Skip to content
Dashboard

Our $1 million hacker challenge for React2Shell

CTO, Vercel

Copy link to headingWhat we are defending against

{
0: {
status: "resolved_model",
reason: 0,
_response: {
_prefix: "console.log('☠️')//",
_formData: {
get: "$1:then:constructor",
},
},
then: "$1:then",
value: '{"then":"$B"}',
},
1: "$@0",
}

Example PoC of the React2Shell exploit

Blocked exploit attempts in the first 72 hours after public disclosureBlocked exploit attempts in the first 72 hours after public disclosure
Blocked exploit attempts in the first 72 hours after public disclosure
Blocked exploit attempts over the following weekBlocked exploit attempts over the following week
Blocked exploit attempts over the following week

Copy link to headingThe $50k bounty

Copy link to headingSeawall: Hardening our WAF

Copy link to headingAdding to our defense-in-depth strategy

Copy link to headingStopping the most sophisticated bypasses

Copy link to headingRecursive UTF encoding

Copy link to headingAccessing constructor without the colon

Copy link to headingHelping customers upgrade: Security as a product experience

Copy link to headingLooking ahead

Copy link to headingCredits

Ready to deploy?