This bypass targets the way Next.js applications handle multipart/form-data requests, which are parsed with Busboy. Busboy honors the charset parameter on a part's Content-Type header, including encodings such as UTF-16LE and UCS-2, and decodes the part body before the data reaches React Server Components (RSC). A WAF that inspects the raw request bytes therefore sees the payload in an encoding its signatures were not written for, while the backend decodes it back into the string the attacker intended. The encoding trick is not a vulnerability on its own: it is used to smuggle a payload for the React Server Components remote code execution flaw tracked as CVE-2025-55182, dubbed React2Shell, past WAF rules written for that flaw. The case highlights how hard it is to inspect and sanitize multipart form data when the WAF and the server disagree about character set handling; a WAF that does not decode each part according to its declared charset, or reject charsets the application never needs, can be circumvented, allowing attackers to reach the RCE.
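The decoding mismatch described above, as an added example that is not code from the original post, from Busboy or from Next.js: a Node.js script builds a multipart body whose part declares charset=utf-16le, runs a byte-level pattern match over it (standing in for a WAF rule), then re-parses it decoding each part by its declared charset, which is what a charset-aware parser such as Busboy does before the field reaches the application. The boundary, field name, the `__proto__` marker used as the "suspicious" signature, and the minimal parser are all constructed for illustration; the toy parser supports only the UTF-8, UTF-16LE/UCS-2 and Latin-1 charsets through Node's Buffer, whereas Busboy accepts more.

```javascript
// Added example (not from the original post, Busboy or Next.js): why a
// byte-level WAF signature misses a payload sent in a UTF-16LE multipart part
// that a charset-aware parser decodes correctly. Everything here is constructed.

const BOUNDARY = 'ExampleBoundary7MA4YWxkTrZu0gW'; // constructed boundary
const SUSPICIOUS = /__proto__/; // placeholder for a WAF signature

// Map an IANA charset name from a Content-Type header to a Node Buffer encoding.
// Deliberately small: Busboy accepts more charsets than this toy does.
function nodeEncoding(charset) {
  const c = charset.toLowerCase();
  if (c === 'utf-8' || c === 'utf8') return 'utf8';
  if (c === 'utf-16le' || c === 'ucs-2' || c === 'ucs2') return 'utf16le';
  if (c === 'iso-8859-1' || c === 'latin1') return 'latin1';
  throw new Error(`unsupported charset: ${charset}`);
}

// Build one form-data part whose body is encoded in `charset` and declared as such.
function buildPart(name, text, charset) {
  const header =
    `--${BOUNDARY}\r\n` +
    `Content-Disposition: form-data; name="${name}"\r\n` +
    `Content-Type: text/plain; charset=${charset}\r\n\r\n`;
  return Buffer.concat([
    Buffer.from(header, 'latin1'),
    Buffer.from(text, nodeEncoding(charset)),
    Buffer.from('\r\n', 'latin1'),
  ]);
}

function buildBody(parts) {
  return Buffer.concat([...parts, Buffer.from(`--${BOUNDARY}--\r\n`, 'latin1')]);
}

// Naive inspection: treat the raw bytes as single-byte characters and pattern-match.
function naiveWafFlags(body) {
  return SUSPICIOUS.test(body.toString('latin1'));
}

// Minimal multipart parser: split on the boundary and decode each part's body
// with the charset its own headers declare, as Busboy does before handing the
// field to the application. Returns [{ name, charset, value }].
function parseParts(body) {
  const raw = body.toString('latin1'); // byte-preserving view of the buffer
  const parts = [];
  for (const chunk of raw.split(`--${BOUNDARY}`)) {
    if (!chunk.startsWith('\r\n')) continue; // preamble or the closing "--"
    const sep = chunk.indexOf('\r\n\r\n');
    if (sep < 0) continue;
    const headers = chunk.slice(2, sep);
    const bodyLatin1 = chunk.slice(sep + 4, chunk.length - 2); // drop trailing CRLF
    const nameMatch = /name="([^"]*)"/.exec(headers);
    const charsetMatch = /charset=([^;\s]+)/i.exec(headers);
    const charset = charsetMatch ? charsetMatch[1] : 'utf-8';
    const value = Buffer.from(bodyLatin1, 'latin1').toString(nodeEncoding(charset));
    parts.push({ name: nameMatch ? nameMatch[1] : '', charset, value });
  }
  return parts;
}

// Charset-aware inspection: match against what the application will actually see.
function awareWafFlags(body) {
  return parseParts(body).some((p) => SUSPICIOUS.test(p.value));
}

// Stricter alternative: refuse any part that declares a charset other than UTF-8,
// which is reasonable when the application never needs other encodings.
function hasNonUtf8Part(body) {
  return parseParts(body).some((p) => !['utf-8', 'utf8'].includes(p.charset.toLowerCase()));
}

// Demo on a constructed body: the same text sent as UTF-8 and as UTF-16LE.
const marker = 'x.__proto__.y'; // constructed stand-in for a real payload
const plain = buildBody([buildPart('payload', marker, 'utf-8')]);
const smuggled = buildBody([buildPart('payload', marker, 'utf-16le')]);
console.log('utf-8    naive:', naiveWafFlags(plain), ' aware:', awareWafFlags(plain));
console.log('utf-16le naive:', naiveWafFlags(smuggled), ' aware:', awareWafFlags(smuggled));
console.log('decoded by parser:', parseParts(smuggled)[0].value);
```

The UTF-16LE part interleaves a null byte after every ASCII character, so the raw-byte signature never matches, yet the decoded field handed to the application is byte-for-byte the original string. Inspecting after decoding, or rejecting charsets the application does not need, closes the gap; a signature on raw bytes alone does not.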
For more details, check out the original tweet here: https://twitter.com/grok/status/1998678283483857255