# Heuristic Scanner for React Server Components (RSC) Vulnerabilities — including React2Shell-style behavior (CVE-2025-55182)

`react2shell_detector.py` is a safe, non-invasive security scanner that detects systems potentially exposed to React Server Components (RSC) deserialization vulnerabilities, including the React2Shell class of issues affecting React 19 and certain Next.js server configurations.

This tool does not perform exploitation. Instead, it relies on a multi-signal heuristic engine:
- RSC feature detection
- Header & framework fingerprinting
- Next.js version inference
- RSC endpoint discovery
- Digest/parser error behavior
- Server-side RSC probing (safe mode)
It is suitable for:
- Application Security teams
- Penetration testers
- Bug bounty hunters
- CI/CD and SDLC security gates
- Security research labs
This scanner performs benign RSC probes only.
Use it only on systems you own or are explicitly authorized to test.
Unauthorized scanning may violate laws or organizational policies.
## Features

- Scan one URL or bulk targets from a `.txt` list
- Multi-threaded scanning
- JSON export for CI / dashboards
- Detects:
  - RSC content-type exposure
  - Next.js & React version fingerprints
  - RSC endpoint behavior
  - Digest / parser anomalies
  - RSC-induced 5xx patterns
- Confidence scoring (`low` → `very_high`)
- Clean CLI interface
- Designed for AppSec program integration
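The multi-signal engine and the detection list above describe the approach but not how the signals are combined. The following is an added illustration written for this README, not the detector's own code: the signal names, weights and confidence thresholds are assumptions, and it scores only already-captured responses so it runs offline.

```python
"""Toy multi-signal RSC heuristic (added example, not react2shell_detector.py's code).

Signal names, WEIGHTS and LEVELS are assumptions chosen to show how header
fingerprints, RSC content-type exposure and digest/parser anomalies can be
combined into one confidence level on the README's low -> very_high scale.
"""
import re
from dataclasses import dataclass, field

# Assumed weights: how much each observation raises the suspicion score.
WEIGHTS = {
    "rsc_content_type": 3,  # response served as text/x-component (RSC flight data)
    "nextjs_header": 1,     # X-Powered-By: Next.js, a default Next.js response header
    "app_router_vary": 1,   # Vary lists the RSC request header (Next.js app router)
    "digest_error": 2,      # 5xx body carrying a Next.js-style "digest" error field
    "rsc_5xx": 2,           # 5xx returned specifically for a benign RSC probe
}
# Assumed thresholds; highest matching floor wins.
LEVELS = [(7, "very_high"), (5, "high"), (3, "medium"), (1, "low")]


@dataclass
class Finding:
    signals: list = field(default_factory=list)
    score: int = 0
    confidence: str = "none"


def score_response(status: int, headers: dict, body: str, rsc_probe: bool = False) -> Finding:
    """Map one captured HTTP response onto heuristic signals and a confidence level."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    f = Finding()
    if "text/x-component" in h.get("content-type", "").lower():
        f.signals.append("rsc_content_type")
    if "next.js" in h.get("x-powered-by", "").lower():
        f.signals.append("nextjs_header")
    if "rsc" in [v.strip().lower() for v in h.get("vary", "").split(",")]:
        f.signals.append("app_router_vary")
    if status >= 500 and re.search(r'"digest"\s*:\s*"', body):
        f.signals.append("digest_error")
    if rsc_probe and status >= 500:
        f.signals.append("rsc_5xx")
    f.score = sum(WEIGHTS[s] for s in f.signals)
    f.confidence = next((name for floor, name in LEVELS if f.score >= floor), "none")
    return f


if __name__ == "__main__":
    # Constructed sample: an RSC probe answered with a digest-bearing server error.
    print(score_response(500, {"Content-Type": "text/x-component", "X-Powered-By": "Next.js"},
                         '1:E{"digest":"1234567890"}\n', rsc_probe=True))
```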
## Installation

Clone the repository:

```bash
git clone https://github.com/<yourname>/react2shell-detector.git
cd react2shell-detector
```
---
## Usage
```bash
# Scan a single URL
python react2shell_detector.py -u https://example.com

# Scan bulk targets from a file
python react2shell_detector.py -f targets.txt

# Scan bulk targets with a larger thread pool (-t)
python react2shell_detector.py -f targets.txt -t 20
```