Myles Nieman
← All writeups

ReactOOPS

Overview

ReactOOPS is a very easy box built around the new React vulnerability dubbed react2shell (CVE-2025-55182). The target is a small, vibe-coded React application whose source conveniently reveals that the flag is written to /app/flag.txt. Exploiting CVE-2025-55182 gives unauthenticated remote code execution, which is enough to read the flag straight off disk.

Path: vulnerable React app → CVE-2025-55182 (react2shell) RCE → /app/flag.txt.

Enumeration

The web application front end is a standard React build. Reading through the served source, the flag location is disclosed directly — the app writes it to /app/flag.txt.

The React application front end served by the target

Foothold — CVE-2025-55182 (react2shell)

React versions affected by CVE-2025-55182 are exploitable via the react2shell technique, which turns the flaw into unauthenticated remote code execution. I used the public proof-of-concept from surajhacx/react2shellpoc.

Pointing the exploit at the target lands code execution, and since the flag path was already disclosed as /app/flag.txt, reading it back completes the box.

react2shell exploit executing and recovering the flag from /app/flag.txt

Takeaways

  • CVE-2025-55182 (react2shell) turns a vulnerable React application into an unauthenticated RCE — no credentials required.
  • The app leaked its own flag path. Reading the served source disclosed /app/flag.txt, so once code execution landed the box was effectively over.