Full Report
When React2Shell happened, the Vercel WAF needed to block all of the resulting exploits. To incentivize the discovery of bypasses, Vercel offered a $50K bounty for each unique bypass technique. This led to 156 reports and $1M being paid out. This article is the learnings from that.

Seawall is the internal request inspection layer of Vercel's WAF. Its goal is to block malicious patterns before a request reaches the application. Whenever a researcher reported a new way to bypass the WAF, Vercel A) reproduced it, B) created a test case and C) added a new rule. Most reports came within the first 24 hours, but some came in the second 24. After that, lots of very sophisticated techniques were used.

At the compute layer (I presume for React applications hosted by Vercel), they also wanted a mitigation. Since the exploit relies on accessing constructor directly, the runtime now denies access to it during React rendering. This broke the exploit path: even with a WAF bypass, this runtime check would remove all exploitation.

The article doesn't discuss every single bypass, but it does go through two bypasses that came from the authors of the React2Shell exploit. The first is around Unicode parsing. Many bypasses try to confuse the parser by replacing regular characters with their Unicode escape representation in JSON. By normalizing the JSON, this isn't a problem anymore. However, if you Unicode-encode the Unicode escapes multiple times (one layer of escapes nested inside another), a single normalization pass no longer catches it. Now the WAF decodes recursively, over and over again.

Most of the exploits were around the prevention of :constructor, with a colon. By finding another gadget for property access, one that used property access and string interpolation, it was possible to use constructor without the colon instead. This shows the power of slight deviations from the original exploit.

Why did they do this? To test their infrastructure against real attacks. This could not have been simulated.

The rules for these WAF bypasses are now permanent additions to the Firewall product, which keeps the exercise useful for the future. Overall, a great blog post and a great campaign by Vercel.
Analysis Summary
# Incident Report: React2Shell WAF Bypass Challenge (CVE-2025-55182)
## Executive Summary
Following the disclosure of the "React2Shell" Remote Code Execution (RCE) vulnerability, Vercel launched a $1M "Hacker Challenge" to stress-test its Seawall WAF. The initiative sought to identify and patch bypass techniques before they could be exploited by malicious actors. The campaign resulted in the discovery of 20 unique bypass techniques, leading to permanent hardening of the Vercel WAF and the implementation of a new runtime-level defense-in-depth mitigation.
## Incident Details
- **Discovery Date:** December 2025 (Public Disclosure of React2Shell)
- **Incident Date:** Continuous over the weeks following disclosure
- **Affected Organization:** Vercel (Infrastructure provider) and its customers
- **Sector:** Cloud Computing / Software as a Service (SaaS)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025
- **Vector:** Exploitation of React Server Components (RSC) vulnerability.
- **Details:** The primary vector involved sending a malicious JSON payload that accessed `constructor` gadgets to trigger server-side code execution.
### Lateral Movement
- **Details:** While the incident focused on RCE at the application layer, the exploit allowed for arbitrary code execution, potentially leading to secret extraction or internal network scanning from the compromised compute instance.
### Data Exfiltration/Impact
- **Details:** Over 6 million exploit attempts were recorded. Successful exploitation would allow attackers to run unauthorized programs, extract environment secrets, and perform unauthorized network calls.
### Detection & Response
- **Detection:** Vercel identified 2.3 million attack attempts in a single 24-hour peak via the Seawall WAF.
- **Response:**
  - Launched a public HackerOne bounty program offering $50,000 per unique bypass.
  - Shipped 20 unique WAF updates within the first 48 hours of the challenge.
  - Implemented a runtime-level check to deny access to constructors during React rendering.
## Attack Methodology
- **Initial Access:** Remote Code Execution via RSC payload injection.
- **Persistence:** Not specifically detailed, though RCE allows for web shell deployment.
- **Defense Evasion:**
  - **Unicode Obfuscation:** Using Unicode escape representations in JSON to bypass string-matching filters.
  - **Recursive Encoding:** Nesting multiple layers of Unicode encoding to exhaust or bypass single-pass normalization.
  - **Property Access Diversion:** Using string interpolation and secondary gadgets to reach `constructor` without the literal `:constructor` (colon-prefixed) pattern that specific WAF blocklists matched.
- **Impact:** Server-side execution of arbitrary code (`console.log('☠️')` in PoC).
## Impact Assessment
- **Financial:** $1,000,000 USD paid out in bounties to 116 researchers.
- **Data Breach:** Prevented; no confirmed customer data loss reported due to proactive mitigations.
- **Operational:** High intensity for security/engineering teams (20 updates in 48 hours).
- **Reputational:** Positive; recognized for transparency and high-stakes security testing.
## Indicators of Compromise
- **Behavioral indicators:**
  - Extraordinary spikes in RSC payloads containing `_response`, `_prefix`, or `"$1:then:constructor"`.
  - Payloads utilizing non-standard Unicode characters in JSON keys/values.
  - Unusual property access patterns in React rendering requests.
## Response Actions
- **Containment:** Deployed Seawall WAF rules to block identified malicious patterns.
- **Eradication:** Applied runtime compute-layer blocks to prevent constructor access, breaking the exploit path even when the WAF is bypassed.
- **Recovery:** Continuous monitoring and collaboration with industry partners (AWS, Google, Microsoft) to share bypass techniques.
## Lessons Learned
- **WAF Limitations:** Web Application Firewalls are a necessary first line of defense but are susceptible to parser differential attacks and encoding bypasses.
- **Power of Incentives:** High-value bounties ($50K) successfully redirected sophisticated researchers from the black market to responsible disclosure.
- **Defense-in-Depth:** Relying solely on the WAF is insufficient; security must be enforced at the compute/runtime layer (denying access to sensitive objects like constructors).
## Recommendations
- **Normalize Payloads Recursively:** Ensure WAF parsers handle multi-layered encoding that may be intended to bypass single-pass normalization.
- **Runtime Hardening:** Implement language-level or framework-level restrictions on sensitive object access (e.g., prohibiting `constructor` access during response serialization).
- **Proactive Stress-Testing:** Launch targeted bug bounties following the disclosure of major vulnerabilities to identify platform-specific bypasses.
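The runtime-hardening recommendation is the one layer that holds when every WAF rule is evaded, so it is worth seeing what a render-scoped guard on property access looks like. The following is an added example, not Vercel's runtime or React's code: it models a deserializer that follows a dotted reference path through parsed JSON, and while a render is in progress it refuses denied keys (`constructor`, `__proto__`, `prototype`) and any property that is not an own property of the deserialized value. The resolver, the denylist, the render-depth counter and the sample data are all assumptions for illustration.

```javascript
// Added example (not Vercel's runtime code): a render-scoped guard on property
// resolution over deserialized data. Denylist, resolver and sample data are
// constructed for illustration.

const DENIED_KEYS = new Set(['constructor', '__proto__', 'prototype']);

// Greater than zero while a render is in progress (assumed mechanism).
let renderDepth = 0;

function renderWith(fn) {
  renderDepth += 1;
  try {
    return fn();
  } finally {
    renderDepth -= 1;
  }
}

// Read one property of deserialized data. During rendering only own
// properties are reachable, and denied keys are rejected even when they are
// own properties, since JSON.parse('{"constructor": 1}') creates one.
function readProperty(target, key) {
  if (renderDepth > 0) {
    if (DENIED_KEYS.has(key)) {
      throw new TypeError(`access to "${key}" is denied during rendering`);
    }
    if (target === null || target === undefined || !Object.prototype.hasOwnProperty.call(target, key)) {
      throw new TypeError(`"${key}" is not an own property of the deserialized value`);
    }
  }
  return target?.[key];
}

// Follow a dotted reference path, the way a deserializer might resolve a chain.
function resolvePath(root, path) {
  return path.split('.').reduce((value, key) => readProperty(value, key), root);
}

// Resolve inside a render and report the outcome instead of throwing.
function resolveDuringRender(root, path) {
  try {
    return { ok: true, value: renderWith(() => resolvePath(root, path)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed request data; note the own property literally named "constructor".
const data = JSON.parse('{"user": {"name": "alice", "tags": ["admin"]}, "constructor": "own key"}');

const PATHS = ['user.name', 'user.tags.0', 'user.constructor', 'user.name.constructor', 'user.toString', 'constructor'];
for (const path of PATHS) {
  console.log(path.padEnd(22), resolveDuringRender(data, path));
}
```

Two design points carry the weight here. The own-property check is what closes the prototype chain: it stops walks into `constructor`, `toString` or anything else inherited without needing to enumerate every dangerous inherited name. The denylist still exists because an attacker controls the JSON and can create an own key named `constructor`, which the own-property check alone would allow. Outside a render, `resolvePath(data, 'user.constructor')` still returns `Object`, mirroring the report's scoping of the block to rendering rather than to the whole process.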