A critical Remote Code Execution vulnerability was discovered in BeValk due to its use of React 19, allowing attackers to escape Docker containers and escalate privileges.
During a routine security scan with Dymo, our automated vulnerability assessment platform detected a critical Remote Code Execution (RCE) vulnerability in BeValk, a web application running React 19.
The vulnerability, known as React2Shell, leverages specific techniques in React 19's new rendering model to escape the application's sandbox and potentially compromise the underlying server infrastructure.
The vulnerability exploits how React 19 handles certain component patterns that were previously safe. Attackers can:
This vulnerability poses a severe risk because:
The following steps are recommended:
This case highlights the risks of adopting bleeding-edge frameworks without proper security review. Our scanner detected this vulnerability automatically, demonstrating the importance of continuous security monitoring.
All findings have been responsibly disclosed to the affected organization.
This vulnerability was discovered during automated security scans performed by Dymo, our cybersecurity startup focused on continuous vulnerability assessment.
Learn more about my work and projects!