
React2Shell RCE Bug Found While Researching React's Flight Protocol


A security researcher stumbled onto React2Shell, a critical remote code execution vulnerability in React's Flight protocol, while trying to understand how Next.js Server Functions work. Reported to Meta on November 30, 2025, the flaw earned a CVE identifier and patch within days—though finding it required reverse-engineering a protocol with almost no public documentation.

Flight serializes rich JavaScript objects between client and server, including Date, BigInt, and Map values. The vulnerability arose because Flight allowed payload references to resolve to inherited properties such as Number.prototype.toString, letting attackers place malicious functions on objects they controlled. Vercel founder Guillermo Rauch called this "a glaring omission of a safety check."

TypeScript annotations gave developers a false sense of safety, because the types they describe are not enforced at runtime. Attackers could send objects with malicious functions via Flight payloads and exploit string concatenation or replaceAll calls to execute arbitrary server-side code. The fix closed off these vectors entirely.
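To make the missing safety check concrete, here is an added toy illustration (not React's Flight code; the function names and the sample decoded payload are assumptions) of a reference resolver that follows the prototype chain next to a hardened one that only accepts own data properties on plain objects or arrays and rejects callables:

```javascript
// Added example, not part of the original briefing or of React's Flight code.
// A Flight-style payload may reference a property path on an already-decoded
// value. The class of bug described above is a resolver that walks such a path
// with plain property lookup, so a path can land on an inherited member such as
// Number.prototype.toString (a function) instead of on plain data.

const NOT_FOUND = Symbol("not-found");

// Unsafe resolver: `value[key]` follows the prototype chain, so inherited
// properties and functions are reachable from attacker-chosen paths.
function resolveReferenceUnsafe(root, path) {
  let value = root;
  for (const key of path) {
    if (value === null || value === undefined) return NOT_FOUND;
    value = value[key];
  }
  return value;
}

// Hardened resolver: every step must be an own property of a plain object or
// array (no exotic prototypes), and the final value must not be callable.
function resolveReferenceSafe(root, path) {
  let value = root;
  for (const key of path) {
    if (typeof value !== "object" || value === null) return NOT_FOUND;
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
      return NOT_FOUND;
    }
    if (!Object.prototype.hasOwnProperty.call(value, key)) return NOT_FOUND;
    value = value[key];
  }
  if (typeof value === "function") return NOT_FOUND;
  return value;
}

// Constructed sample of decoded chunks, keyed by chunk id (an assumption).
const decodedChunks = { "0": { id: 42, name: "widget" } };

// Stand-alone demo: the same path resolves to a function in the unsafe
// resolver and is rejected by the hardened one.
console.log(typeof resolveReferenceUnsafe(decodedChunks, ["0", "id", "toString"])); // "function"
console.log(resolveReferenceSafe(decodedChunks, ["0", "id", "toString"]) === NOT_FOUND); // true
console.log(resolveReferenceSafe(decodedChunks, ["0", "name"])); // "widget"
```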