ReactOOPS
Overview
ReactOOPS is a very easy box built around the new React vulnerability
dubbed react2shell (CVE-2025-55182). The target is a small,
vibe-coded React application whose source conveniently reveals that the flag is
written to /app/flag.txt. Exploiting CVE-2025-55182 gives unauthenticated
remote code execution, which is enough to read the flag straight off disk.
Path: vulnerable React app → CVE-2025-55182 (react2shell) RCE → /app/flag.txt.
Enumeration
The web application front end is a standard React build. Reading through the
JavaScript it serves to the browser, the flag location is disclosed directly:
the app writes it to /app/flag.txt. A client bundle is fully visible to anyone
who loads the page, so any server-side path that ends up in it is public.
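The enumeration step above, as an added example that is not code from the box or from the original write-up: pull the script URLs out of the served index page, then scan each bundle for absolute file-system paths and surface the interesting ones. The HTML, the bundle text and the 10.10.10.10 target address are constructed samples; the fetch callable is passed in so the same logic runs offline here and against a live target with urllib in practice.

```python
"""Find server-side file paths disclosed in a React build's served JavaScript.

Added example for the enumeration step; not code from the box or the write-up.
SAMPLE_HTML, SAMPLE_BUNDLE and the 10.10.10.10 address are constructed inputs.
"""
import re
from urllib.parse import urljoin

# <script src="..."> references in the served HTML
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Absolute POSIX path ending in a file extension, not the path part of a URL
# (the lookbehind rejects a preceding host character, '/' or ':')
ABS_PATH_RE = re.compile(r'(?<![\w./:-])(/(?:[\w.-]+/)*[\w.-]+\.[A-Za-z0-9]{1,5})')
# Substrings that mark a path worth a second look
INTERESTING = ("flag", "secret", "key", "token", ".env", "passwd", "cred")


def script_urls(html: str, base_url: str) -> list[str]:
    """Absolute URLs of every script the page loads."""
    return [urljoin(base_url, src) for src in SCRIPT_SRC_RE.findall(html)]


def disclosed_paths(js: str) -> list[str]:
    """Unique absolute file paths that appear as string literals in the bundle."""
    return sorted(set(ABS_PATH_RE.findall(js)))


def interesting_paths(paths) -> list[str]:
    """Keep only paths whose name suggests a secret or a flag."""
    return [p for p in paths if any(k in p.lower() for k in INTERESTING)]


def enumerate_site(base_url: str, fetch) -> dict[str, list[str]]:
    """fetch(url) -> str. Map each script URL to the interesting paths it leaks."""
    found = {}
    for url in script_urls(fetch(base_url), base_url):
        paths = interesting_paths(disclosed_paths(fetch(url)))
        if paths:
            found[url] = paths
    return found


# Constructed samples: a minimal index page and a bundle that leaks a path
SAMPLE_HTML = (
    '<html><head><script defer src="/static/js/main.abc123.js"></script>'
    '</head><body><div id="root"></div></body></html>'
)
SAMPLE_BUNDLE = (
    'const flag = process.env.FLAG;'
    'fs.writeFileSync("/app/flag.txt", flag);'
    'fetch("https://cdn.example.com/lib/react.production.min.js");'
    'const logo = "/static/media/logo.svg";'
)

if __name__ == "__main__":
    # Offline run over the constructed samples; swap in a urllib-based fetch
    # for a live target (assumed address, not the box's real one).
    base = "http://10.10.10.10/"
    fake_site = {base: SAMPLE_HTML, urljoin(base, "/static/js/main.abc123.js"): SAMPLE_BUNDLE}
    for url, paths in enumerate_site(base, fake_site.__getitem__).items():
        print(url)
        for p in paths:
            print("  ", p)
```

The path regex deliberately ignores URL paths (`https://.../lib/...`) and only reports literal absolute paths, and it skips extension-less paths such as /usr/bin/node; widen INTERESTING or drop the filter when triaging a bundle by hand.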

Foothold — CVE-2025-55182 (react2shell)
Applications running a React version affected by CVE-2025-55182 can be exploited with the react2shell technique, which turns the flaw into unauthenticated remote code execution. I used the public proof-of-concept from surajhacx/react2shellpoc.
Pointing the exploit at the target lands code execution. A harmless command
such as id is the usual first check that execution actually landed; since the
flag path was already disclosed as /app/flag.txt, reading it back then completes
the box.

Takeaways
- CVE-2025-55182 (react2shell) turns a vulnerable React application into an unauthenticated RCE — no credentials required.
- The app leaked its own flag path. Reading the served source disclosed
/app/flag.txt, so once code execution landed the box was effectively over.
- For defenders the fix is twofold: move to a React release that addresses CVE-2025-55182, and keep server-side paths and other deployment details out of the client bundle, which every visitor can read.