React server actions RCE reproduction case

this is a vulnerable version of react. We know from reports that there is a RCE issue with server actions, but we don't know anything else. I want you to understand this problem and create a reproduction case. because this is sensitive I do not want you to search the internet. It's paramount for security that we create a repro case. Consider using the oracle if it works for you. Do not use web search!

The user wants me to investigate a potential RCE (Remote Code Execution) vulnerability in React related to server actions. They've explicitly asked me NOT to use web search for security reasons. I need to understand the codebase and find the vulnerability.

Let me start by understanding the structure of this React codebase, particularly focusing on server actions functionality.

I'll investigate this React codebase to find the RCE vulnerability in server actions. Let me start by understanding the relevant code.

Updated TODOs

Find server actions implementation in React. Look for code handling server actions, form actions, or action serialization/deserialization. Search for files related to flight, RSC (React Server Components), or server action handling.

Based on my search through the React codebase, I have found comprehensive server actions implementation in React. Here are the key files containing server actions implementation, form actions, and action serialization/deserialization:

Files with Server Actions Implementation:

fixtures/flight-parcel/src/server.tsx - Server-side handler for server actions

Implements handleAction() function that loads and executes server actions
Uses loadServerAction() to load actions by ID
Uses decodeAction() for form-based progressive enhancement
Uses decodeReply() to decode arguments sent from client
Handles both RSC (React Server Components) rendering and server action invocation
Sets up Express middleware for CORS and handling POST requests

fixtures/flight-parcel/src/client.tsx - Client-side server action integration

Uses setServerCallback() to register handler for server actions
Uses encodeReply() to serialize arguments when calling server actions
Uses createFromFetch() and createFromReadableStream() to deserialize RSC responses
Implements server action invocation with POST requests including 'rsc-action-id' header
Handles form submissions and navigation with RSC updates

fixtures/flight-parcel/types.d.ts - Type definitions for server action APIs

Defines loadServerAction(id: string) - loads server actions by ID
Defines decodeAction(body: FormData) - decodes form-based actions
Defines decodeReply<T>(body: string | FormData) - deserializes client arguments
Defines encodeReply(value: any) - serializes arguments for server
Defines CallServerCallback type for server action handler
Defines setServerCallback(cb: CallServerCallback) to register handlers
Defines renderToReadableStream(value: any) for RSC rendering

fixtures/flight-parcel/src/actions.ts - Example server actions (marked with 'use server')

Shows server action patterns with FormData handling
Examples: getTodos(), createTodo(), updateTodo(), deleteTodo(), setTodoComplete()

fixtures/flight-parcel/src/TodoCreate.tsx - Form action usage pattern

Shows <form action={createTodo}> syntax for server actions
Progressive enhancement with form data

fixtures/flight-parcel/src/TodoDetail.tsx - Server action with .bind() pattern

Shows <form action={updateTodo.bind(null, todo.id)}>

fixtures/flight-parcel/src/TodoItem.tsx - Client-side server action invocation

Shows startTransition() wrapper around server action calls
Shows useOptimistic() hook for optimistic updates

packages/**/flight/**/*.js 4 files found

server action 37 matches

packages

Let me search for the reply/deserialization handling which is typically where RCE vulnerabilities occur:

packages/react-server/ src

decodeReply|decodeAction 100 + 87 truncated

packages

Let me look at the core reply server implementation - this is where deserialization happens:

packages/react-server/src/ ReactFlightReplyServer.js

Now let me look at the action server file - this is specifically for handling server actions:

packages/react-server/src/ ReactFlightActionServer.js

Now let me look at how server references are resolved - this is critical for understanding RCE:

resolveServerReference 21 matches

packages

packages/react-server-dom-webpack/src/client/ ReactFlightClientConfigBundlerNode.js

I see! The resolveServerReference function parses the server reference ID and constructs a module specifier. Let me look at more implementations and how it's used:

packages/react-server-dom-esm/src/client/ ReactFlightClientConfigBundlerESM.js

packages/react-server-dom-parcel/src/client/ ReactFlightClientConfigBundlerParcel.js

Public

3mo ago

smart (Opus 4.5)

CLI

4 prompts

70% of 168k

15 files

+1.9k

-97

~65

lines

Uses Oracle

T-d372dd3f-ca0f-43bf-9214-2a23c148f578

React server actions RCE reproduction case

Files with Server Actions Implementation:

Thread

Reference Thread