React.js RCE: How Exploits Happen & How to Prevent
Why “RCE in React” is a Real Risk
React runs in the browser, but teams often pair it with Node.js (SSR/APIs), third-party packages, and build tools. Attackers abuse these touchpoints to turn a simple bug into Remote Code Execution (RCE) on the server, the CI runner, or even in hybrid shells like Electron. This guide explains the main paths and how to stop them. For more security insights, see our blog: Pentest Testing Blog.
How RCE Reaches React Projects
-
DOM XSS → Code Execution
Untrusted HTML +dangerouslySetInnerHTMLlets attackers run arbitrary JS, which can pivot to RCE in Electron or backend bridges.
// ❌ Vulnerable: untrusted HTML dropped into the DOM
export default function Post({ html }) {
return <div dangerouslySetInnerHTML={{ __html: html }} />;
}
// ✅ Safer: sanitize first
import DOMPurify from 'dompurify';
export function SafePost({ html }) {
const clean = DOMPurify.sanitize(html, { USE_PROFILES: { html: true } });
return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}
Screenshot of our Free Website Vulnerability Scanner tool page
 |
| Screenshot of the free tools webpage where you can access security assessment tools. |
Supply-Chain (npm) → Build/Runtime RCE
A malicious package script (e.g.,postinstall) or compromised dependency can execute system commands during install or build. Lockfile hygiene and provenance checks are critical.
# ✅ Lock your tree
npm ci
npm audit --production
npx npm-why <pkg>SSR/Template Injection → Server RCE
Rendering untrusted strings in Node can become code execution when unsafe APIs are exposed.
// ❌ Dangerous SSR helper
app.get('/page', (req, res) => {
const { template } = req.query; // attacker-controlled
res.send(renderToString(eval(template))); // never eval()
});
// ✅ Safe render (whitelist components)
const templates = { home: <Home/>, about: <About/> };
app.get('/page', (req, res) => {
const key = String(req.query.template || 'home');
const view = templates[key] ?? templates.home;
res.send(renderToString(view));
});Sample assessment report generated by our free tool to check Website Vulnerability
 |
| Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities. |
-
Prototype Pollution → Unexpected Exec Paths
Polluting objects that later reach templating or command layers can open RCE chains. Always deep-clone and validate merge inputs.
// ✅ Harden merges
import structuredClone from '@ungap/structured-clone';
function safeMerge(a, b) {
const A = structuredClone(a);
const B = structuredClone(b);
return Object.assign({}, A, B); // or a vetted deep-merge that guards __proto__
}
Prevention Checklist (Copy/Paste)
-
Avoid
dangerouslySetInnerHTML; if unavoidable, sanitize + CSP (script-src 'self'+ nonces). -
Pin dependencies, review diff on updates, enable
npm ci, provenance/SLSA if possible. -
Never
evalor run dynamic code on the server; whitelist SSR views. -
Validate/encode all inputs; deep-clone before merges; block
__proto__and constructor keys. -
Run SCA/SAST in CI; scan staging with our free tool: Website Security Checker.
Managed Services That Close the Gaps
Managed IT Services
24/7 patching, backups, and monitoring so exploitable misconfigs don’t slip into prod.
๐ https://www.pentesttesting.com/managed-it-services/
AI Application Cybersecurity
Threat modeling and red-teaming for LLM features that touch your React stack and APIs.
๐ https://www.pentesttesting.com/ai-application-cybersecurity/
Offer Cybersecurity to Your Clients
Agencies/MSPs: white-label audits, pentests, and continuous scanning.
๐ https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/
Keep Learning & Get Alerts
-
Read more on our blog: Pentest Testing Corp. Blog
-
Subscribe on LinkedIn: https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713
Comments
Post a Comment