MoisesTapia/http-react2shell

React2Shell Nmap Detection Script (NSE)

Detection for CVE-2025-55182 / CVE-2025-66478 – React Server Components / Next.js

This repository contains an Nmap Scripting Engine (NSE) script, written in Lua, designed to safely detect the critical vulnerability known as React2Shell, which affects React Server Components (RSC) and React Server Actions (RSA) implementations, including many Next.js deployments.

The detection method uses a non-intrusive side-channel technique based on server-side error behavior when handling malformed React Flight payloads. No exploitation, no code execution, and no unsafe operations are performed.

About the Vulnerability

React2Shell (CVE-2025-55182 / CVE-2025-66478) is a critical design flaw in React Server Components pipelines that can allow:

Unauthorized access to internal component references

Arbitrary property access

Potential Remote Code Execution (RCE) under specific frameworks

Server-side data leakage and execution flow manipulation

The vulnerability is triggered when React attempts to resolve crafted React Flight references such as:

["$1:aa:aa"]

On vulnerable servers, this produces a 500 error containing the characteristic pattern:

E{"digest":"..."}

This script detects that pattern without attempting any harmful operations.

Features

✔ Safe & passive detection (no exploitation, no RCE attempts)

✔ Detects the high-fidelity React Flight crash signature

✔ Works on HTTP & HTTPS

✔ User-configurable paths and timeouts

✔ Automatically avoids false positives from Vercel/Netlify mitigations

✔ Output compatible with automated pipelines and SIEM ingestion

✔ Lightweight and suitable for red teaming, bug bounty, incident response & CI/CD scanning

Download & Installation

1. Clone this repository

git clone https://github.com/MoisesTapia/http-react2shell.git
cd http-react2shell

Script Location

Place the file inside your Nmap scripts directory:

sudo cp http-react2shell.nse /usr/share/nmap/scripts/

Update the script index:

sudo nmap --script-updatedb

Usage Examples

Basic HTTP Scan

nmap -p80 --script http-react2shell <host>

HTTPS Scan (common for Next.js)

nmap -p443 --script http-react2shell \
  --script-args 'react2shell.path=/' \
  <host>

Scan Server Actions endpoint

nmap -p443 --script http-react2shell \
  --script-args 'react2shell.path=/api/action' \
  <host>

Custom Timeout

nmap -p443 --script http-react2shell \
  --script-args 'react2shell.path=/,react2shell.timeout=20000' \
  <host>

Scan multiple targets

nmap -iL targets.txt -p80,443 \
  --script http-react2shell

Include additional useful NSE scripts

nmap -sV -p80,443 \
  --script "http-react2shell,http-headers,http-server-header,http-security-headers" \
  <host>

Output Example

Not Vulnerable Host

PORT   STATE SERVICE
443/tcp open  https
| http-react2shell:
|   Path: /login
|   Scheme: auto (http/https decided by Nmap http library)
|   No characteristic crash pattern observed.
|     This suggests the tested endpoint is not vulnerable or is patched,
|_    but this is not a guarantee (other RSC/Server Actions paths may exist).

Vulnerable Host

PORT   STATE SERVICE
443/tcp open  https
| http-react2shell:
|   Path: /login
|   Scheme: auto (http/https decided by Nmap http library)
|   VULNERABLE: possible React2Shell (CVE-2025-55182 / CVE-2025-66478)
|     Evidence: HTTP 500 + digest-like pattern found in response
|_    Notes: high-fidelity side-channel; verify manually and patch immediately.

Connection Error

PORT   STATE SERVICE
443/tcp open  https
| http-react2shell:
|   Path: /login
|   Scheme: auto (http/https decided by Nmap http library)
|_  ERROR: HTTP request failed (connection reset by peer)
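
For pipeline or SIEM use, the three result shapes above can be reduced to one record per script block. The following is an added example, not part of this repository: it parses Nmap normal output, and the function name, verdict labels and sample hosts are assumptions made here.

```python
import re

# Constructed sample (RFC 5737 addresses), abbreviated from the README's three result shapes.
SAMPLE = """\
Nmap scan report for 192.0.2.10
443/tcp open  https
| http-react2shell:
|   Path: /login
|_  No characteristic crash pattern observed.
Nmap scan report for 192.0.2.11
443/tcp open  https
| http-react2shell:
|   Path: /api/action
|   VULNERABLE: possible React2Shell (CVE-2025-55182 / CVE-2025-66478)
|_    Evidence: HTTP 500 + digest-like pattern found in response
Nmap scan report for 192.0.2.12
443/tcp open  https
| http-react2shell:
|   Path: /login
|_  ERROR: HTTP request failed (connection reset by peer)
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
PORT = re.compile(r"^(\d+)/tcp\s+open")
SCRIPT = re.compile(r"^\|[ _]([\w-]+):")  # script header: name directly after "| " or "|_"
FIELD = re.compile(r"^\|[ _]\s+(.*)$")    # indented line inside a script block

def parse_results(text):  # returns one event dict per http-react2shell block
    events, host, port, cur = [], None, None, None
    for raw in text.splitlines():
        if m := HOST.match(raw):
            host, port, cur = m.group(1), None, None
        elif m := PORT.match(raw):
            port, cur = int(m.group(1)), None
        elif m := SCRIPT.match(raw):
            cur = None  # any script header closes the previous block
            if m.group(1) == "http-react2shell":
                cur = {"host": host, "port": port, "path": None, "verdict": "unknown"}
                events.append(cur)
        elif cur is not None and (m := FIELD.match(raw)):
            body = m.group(1)
            if body.startswith("Path: "):
                cur["path"] = body[len("Path: "):]
            elif body.startswith("VULNERABLE:"):
                cur["verdict"] = "vulnerable"
            elif body.startswith("ERROR:"):
                cur["verdict"] = "error"  # probe failed: re-scan, do not count as clean
            elif body.startswith("No characteristic crash pattern"):
                cur["verdict"] = "not_observed"  # not proof of absence, per the script's own note
    return events
```

Records with the verdict `error` or `unknown` should be queued for a re-scan rather than reported as clean.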

References

https://react2shell.com/

https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc

https://github.com/sammwyy/R2SAE

Technical analysis articles & research papers on React Flight internals

⚠️ Legal Disclaimer

This project is provided for educational, research, and defensive security purposes only. Do not scan systems you do not own or lack explicit permission to test. The maintainers are not responsible for misuse or any resulting damage.

❤️ Contributing

Pull requests, improvements, and additional detection heuristics are welcome. You may contribute:

Multi-path scanning support

WAF evasion modes

Additional fingerprinting

Integration with Nmap's built-in vulns framework

⭐ Support the Project

If this tool helps you in red teaming, bug bounty, or defensive security, consider giving the repository a star ⭐ on GitHub!
