it and he

submitted this P to meta right so this

was actually the P that he sent to meta

and this is much readable code this is a

much readable code you can go over here

and read this piece of code you will

understand it I will also explain you

the most important part over here is

this payload this payload payload is the

one which is causing the you know uh the

server to get compromised right this is

the one and you know uh over here over

here if you will read you know this guy

what he did so over here if he is

sending this prefix he's sending a

command console log 7 into 7 + 1 so if

this commands get executed to the server

that means right that means if this

commands get executed on the server that

means means somebody can remotely

execute anything onto your server. So

right now he's just doing a console log

over here. He can also write commands

that can run inside terminal. You can

create folders, you can delete folders,

you can you know copy it, you can make a

curl request. Think about you make a

curl request to an API call which is

your API call and steal all the

environment variables the keys of your

AI uh keys and you know um and you know

what what I would suggest you it can it

can take up any you know it can take up

your database keys it can take up your

AWS keys it can take up your payment

gateway keys anything any security

credentials are there everything can be

compromised and they can also make you

handicapped that you cannot even you

know uh do a SS SSH onto your server.

They can take away access from your

server also. So they can do a lot of

things. Trust me it's like uh your

friend has got access to your computer.

So he's onto your computer computer and

he can do anything inside your computer.

Right? So this is what actually uh a

person can do a attacker can do. Right?

And the third file that is there is a

much simpler version of the same

vulnerability. This is mow rce. So this

is this is much simplified version of

the same thing and this is much readable

also. So go through this you will

understand it a lot.

Now let me go back I think we so yes so

our nextjs project is successfully

created. See this this is a typical

nextjs app. Now I am going to show you

how this is vulnerable and how you can

attack such application. So generally

what happens is now let me tell you

because I'm doing this on my local

system. So assume my local system is my

you know uh my local system is my

uh server right this is the server right

so what happens is if you will install

this application onto server what will

you do so first of all let's go to this

folder right so I'll go to cd namaste

right I I'll go to this uh you know our

application namaste now what I'll do

I'll run npm rundev right so basically

this is how you basically execute uh

this project Right? You run this

project. When you run this project, so

this project is now live at localhost

3000. Right? Let me just show you how

this project looks like. Right? Local

host 3000. So this project is live on

localhost 3000. Right? So this is a

basic simple nex.js application. Right?

Basic simple nexjs application. It's a

normal application. I have not created

any react server components. So now what

I'll do I'll just go over here and run

something on console. So what happens is

I'll just run a piece of code. I am just

kind of like making an API call, right?

I'm making an API call from my console

to the back end. Now where is the back

end? The back end is my system over

here. And assume this browser can be

accessed by anyone on the internet.

Right? Right now my uh website is on

local host 3000. But if if it is on some

domain name also right xyz.com or

axes.in

uh if it is there you can still run this

on your uh you know browser. So suppose

if somebody a user is coming onto the

website he just have to run a small

code. Now what is that code? This code

is over here right? So let me just copy

this code. I have written this code

right? Uh you can take up this code

also. Uh here is the code. You can read

it up and you can take the screenshot

also or you just find it out. I'll just

maybe uh comment down this code into the

description also. It's a very common

code. Uh I have just com see this what

is this code. See this code. I have just

taken this code and I have crafted this

into a executable code over here in the

you know console. So what I did is I

took up this code and I have crafted

this uh to execute it on on our browser.

So that's what I did. I'll just link

this code also. Don't worry. But what

I'm doing is right I'm just making a

post API call over here. Uh

and you know what I'm doing I am just

passing this payload JSON. See this I'm

just passing this payload JSON. Now you

must be thinking now the most important

part over here is not all these things.

These all things are just you know dummy

code uh extra things that I have

written. The most important part over

here is this part. This is the most

important part that you need to

understand. See this the payload this is

what I am sending this payload JSON is

what I am sending to my backend server

now when this when this code will go

onto the backend server it will execute

this line console.log meow meow right it

will execute this line console.log log

mama on my server. Now let me run this

code. 1 2 and 3. Let me hit enter. It

hits enter. It made an API call. It made

an API call. If you'll go to network

over here, if you'll go to network over

here, it has made a API call / namaste.

Right? And this call has not yet been

resolved. See this this call has not yet

been resolved. It is just wast waiting

for the response. See this it is

pending. And if you will see on the

server meow meow has been printed. This

is a very very very big thing my dear

friends very big thing. Think about it.

If I do the same thing if I run the same

thing on your website on your xyz.com I

run the same thing I will be able to do

a console log onto your server. Isn't it

lethal? It's very very lethal. very very

big vulnerability. Shall I show you one

more step ahead? This is just a small

console lock. So I have I have written

one more code which will basically steal

some data, right? Uh it can run any

command on your terminal also. Okay. So

this is much more lethal. So I have just

modified this code. This was just a

console log that I was doing, right? So

this was just a small console log that I

was doing. Where it is? I was just doing

a small console log. But instead of a

console log, let's do something more

crazy. Right? So what I did is this time

the payload is slightly complicated. So

what I have done is I am going to

execute a command cmd. What is this

command? Write any command over here.

Write any command. See this echo

vulnerability test. Over here you write

any shell terminal command. Shall I

write ls? If I write ls that means I can

run list of files and folder inside your

server. Right? So let's just do this ls

and let me run this code. See what will

happen. If I run this code, you will see

that I have got all the server package

information.

See from my browser I am able to access

all the files over here on my server.

Don't think that this is the local

system. Think about this app is deployed

on some server. Now if I run this code,

I can get all these list of icons. Do

you believe this? And over here I can

also get access to the env file. Just

like I can get access to your

package.json over here, I can get access

to your env file also. In fact, instead

of ls, I can do a lot more thing. Let me

show you even more crazy thing, right? I

can even run a curl command from here.

Instead of doing a ls let me just show

you if I write touch and u let's create

a folder I was here right I was here and

if I hit enter see this command exploit

successful right so I have created if

you will go over here see this I was

here folder is created inside my

repository now think about it somebody

is accessing your website on a browser

and they have got access to your code

base how crazy it is right they can see

this suppose think about it if you if

you just you know u if you just deploy

your application onto the server or if

you log into your server and you

randomly see a folder I was here right

over here must be crazy isn't it I can

create a file I can delete a file from

here I can literally delete a file also

right if I if I write a rm command I can

remove that file also isn't it crazy.

It's very very crazy. It's a 10 on 10

CVSS score. It's not a small thing. It's

a panic situation over here. And let me

tell you those of you who have not fixed

your React or NextJS projects, this

thing can work over there also. You have

to just run this code. But let me tell

you my dear friends. You have to be very

very you know uh careful. Just use it on

your local system. Don't exploit

somebody else's website. Don't steal

anything because this is uh unethical uh

and it's illegal. And uh this is just

for let me give you a disclaimer. This

is just for learning purposes. This is

just for educational purposes. I am

again giving you a disclaimer that

please don't exploit somebody's website.

Please don't exploit somebody's server

because this is dangerous. If you get

caught, you can get into legal issues.

Okay? Please avoid doing it. I know uh

we software engineers are very curious

and I myself am very curious to teach

you a lot of stuff but be responsible

you know with great power comes great

responsibility you have to be

responsible don't attack anybody's

website I'm telling you right away this

code as it is can run on a lot of

websites I don't want to name them I

have tried it I have not done anything

illegal over there but yes this works

100%

just by going on to anybody's domain.

Just run this code from the browser and

they are spawned. Right? So, uh this was

it. This was a very crazy vulnerability.

This was a crazy demo.

Now, those of you who are interested can

continue watching the video. I'll

explain you more in detail that what

this code actually is doing. Right now,

I'll explain you the code also. See, I

am a teacher. I am not just here to do

some fancy stuff and just don't explain

you anything. No, I want to explain you

the whole vulnerability,

why it happened, how you can fix it,

what we can learn from it. Everything

I'll cover in this video. This video can

go a little longer, but again, right, I

am very curious to teach you. So, let's

see it. Right? So, now

u you know, and I'll also tell you the

fix. I'll also show you the GitHub fix

that React team has given for this right

and how they have fixed this code right

first of all let me show you a tweet by

Galermo Roch right so this is he is the

CEO of Versel right now I I'm not sure

how to pronounce this name but he is CEO

of Versel and he has tweeted right

amazing thing if you go through this

tweet you will understand what is

happening right it's a beautiful tweet

it's a beautiful you post that he has

posted out around this. I would suggest

you to go read on it. Uh you will

understand what is actually happening

inside whole thing right and now why

this first of all let me tell you why

this vulnerability happened. It's all

because of JavaScript.

Amazing, right? So, JavaScript is crazy.

And because of JavaScript's, you know,

JavaScript's dynamic nature, right?

That's why everything is happening. You

know what happened? The attacker abused

the inherent dub duct typing in

JavaScript. Now, I want to explain you a

concept of duck dub duct typing also.

So, this is a very important concept

that you should understand and something

you should take away from this video

also. Now you have come to Axasani's

video. I will definitely I have not made

this video to just have fun. I'll teach

you something. So I'll explain you what

is duct typing. But understand that

because duct typing happens inside

JavaScript. This was exposed, right?

This this vulnerability was exposed. Now

what happens is if you read read this

article, it's a very amazing article.

But let me just quickly go on to the

main core part of it. Right? So this was

the code basically that was sent as a

payload in that API call. See this was

the code. It is a very simplified

version and let's just see this right.

So and you know if you can somehow the

attacker just want to somehow execute

this console log right this console log

onto the server. Now they are sending

this kind of an object. Let me just you

know put this code over here. Let me

create a new file and let's say code

right. So code and then I have put this

code over here. So now this is the code

over here. Let's understand this one by

one. So it is not just a normal

JavaScript object right. So this is

basically the payload that is sent to

the server. Right? Now as I told you

there is a flight protocol right? If you

will read about it so there is a flight

protocol. U this guy might have also

talked about that right? Uh I'm not

sure. Yes. See this while the flight is

intended to transport user objects lchen

lechelen found a way to confuse react.

So what this guy did he confused react

by sending this kind of a payload. Now

what this payload is doing I'll tell you

in a very easy way right so that you can

understand it. Um you know it is

slightly complicated to understand even

I have to go through uh some

documentation. I have to go through a

lot of resources to myself understand

what's happening. Definitely this guy

deserves a round of applause. Latchel

Davidson, right? He has really cracked

this up. U when I was reading this code,

I did not understand anything. I had to

go through a lot of documentation and

blog articles and lot of various places

to understand what actually this code is

doing. I'm going to explain you because

this is very very crazy. First of all,

this is kind of like a way how React

talks to the React server components,

right? how React server components talk

from uh so see how front end talks to

the react server right so how they

communicate with each other so this code

basically this payload is basically sent

to the server now this code is sent in

chunks so you see this zero you see this

one these are chunks and now if you see

what latchen has discovered if you will

see the original P that he submitted you

would see a lot of chunks over here just

give me a see this 0 1 2 3 4. So there

are a lot of chunks and you know the

initial RC let me just go to the very

first RC. So it had a lot more chunks.

See this 1 2 3 4 5 6 7 8 9 10 14 it has

chunks till 20 right 19 20. So now what

these chunks are doing let me just

explain you. I have we have just

simplified oversimplified this uh to

make you understand. Now what's

happening is this chunk is numbered

zero. This chunk is numbered one. Now

what does this dollar at the rate zero

means? Dollar at the rate zero means it

is referencing to this object. Right? It

is referencing to this object. It is

kind of like a reference to this object.

Got it? And now when this object was

sent, this object is treated as a

promise on the server. Do you understand

this? Let me explain you. This object is

treated as a promise on the server. Now

why this is treated as the promise is

again an amazing thing that comes onto

JavaScript. Duct typing.

Uh what is duct typing? Let me explain

you that because this is very

interesting in computer programming.

Duct typing is an application of duct

tag. See uh forget about this

definition. I'll explain you in a very

layman terms. If something if something

walks like a duck, it walks like a duck

and it quacks like a duck, then it must

be a duck. So what happens in

programming is if suppose I have this

earphones, right? If it walks like a

duck, it quacks like a duck, then it

must be a duck. So what happens if if

there are two three things that I know

about something that are true, then it

must be something, right? So that's

that's concluded. So now this is a very

uh interesting part and it's a funny

thing also. So you know in computer

programming if it works like a duck and

it quacks like a duck then it must be a

duck. What does it mean over here?

Right? Let me tell you what does it mean

over here. It means that if there is an

object and it has a den on it and

promises also have then on it. So if

there is something like a object which

has then on it and promise is also

something like a object which has then

on it then this thing which has a then

on it should also be a promise. Right?

So amazing right? It it u it is very

fancy and it is very crazy to think

about it like that. But JavaScript duct

typing means that this is an object and

this has a then on it. So it must be a

promise. So it is like if it walks like

a duck it is if it quacks like a duck

then it must be a duck. So similarly if

it is an object and if it has a den on

it then it must be a promise. So it

assumes

uh so the server or the react assumes

that this is a promise right and

whenever there is a promise then you

have a then on it and it's a thenable

promise right you have a then so it has

to await right it has to await so what

happens this then is executed when this

then is executed it references to the

one round see this so see one the chunk

number one is referencing to this object

and this then variable able is

referencing to the then of this object.

So see this dollar one means reference

to zero. So basically it is self

referencing itself. Do you understand

that? This is slightly complicated to

understand. Just understand it. Let me

make it a little lesser zoom. See this

one is self one is referencing to zero

and the zeros then is referencing to

dollar one. This means it is referencing

to itself then. Right? It is referencing

to itself then. So what happens is when

it references to itself then it assumes

it like a promise and it executes it

right? It executes it. And how does it

executes it? Let me tell you

this guy was very amazing right? This

latch guy is very brilliant. What it did

is it exploited React's code. So React

was checking whether whether this is

resolved right he already put this

stator as resolved. So basically it it

he has just written resolved over here

that means it assumes right react

assumes that this has been already

resolved and now it can execute the

code. Now how does it execute the code?

It does not execute the code directly.

React has checks for it. Reacts already

had checks for it. But what happened is

React generally do something like this

form data.get. So there is something

like this right underscore form

data.get_form

data.get. So it does something like this

underscore form data.get and when it

calls this function form data.get it is

a string right? It's an executable

string. Now what happens over here? If

you'll see this is referencing to the

self object. So basically it's a

self-referencing object right it's a

self-referencing loop that has been

created so this self-referencing loop is

basically tricking react over here he

has been successful in making react fool

first good thing that he has done is he

has manipulated this right manipulated

this first of all he has done this

self-referencing first of all he has

done this self-referencing loop the

other the second major reason was

He created he used this resolved promise

right? So it kind of acts like a

resolved promise. And the third thing is

he exploited this form data.get. Now

when you get the form data there get so

it is taking it is somehow accessing the

constructor function constructor. Now

when you get the access to function

constructor you can do anything. Trust

me most of the vulnerabilities that you

will find right most of the

vulnerabilities that has been find most

of the attackers they try to do

something like this in your code right

inside JavaScript there's a function

eval and if you write anything inside

eval that can be executed like this and

similar to eval there is also a function

constructor something like this function

and you execute anything over here it

will execute directly right so both of

these are scary, right? Both of these

things are scary.

What happens is when you get access to

this function constructor, right? So you

will see a lot of people try to do

something like this eval when they

exploit or they do or they want to call

a function constructor or they try to

also access your prototype chain. Right?

You might have heard about underscore

protocore. If you don't know about all

of these things, right? If you don't

know what is promises, if you don't know

what is underscore proto, I have made

all these videos in namaste javascript

on my YouTube channel itself understand

it. What is prototype chain? So they try

to go in through your prototype chain.

When you go through the prototype chain,

you can get access to a lot of you know

properties deep down inside the

prototype chain. Right? So somehow he

tricked the system, he tricked the react

server to get access to this

constructor. And when it gets access to

this constructor, so when it does this

right, get access to this constructor.

So it gets access to this function

constructor, right? It gets access to

this function constructor like this,

right? This function constructor. Now,

whatever command you pass in inside

this, it will execute, right? Whatever

command you will pass inside it will

execute. Now according to the flight

protocol whatever you pass inside this

prefix becomes the part of the

constructor. So this code basically from

the prefix goes inside this function

constructor basically. Let me just show

you how it goes. So basically this is

the function constructor. So it goes

like this right. So basically inside the

function sorry yes so this is the

function constructor. So basically it

goes inside the function constructor

whatever the code you will see goes

inside the function constructor and when

it goes inside the function constructor

it just executes the code blindly.

There were you know this was not a very

easy vulnerability to find. There were a

lot of missing pieces over here. First

of all you know proper deserialization

and sanitization is required which was

missed. The second part is there was a

self-referencing loop, right? It was it

can refer to itself, right? It can it

can just, you know, reference to itself.

This is also a bad thing. And JavaScript

ducking again if it if it looks like a

duck, it quacks like a duck, then it

must be a duck. This is not true. You

should have checks in place for this.

But again, now you know when you

retrospect things, then you can give a

lot of advices. But somebody who has

built this flight protocol is again a

brilliant, right? Brilliant genius,

right? This protocol is very very

amazing. No doubts about it. But again,

vulnerabilities can happen and if you

are using JavaScript, then you know how

dynamic JavaScript is, right? I have

covered that a lot in Namaste JavaScript

already. Um, so these type of things

happen. But this was the code that

actually got exploited. I would suggest

you to go through articles on the

internet, try to go through this, right?

Try to execute it yourself. then only

you will you know properly understand

what's happening over here right save it

uh okay so this was it my dear friends

so this was the code that got exploited

and somebody was able to access uh

anything on se server they can just go

inside your server right this was the

total vulnerability and if you'll see I

was just using the same thing right if

you see the payload over here I was just

using the same payload right where is

the payload okay So here it is right see

this I was using the same payload dot

then right and over here in this

response in the under uh in the prefix

section in the prefix section where is

prefix section

uh yes so in this prefix section

whatever you write will be executed. So

in the prefix section you can just you

know uh write something complicated. So

it gives you back over here also right?

But again if you just write in this

prefix section see this in this prefix

section if you write uh console.log that

will also be printed onto the you know

console right so you can do that too.

Now uh this was the you know uh from the

software engineering point of view I

wanted to explain you what is duct

typing uh how things can go wrong right

so interesting thing trust me

you know I was just diving deep into

this whole thing right I was very

curious as I told you I'm very curious

and I always ask my student to be very

curious uh you know uh always whenever

they are learning something and in my

courses also I just you know try to make

students curious. I want to dive deep

into things. I love to dive deep and

similarly I dive deep into finding out

how did react team fixed it right

because react is open source you should

see it publicly right how somebody fixed

it and so I went to you know uh react's

library and if you see the react library

over here you will see a pull request

just like we make pull request this was

the pull request where this thing was

fixed right now this is a very

interesting part and trust me you have

to see this right over here if you'll

see the pull request just go through the

comment section it is kind of like funny

also there are pl people blaming each

other and a lot of things first of all

you know when I saw this PR I was very

you know I was very curious to

understand what they fixed it then I

went on to the files changed and you

would see in this single PR there are

712 lines lines modified

trust me this is not a good engineering

practice it's not a good engineering

practice 712 lines changed.

It's it's crazy, isn't it? Generally, if

it was a big security see, it was a very

critical big security issue. Ideally,

they should create a PR which is just

fixing that issue. What React people

did, they merged a lot of commits. They

combined a lot of commits into this PR

and then just push the code. And you

know, this code is hardly readable,

right? If you will read this, you will

not understand because it is making ch

changes in like 700 lines. How will you

understand things right? So what happens

and the same thing happened with the

community also. A lot of people in the

community were you know u coming over

here to see how the react team fixed

this. So what happened uh there was a

debate also and there is a small argu

argument also which you will see over

here. Somebody also blamed the react

team. They said that okay you are

slipping in the code or the fix of this

vulnerability and you are trying to hide

things up right basically he tried to uh

say that right and then uh the react

team member got offended right he said

that okay no we are not trying to do

this it's an open sense open source

project and why would we hide things up

uh but again I slightly agree with the

point that if this was a so such a big

critical vulnerability you should have

fixed it in a separate PR not mixing it

with random code right but uh I'm not

sure if this was done intentionally or

it was just uh you know it was just a

coincidence but again this debate

happened and if you will go through this

comment section right over here uh you

will see typical de developer argument

going on right it was very fun to read

this up right so amazing thing right you

will you will see right see this there

was no sliding of any security fix the

person went through all these steps

responsibly and just read through it

right and people have disliked everybody

has disliked this even I did not like

what the you know maintainer was trying

to say over here but again it's fun to

read and the most amazing part is

everything is open source this is the

you know pros and cons of opensource

software everything is open in public

there is a security vulnerability that's

in public there is a patch which is

fixed that's in public now there are so

many security enthus enthusiast or

ethical hackers who are just seeing what

they have fixed and now they will try to

break that also right so uh it's an

interesting thing to watch over here

right uh if you talk about me I really

don't understand what's going on inside

this code trust me u I understand a

little but not that much I don't

generally understand but some things

that I definitely understand is how this

fix was made and if you'll see over here

I'll show you how that fix was made so

they basically when they were trying to

identify the object. So there is a very

important thing in JavaScript has own

property, right? Has own property inside

JavaScript, right? This is very

important parameter. So it checks

basically is this uh you know it is used

to check if a object has a specific

property as its own property or it is

inheriting from somewhere else.

Is it its own property or it is

inheriting somewhere else? Right? So

it's a very important check to make.

This check was this check was pushed

right. Uh read more about has own

property. U maybe if you want I can make

a separate video on how this

vulnerability was fixed. I can dive into

deep into things. See I can dive deep

into a lot of code also but I'm just

trying to keep uh this video as less

lengthy as possible otherwise you know

people won't watch it. I won't get watch

time. And I'm not sure how many of you

like these deep dive videos. I love to

make deep dive videos but again YouTube

does not promote these videos much right

so maybe you can just give me a like or

share this video with others comment it

down please to support my channel

because uh this video takes a lot of

time to make and u generally YouTube

does not promote such long videos right

uh because most people don't watch it

till the end so what happens YouTube

does not promote it further so it's kind

of my loss but again I love to make

these type of videos if you really like

it then do tell me in the comments if I

should make these dive deep videos or I

can just cover all of this in like 5

minutes video also but I don't do that

it's not my type um so yes so I'll just

show you uh where yes see this here

right so uh no not here yes see this so

here this was the check that they have

made in right so if the value is an

object and an has own property right

they are calling this property has own

property and They are checking if this

value is its own property then only do

that. This check basically was the most

important check and the person who fixed

it. All right. U Sebastian

uh he has also commented it down uh it's

an amazing comment over here. You can go

through it.

There is a lot of learning in these

things. And let me tell you my dear

friends if you are curious about

something go on the internet find it

out. Today we have so many resources out

there. If you have internet with you,

just go to React's library, right? Just

go to Facebook/ React on GitHub and just

explore the React code. See, if there's

a vulnerability, it must be there on

that code. If there is a fix, there must

be there. If there is a fix in the npm

package, then it must be on the npm

library as well. Yes, I can show you

that also that what did they fix inside

the npm package? They just bumped up

these dependencies. lot of things you

can just learn out of curiosity. So just

be curious try to find things out. I

went ahead I found out where was the PR

that was merged because they are also

following the same thing that we are

doing in the companies right uh if there

is a bug in react because this is again

a code base right this is a react

codebase if there is a bug it must be

there in some PR over here isn't it it

must be there in some PR over here so

just go and find it out and if you want

to see how they fix the other two bugs

you can find that out also everything is

available on over here right uh I just

wanted to cover this major bug because

this was the most important one and the

other bugs other two vulnerabilities

that were found was also inside react

server components only kind of like

exploiting things similarly so be

curious try to learn that's the most

important thing

now

amazing thing is that you know a lot of

companies AWS cloudflare versil has come

up and talked about this vulnerability

openly in public so that people can

patch things up. They have also as being

responsible cloud providers, they are

just securing their servers as well.

It's a very important thing to do that

and uh hats off to these companies and

the developer ecosystem who have just

quickly tried to find it. There have

been a lot of news where Chinese hackers

are now attacking random websites. So

stay safe and uh most of the most

important part is like even government

Indian website Indian government

websites are also being you know uh

targeted and they are very conscious

about it right they have they are very

conscious about it so that it does not

get access to think about it right if uh

how critical this is react is such an

amazing piece of software that it is

being used so much across the internet

and such a vulnerability can expose your

server as well. Right? So think about

it. Suppose an Indian government website

if they are using React somehow and

somebody got access to and I'm pretty

sure that some hackers might have

already got access to some or the other

government website uh if they are using

React or Nex.js and they would have got

the credentials of their database or

their server or something. uh things

will things will unfold slowly slowly

but this is not as uh you know simple as

it sounds it's a very critical thing the

developer ecosystem is not talking about

this as much as critical this is right

so this is very very critical and I

really uh thought that okay let me come

up and make this video because this has

not just a security vulnerability but it

is so much learning into it that every

software engineer should know what's

happening over here at least if you work

in JavaScript if you work in front end

then definitely if you work in back end

also it's related to server back end

front end both right so you should know

what's happening over here and uh

amazing thing right so it was

interesting now please if you are using

it fix it uh fix on your projects uh try

to upgrade your projects

now let me also tell you if you are

using react or nextjs how would you

update your project how would you fix

that patch? So if you go through this uh

react blog they have given you uh what

all things you need to do if you are on

next version 15.0.x so you have to run

this command npm install next 15.0.7 0.7

if you are on 15.1 so go to 15.1.11 and

similarly you can just see which

versions you need to bump up to

similarly you can find these instruction

for react also if you are using nexjs

then you can go to the you know nextjs

blog itself right if you'll go to nexjs

website itself right if you go to nexjs

they are just on the top mentioning that

okay there is a security advisory

reacttoshell vulnerabilities that has

been found so find out more about it go

over there and just fix they are just

showing you which versions are there

which has fixed it. So if you are on

15.4.x so basically move it to 15.4.10

uh just do it right. Basically these are

the commands to do it. Similarly, you

can do it u on all the uh other places

also right if you are using react if you

are using uh some other versions just go

to the official documentation everything

in mentioned over here right u so yes

that's all over here to fix it

and please tell me if you like this dive

deep video or not I could have made a

very small video initially I was

thinking that okay let me make a quick

video out out there. You know, I got to

know about this vulnerabilities just

last week and I did not intend to make a

video on it but then today was Sunday

and I thought that okay, let me dive

deep into this uh vulnerability and I

found out that this vulnerability is so

interesting that it deserves a video. So

that's why I came over here and made a

dive deep video into it and shown you

how to actually you know uh how you

actually can get access to the server of

somebody's right. So interesting thing.

Thank you so much. If you're watching

till the end, please like the video.

Please subscribe to the channel if you

haven't already. And I'll keep on coming

up with more videos such like that.

Thank you so much. Bye-bye. And namaste.