React’s Flight Protocol Under Fire: How Two Critical Vulnerabilities Let Attackers Hijack Your Server

Introduction:

The foundational trust in React’s internal Flight protocol has been shattered by the disclosure of two severe vulnerabilities. These flaws, present in default configurations of popular meta-frameworks like Next.js, allow unauthenticated attackers to execute arbitrary code on the server and forge authenticated requests, leading to full server compromise. This incident underscores the catastrophic risk of exposing internal serialization systems to the public internet without robust security validation.

Learning Objectives:

  • Understand the mechanics of React’s Flight protocol and how its exposure creates an attack surface.
  • Learn to identify and mitigate CVE-2024-9060 (Remote Code Execution) and the associated request forgery vulnerability.
  • Implement defensive configurations and monitoring for RSC endpoints in production environments.

You Should Know:

1. Deconstructing the Flight Protocol: The Invisible Backchannel

The React Flight protocol is a binary wire format designed for efficient serialization of React elements and data between server components (RSC) and the client. It was intended as a private communication channel within a trusted React application boundary. However, frameworks like Next.js expose RSC endpoints (e.g., /_next/action/, /_next/rsc/) publicly to enable dynamic updates, inadvertently turning this internal backchannel into a prime attack vector. Because security tooling like WAFs cannot decode the proprietary format, malicious Flight payloads appear as benign, random data.

2. CVE-2024-9060: Arbitrary Code Execution via Malicious Deserialization

The core flaw is that the Flight server deserializes untrusted client data without proper validation. An attacker can craft a specially serialized Flight payload that, when processed by the server, triggers the execution of arbitrary JavaScript code with server privileges.

Attack Simulation (Educational Purposes Only):

An attacker can use a tool like `curl` to send a malicious RSC request.

# Example structure of a probing request. The actual exploit involves a crafted serialized object.
curl -X POST https://<target>/_next/action/<action-id> \
  -H "Content-Type: text/plain; charset=utf-8" \
  -H "RSC-Action: <action>" \
  --data-binary "@malicious_flight_payload.bin"

The malicious payload would exploit the deserialization process to run OS commands or access sensitive files.

Mitigation Step 1: Immediate Patching

Update all dependencies immediately:

# For a Next.js project using npm (npm update does not accept version tags;
# use npm install with an explicit @latest spec)
npm install react@latest react-dom@latest next@latest

# Verify versions
npm list react react-dom next

Required minimum versions: React 19.0.1/19.1.2/19.2.1+, Next.js 15.0.5+.

3. Request Forgery & Replay: Bypassing Authentication Boundaries

The second vulnerability allows attackers to forge or replay Flight requests to invoke server actions intended for authenticated users. This bypasses authorization checks.

How an Attacker Exploits This:

  1. Using browser dev tools, an attacker intercepts a legitimate, authenticated Flight request to a server action.
  2. They copy the request payload and headers.
  3. They replay this request from an unauthenticated session or modify its parameters (args in the Flight stream) to perform unauthorized operations (e.g., change another user’s data).

Mitigation Step 2: Implement Strict Action Authorization

Do not rely on the Flight endpoint’s invisibility. Explicitly authorize every server action.

// In your Next.js Server Action (e.g., app/actions.js)
'use server';

import { getServerSession } from "next-auth";

export async function updateUserSettingsAction(formData) {
  // Resolve the caller from the session cookie, never from the Flight payload itself
  const session = await getServerSession();
  // Fail closed: no session, or a session that does not own the target user
  if (!session || session.user.id !== formData.get('userId')) {
    throw new Error('Unauthorized');
  }
  // Proceed with action
}
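The ownership check above handles forged arguments; the replay half of the problem needs each request to carry something that can be spent only once. The following is an added example, not code from the original post or from React, Next.js or next-auth: a hypothetical `guardedAction` wrapper and an in-memory `ActionTokenStore` (a stand-in for a shared cache such as Redis in production) that rejects unauthenticated callers, already-spent tokens, tokens issued to a different user or action, expired tokens, and arguments that do not match the caller's own identity. The session and form shapes, token names and clock are all assumptions made for the demo.

```javascript
// Added example (not from the original post or from Next.js/next-auth): a
// wrapper that makes a server action refuse forged and replayed requests.
// guardedAction, ActionTokenStore and the session/form shapes are assumptions.

// Single-use action tokens. The page that renders the form asks for one and
// embeds it as a hidden field; the action spends it. A replayed request
// carries a token that is already gone, and a token issued to another user or
// for another action fails the binding check. The in-memory Map stands in for
// a shared store (e.g. Redis) that every server instance can see.
class ActionTokenStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.tokens = new Map();
  }
  // The token string must come from a cryptographically random source in real use
  issue(token, userId, actionName, ttlMs = 15 * 60 * 1000) {
    this.tokens.set(token, { userId, actionName, expires: this.now() + ttlMs });
    return token;
  }
  // Burn the token on first sight, whether or not it validates
  consume(token, userId, actionName) {
    const entry = this.tokens.get(token);
    if (!entry) return false;
    this.tokens.delete(token);
    return entry.expires > this.now()
      && entry.userId === userId
      && entry.actionName === actionName;
  }
}

// Order of checks: who is calling (session cookie, never the Flight payload),
// then is this a fresh request bound to that caller, then is the caller
// allowed to do this to this target.
function guardedAction(actionName, store, policy, handler) {
  return async function action(session, formData) {
    if (!session || !session.user) return { ok: false, reason: 'unauthenticated' };
    const token = formData.get('actionToken');
    if (!token || !store.consume(token, session.user.id, actionName)) {
      return { ok: false, reason: 'invalid-or-replayed-token' };
    }
    if (!policy(session, formData)) return { ok: false, reason: 'forbidden' };
    return { ok: true, result: await handler(session, formData) };
  };
}

// Ownership policy from the post: the caller may only touch their own record
const ownsTargetUser = (session, formData) => session.user.id === formData.get('userId');

// Walk through the replay and forgery cases described in the post. A Map stands
// in for FormData (same .get API); the clock is fake so expiry is deterministic.
async function runScenarios() {
  let clock = 1_700_000_000_000;
  const store = new ActionTokenStore(() => clock);
  const updateSettings = guardedAction('updateUserSettings', store, ownsTargetUser,
    async (session, formData) => ({ updated: session.user.id, theme: formData.get('theme') }));
  const alice = { user: { id: 'u-1' } };
  const mallory = { user: { id: 'u-2' } };
  const form = (entries) => new Map(entries);

  const t1 = store.issue('tok-1', 'u-1', 'updateUserSettings');
  const legit = await updateSettings(alice, form([['actionToken', t1], ['userId', 'u-1'], ['theme', 'dark']]));
  // Same request sent again: the token was spent on the first call
  const replay = await updateSettings(alice, form([['actionToken', t1], ['userId', 'u-1'], ['theme', 'dark']]));

  // Token captured from Alice, sent from Mallory's session
  const t2 = store.issue('tok-2', 'u-1', 'updateUserSettings');
  const stolenToken = await updateSettings(mallory, form([['actionToken', t2], ['userId', 'u-1']]));

  // Alice's own fresh token, but the userId argument was edited to someone else
  const t3 = store.issue('tok-3', 'u-1', 'updateUserSettings');
  const tamperedArgs = await updateSettings(alice, form([['actionToken', t3], ['userId', 'u-2']]));

  // Token older than its TTL
  const t4 = store.issue('tok-4', 'u-1', 'updateUserSettings', 1000);
  clock += 5000;
  const expired = await updateSettings(alice, form([['actionToken', t4], ['userId', 'u-1']]));

  const anonymous = await updateSettings(null, form([['userId', 'u-1']]));
  return { legit, replay, stolenToken, tamperedArgs, expired, anonymous };
}

runScenarios().then((r) => console.log(r));
```

Only the first call succeeds; every other case is refused with a reason that can be logged, which is what the detection section below needs. In a real deployment the store must be shared across instances, otherwise a replay routed to a different server would still find the token unspent.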

4. Detecting Exploitation Attempts in Your Logs

Since WAFs may be blind, configure your application and infrastructure logging.

Monitor RSC Endpoint Access:

In your Next.js custom server or middleware, log all requests to RSC endpoints for unusual patterns.

// Example in Next.js middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  const pathname = request.nextUrl.pathname;
  if (pathname.startsWith('/_next/action') || pathname.startsWith('/_next/rsc')) {
    // Structured record for log shipping. request.ip was removed in Next.js 15,
    // so take the client address from the proxy-supplied header instead.
    console.warn('RSC Access', {
      path: pathname,
      method: request.method,
      ip: request.headers.get('x-forwarded-for'),
      userAgent: request.headers.get('user-agent'),
      timestamp: new Date().toISOString(),
    });
  }
  return NextResponse.next();
}
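Logging alone raises no alert; something has to read the records. The following is an added example, not part of the original post, showing how the JSON records a middleware like the one above emits could be triaged offline. The fields `method`, `hasActionHeader` and `bodyBytes` extend the post's record and are assumptions, the thresholds are illustrative, and the log lines are constructed for the demo. It goes slightly beyond the post by checking three signals rather than one: an action POST without the action header the framework normally sends, a body far larger than a form submission, and a burst of action POSTs from one client address.

```javascript
// Added example (not part of the original post): offline triage of the JSON
// records emitted by an RSC-logging middleware. Field names method,
// hasActionHeader and bodyBytes are assumptions that extend the post's record.

// Constructed sample log: two ordinary requests, one header-less and oversized
// action POST, one unparsable line, then a burst of ten action POSTs.
const baseLines = [
  JSON.stringify({ path: '/_next/action/abc123', ip: '203.0.113.5', method: 'POST',
    hasActionHeader: true, bodyBytes: 412, userAgent: 'Mozilla/5.0',
    timestamp: '2025-01-10T10:00:00.000Z' }),
  JSON.stringify({ path: '/_next/rsc/page', ip: '203.0.113.5', method: 'GET',
    hasActionHeader: false, bodyBytes: 0, userAgent: 'Mozilla/5.0',
    timestamp: '2025-01-10T10:00:05.000Z' }),
  JSON.stringify({ path: '/_next/action/abc123', ip: '198.51.100.7', method: 'POST',
    hasActionHeader: false, bodyBytes: 70000, userAgent: 'curl/8.4.0',
    timestamp: '2025-01-10T10:00:30.000Z' }),
  'not a json record',
];
const burstLines = Array.from({ length: 10 }, (_, i) => JSON.stringify({
  path: '/_next/action/abc123', ip: '198.51.100.7', method: 'POST',
  hasActionHeader: true, bodyBytes: 300, userAgent: 'curl/8.4.0',
  timestamp: new Date(Date.UTC(2025, 0, 10, 10, 2, i * 2)).toISOString(),
}));
const SAMPLE_RSC_LOG = [...baseLines, ...burstLines].join('\n');

// Parse one JSON record per line; skip lines that are not well-formed records.
function parseRscLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const r = JSON.parse(line);
      const ts = Date.parse(r.timestamp);
      if (typeof r.path === 'string' && !Number.isNaN(ts)) records.push({ ...r, ts });
    } catch {
      // not JSON: ignore rather than abort the whole analysis
    }
  }
  return records;
}

// Three simple signals:
//  - action POST without the action header the framework normally sends
//  - body far larger than a typical form submission
//  - many action POSTs from one client address inside a sliding window
function analyzeRscLog(text, opts = {}) {
  const { windowMs = 60_000, burstThreshold = 10, maxBodyBytes = 64 * 1024 } = opts;
  const records = parseRscLog(text).sort((a, b) => a.ts - b.ts);
  const findings = [];
  const recentByIp = new Map();
  for (const r of records) {
    const isAction = r.path.startsWith('/_next/action');
    if (isAction && r.method === 'POST' && !r.hasActionHeader) {
      findings.push({ rule: 'missing-action-header', ip: r.ip, path: r.path, at: r.timestamp });
    }
    if ((r.bodyBytes ?? 0) > maxBodyBytes) {
      findings.push({ rule: 'oversized-body', ip: r.ip, bodyBytes: r.bodyBytes, at: r.timestamp });
    }
    if (isAction) {
      // Sliding window of action timestamps per client address
      const recent = recentByIp.get(r.ip) ?? [];
      recent.push(r.ts);
      while (recent.length && r.ts - recent[0] > windowMs) recent.shift();
      recentByIp.set(r.ip, recent);
      // Fire once, when the window first reaches the threshold
      if (recent.length === burstThreshold) {
        findings.push({ rule: 'action-burst', ip: r.ip, count: recent.length, at: r.timestamp });
      }
    }
  }
  return findings;
}

// Stand-alone run prints the three findings for the constructed log
console.log(analyzeRscLog(SAMPLE_RSC_LOG));
```

The thresholds are starting points: tune `burstThreshold` and `maxBodyBytes` against a baseline of your own traffic before treating a finding as an incident, and feed the `ip`/`at` pairs into whatever ticketing or SIEM pipeline you already run.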

Linux Server Monitoring:

Use `journalctl` to watch for processes spawned by your Node.js application.

# Monitor for child processes from your Node app
sudo journalctl -u your-nextjs-service -f | grep -E "child_process|spawn"

5. Hardening Your RSC Deployment Configuration

Apply defense-in-depth principles beyond patching.

Network Layer Restriction (Cloud):

Use security groups or firewall rules to limit access to the RSC endpoints from only trusted sources (e.g., your CDN, frontend VPC).

# Example AWS CLI command to update a security group (conceptual)
# --cidr: your deployment IP only
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxx \
  --protocol tcp \
  --port 3000 \
  --cidr "$(curl -s https://checkip.amazonaws.com)/32"

Environment Hardening:

Run the Next.js process with the least privileges necessary. Use a non-root user and restrict filesystem access.

# In your Dockerfile
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nextjs
USER nextjs

What Undercode Say:

  • Default Configurations Are Silent Killers. This exploit chain wasn’t caused by developer error but by framework defaults that exposed a powerful internal system. This reiterates a critical rule: never expose internal serialization/communication protocols without assuming they will be maliciously targeted.
  • The Scanner Blind Spot is a Growing Frontier. The fact that mainstream security tools cannot parse custom protocols like Flight creates a massive detection gap. This mandates a shift towards behavioral monitoring (unusual process spawns, anomalous data access) and stringent application-layer authorization, as network-layer defenses are insufficient.

Prediction:

This vulnerability marks a pivotal moment in full-stack JavaScript security, forcing a reevaluation of how meta-frameworks handle internal protocols. We predict a rapid shift: framework authors will move to encrypt or cryptographically sign Flight payloads by default, and the concept of “trusted boundaries” within a single application will be formally modeled. Furthermore, security tooling will scramble to add Flight protocol parsers, making RSC endpoints a first-class citizen in vulnerability scans. Expect increased scrutiny on similar patterns in other full-stack frameworks that merge server-client boundaries.

Reported By: Terrasecurity Two – Hackers Feeds