CVE-2025-55182 · React2Shell: RCE in React Server Components via Prototype Pollution

DEV Community · Annais Molina Fuentes · 30 days ago

This is a summary. The full analysis — root cause walkthrough, complete payload, exploitation framework, forensic artifacts, and patch diffing — lives at blog.deviannt.com.

TL;DR: React's Flight deserializer evaluates any object with a .then method as a Promise, regardless of its actual type. An attacker poisons Object.prototype.then through a crafted multipart POST, forcing the server to execute arbitrary JavaScript via the Function constructor. The result is exfiltrated through the X-Action-Redirect HTTP header. No authentication required. Deterministic. CVSS v3.1: 10.0 (Critical).

The attack surface

React Server Components (RSC) stabilized in React 19 alongside Server Actions — a model where UI components execute directly on the server and communicate with the client through a custom serialization layer called the Flight protocol. When a client invokes a Server Action, it sends a multipart POST with a serialized payload. The server deserializes it, executes the action, and streams the result back.…
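The thenable duck-typing the TL;DR describes, as an added illustration that is not code from the post or from React (the function names and the sample object are mine, and the strict check is one possible hardening, not React's patch): a check that accepts anything with a callable `.then` treats every plain object as a Promise once Object.prototype.then has been set, while a check that requires a genuine Promise or an own `then` property does not. The pollution is simulated locally inside a try/finally and reverted.

```javascript
// Naive thenable check, the pattern the post attributes to the Flight
// deserializer: any object with a callable `.then` is treated as a Promise.
function isThenableNaive(value) {
  return value !== null && typeof value === 'object' && typeof value.then === 'function';
}

// Stricter check (an illustration, not React's fix): accept real Promise
// instances, or objects whose `then` is an OWN property. A `then` inherited
// from a polluted Object.prototype is ignored.
function isThenableStrict(value) {
  if (value instanceof Promise) return true;
  return value !== null && typeof value === 'object' &&
    Object.prototype.hasOwnProperty.call(value, 'then') &&
    typeof value.then === 'function';
}

// Simulate the effect of a polluted Object.prototype.then for the duration of
// fn(), then restore the prototype. The injected function does nothing; the
// point is only that every plain object now appears to have a `.then`.
function withPollutedPrototype(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, 'then');
  Object.defineProperty(Object.prototype, 'then',
    { value: function () {}, configurable: true, writable: true });
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, 'then', saved);
    else delete Object.prototype.then;
  }
}

// Run both checks before, during and after the simulated pollution.
function evaluateChecks() {
  const plain = { id: 1 };            // constructed sample: an ordinary deserialized object
  const real = Promise.resolve(1);    // a genuine Promise
  const before = { naive: isThenableNaive(plain), strict: isThenableStrict(plain) };
  const during = withPollutedPrototype(() => ({
    naive: isThenableNaive(plain),
    strict: isThenableStrict(plain),
    realPromise: isThenableStrict(real),
  }));
  const after = { naive: isThenableNaive(plain), strict: isThenableStrict(plain) };
  return { before, during, after };
}

console.log(JSON.stringify(evaluateChecks(), null, 2));
```

While the prototype is polluted the naive check reports `{ id: 1 }` as a thenable; the strict check still rejects it and still accepts the real Promise.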
