Shield-Cyber/react2shell-scanner
React2Shell Vulnerability Scanner

A safe, non-invasive scanner for detecting React Server Components (RSC) and Next.js Remote Code Execution vulnerabilities (CVE-2025-55182 & CVE-2025-66478).

Overview

This scanner helps organizations identify whether their web services are vulnerable to the React2Shell vulnerability, which affects applications using React Server Components and Next.js. The vulnerability allows attackers to achieve remote code execution through specially crafted multipart form data.

Important: This scanner uses only safe side-channel detection methods and does not execute code on target systems.

Features

  • Safe Detection Method

    • Side-channel detection using malformed payloads
    • Detects vulnerable RSC parsing without code execution
    • Production-safe for testing live systems
  • Flexible Scanning Options

    • Single URL or bulk scanning from file
    • Multi-threaded concurrent scanning
    • Custom path testing (e.g., /_next, /api)
    • Custom header support
  • Output Options

    • Colored terminal output
    • JSON export for vulnerable hosts
    • Verbose mode for detailed analysis
    • Quiet mode for automation

Installation

Requirements

  • Python 3.9 or higher
  • pip package manager

Install Dependencies

pip install -r requirements.txt

Or install manually:

pip install requests tqdm urllib3

Usage

Basic Scanning

Scan a single URL:

python scanner.py -u https://example.com

Scan multiple hosts from a file:

python scanner.py -l hosts.txt

Advanced Options

Scan with custom paths:

python scanner.py -u https://example.com --path /_next --path /api

Scan with paths from file:

python scanner.py -u https://example.com --path-file paths.txt

Custom headers:

python scanner.py -u https://example.com -H "Authorization: Bearer token" -H "X-Custom: value"

Multi-threaded scanning:

python scanner.py -l hosts.txt -t 20

Export results to JSON:

python scanner.py -l hosts.txt -o results.json

Export all results (including non-vulnerable):

python scanner.py -l hosts.txt -o results.json --all-results

Output Control

Verbose mode (show details for all hosts):

python scanner.py -l hosts.txt -v

Quiet mode (only show vulnerable hosts):

python scanner.py -l hosts.txt -q

Disable colors:

python scanner.py -l hosts.txt --no-color

Input File Formats

Hosts File (hosts.txt)

One host per line. Lines starting with # are ignored.

https://example.com
http://test.example.org
another-site.com
# This is a comment

Paths File (paths.txt)

One path per line. Paths will be automatically prefixed with / if not present.

/_next
/api
/actions
# Comment lines are ignored
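The two input formats above are simple, but the edge cases (comments, blank lines, hosts given without a scheme, paths given without a leading slash, duplicate entries) are where a bulk scan silently skips or double-counts targets. The following is an added example, not the scanner's own code; it assumes that a host entry without a scheme defaults to https://, that trailing slashes on a host are dropped, and that entries are de-duplicated in order, none of which the README states explicitly.

```python
"""Parse the hosts.txt and paths.txt formats described in this README.

Added example, not code from the react2shell-scanner project. Assumptions not
stated on the page: a host without a scheme gets "https://", trailing slashes on
host entries are removed, blank lines are skipped, duplicates are dropped.
"""
from urllib.parse import urlsplit


def _entries(text):
    """Yield stripped, non-empty lines, skipping lines that start with '#'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield line


def normalize_host(entry):
    """Return a base URL with a scheme and no trailing slash.

    Assumption: entries without a scheme are treated as https.
    Rejects anything that is not http(s) with a host part, so a typo in
    hosts.txt fails loudly instead of producing a request to nowhere.
    """
    if "://" not in entry:
        entry = "https://" + entry
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported host entry: {entry!r}")
    return entry.rstrip("/")


def normalize_path(entry):
    """Prefix the path with '/' when it is missing, as the README specifies."""
    return entry if entry.startswith("/") else "/" + entry


def load_hosts(text):
    """Parse hosts.txt content into an ordered, de-duplicated list of base URLs."""
    seen, hosts = set(), []
    for line in _entries(text):
        host = normalize_host(line)
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def load_paths(text):
    """Parse paths.txt content into an ordered, de-duplicated list of paths."""
    seen, paths = set(), []
    for line in _entries(text):
        path = normalize_path(line)
        if path not in seen:
            seen.add(path)
            paths.append(path)
    return paths


def build_targets(hosts, paths):
    """One request URL per (host, path) pair; this is what a worker pool consumes."""
    return [host + path for host in hosts for path in paths]


# Constructed sample inputs mirroring the README's examples (with one path
# deliberately missing its leading slash to exercise normalize_path).
SAMPLE_HOSTS = """https://example.com
http://test.example.org
another-site.com
# This is a comment
"""
SAMPLE_PATHS = """/_next
/api
actions
# Comment lines are ignored
"""

if __name__ == "__main__":
    for url in build_targets(load_hosts(SAMPLE_HOSTS), load_paths(SAMPLE_PATHS)):
        print(url)
```

De-duplicating before the product is built matters for the rate-limiting advice later on this page: a hosts file that lists the same domain with and without a trailing slash would otherwise be probed twice per path.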

Command-Line Options

Option                  Description
-u, --url URL           Single URL to scan
-l, --list FILE         File containing list of hosts to scan
-t, --threads N         Number of concurrent threads (default: 10)
--timeout N             Request timeout in seconds (default: 10)
-o, --output FILE       Output file for results (JSON format)
--all-results           Save all results, not just vulnerable hosts
-k, --insecure          Disable SSL certificate verification
-H, --header HEADER     Custom header (can be used multiple times)
-v, --verbose           Verbose output (show details for all hosts)
-q, --quiet             Quiet mode (only show vulnerable hosts)
--no-color              Disable colored output
--path PATH             Custom path to test (can be used multiple times)
--path-file FILE        File containing list of paths to test

Detection Logic

Safe Side-Channel Detection

The scanner uses a non-invasive detection method that:

  • Sends a specially crafted, non-malicious multipart form data payload
  • Triggers error responses in vulnerable RSC (React Server Components) parsing
  • Looks for multiple vulnerability indicators:

Detection Patterns

  1. JavaScript Error Messages

    • SyntaxError - Indicates improper JSON parsing of form data
    • Unexpected token - Suggests vulnerable RSC deserialization
    • ReferenceError / TypeError - Reveals unsafe object property access
  2. RSC-Specific Error Responses

    • HTTP 500 status code with text/x-component content type
    • RSC headers present (Vary: RSC, Next-Router-State-Tree)
    • Error digest in response body (e.g., {"digest":"..."})
    • RSC payload indicators ($@, error objects)

The scanner checks for both the verbose error messages returned by older versions and the structured RSC error responses returned by newer versions, so that a single probe covers the different Next.js implementations.

Important: This method does NOT execute any code on the target system. It only detects whether the system is vulnerable by observing error responses.
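To make the indicator list above concrete, here is an added example (not the scanner's own code) that classifies an already-captured HTTP response against those patterns. It assumes the response to the probe is available as a status code, a header dictionary and a body string; building the probe itself is deliberately outside its scope. The sample responses are constructed. One design choice goes slightly beyond the list: a Vary: RSC header on a healthy 200 response only identifies an RSC application, so it is recorded as an indicator but does not by itself set the vulnerable verdict, and a generic 500 without any RSC content is likewise not flagged.

```python
"""Classify an HTTP response against the React2Shell indicators listed above.

Added example, not code from the react2shell-scanner project. Input is a
captured response (status, headers, body); the probe request is not built here.
"""
import re

# 1. JavaScript error messages (README "Detection Patterns", item 1)
JS_ERROR_PATTERNS = {
    "SyntaxError": re.compile(r"\bSyntaxError\b"),
    "Unexpected token": re.compile(r"Unexpected token"),
    "ReferenceError/TypeError": re.compile(r"\b(?:ReferenceError|TypeError)\b"),
}
# 2. RSC-specific error responses (item 2)
RSC_VARY_VALUES = {"rsc", "next-router-state-tree"}
DIGEST_RE = re.compile(r'"digest"\s*:\s*"[^"]*"')
RSC_PAYLOAD_MARKER = "$@"


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def find_indicators(status, headers, body):
    """Return matched indicators, in the order the README lists them."""
    found = []
    for label, pattern in JS_ERROR_PATTERNS.items():
        if pattern.search(body):
            found.append(f"js-error:{label}")
    content_type = _header(headers, "Content-Type").lower()
    if status == 500 and "text/x-component" in content_type:
        found.append("rsc-500:text/x-component")
    vary = {v.strip().lower() for v in _header(headers, "Vary").split(",")}
    if vary & RSC_VARY_VALUES:
        found.append("rsc-headers")
    if DIGEST_RE.search(body):
        found.append("rsc-digest")
    if RSC_PAYLOAD_MARKER in body:
        found.append("rsc-payload")
    return found


def classify(status, headers, body):
    """Verdict per the README's "Vulnerable Status" rules.

    JS error text, an RSC error digest or an RSC payload marker is enough on
    its own; a 500 counts only when it carries RSC headers or content type.
    RSC headers on a non-error response mark an RSC app, not a vulnerable one.
    """
    found = find_indicators(status, headers, body)
    js_error = any(i.startswith("js-error:") for i in found)
    rsc_error = status == 500 and (
        "rsc-500:text/x-component" in found or "rsc-headers" in found
    )
    vulnerable = js_error or rsc_error or "rsc-digest" in found or "rsc-payload" in found
    return {
        "vulnerable": vulnerable,
        "rsc_application": "rsc-headers" in found,
        "indicators": found,
    }


# Constructed sample responses; the digest value is a placeholder.
SAMPLE_VULNERABLE = dict(
    status=500,
    headers={
        "Content-Type": "text/x-component",
        "Vary": "RSC, Next-Router-State-Tree, Next-Router-Prefetch",
    },
    body='SyntaxError: Unexpected token in JSON\n{"digest":"CONSTRUCTED-DIGEST"}',
)
SAMPLE_HEALTHY = dict(
    status=200,
    headers={"Content-Type": "text/html; charset=utf-8", "Vary": "RSC, Next-Router-State-Tree"},
    body="<!DOCTYPE html><html><body>ok</body></html>",
)
SAMPLE_PLAIN_500 = dict(
    status=500,
    headers={"Content-Type": "text/html"},
    body="Internal Server Error",
)

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("healthy", SAMPLE_HEALTHY),
                         ("plain-500", SAMPLE_PLAIN_500)):
        print(name, classify(**sample))
```

Keeping the raw indicator list in the result (rather than only the boolean) is what makes the JSON export useful afterwards: a reviewer can see whether a host was flagged on a verbose JavaScript error, which older versions emit, or on a structured digest response from a newer one.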

Example Workflows

Quick Check for Single Application

python scanner.py -u https://myapp.com

Comprehensive Organization Scan

# Create hosts file with all your domains
python scanner.py -l organization-hosts.txt -t 20 -o scan-results.json

Scanning Multiple Paths

# Create paths.txt with common Next.js endpoints
python scanner.py -l hosts.txt --path-file paths.txt -o results.json

Scanning with Authentication Headers

python scanner.py -u https://myapp.com -H "Cookie: session=abc123" -H "Authorization: Bearer token"

Interpreting Results

Vulnerable Status

The scanner will mark a host as VULNERABLE if it detects:

  • Syntax errors indicating vulnerable RSC parsing
  • Unexpected token errors in form data processing
  • Reference or type errors revealing unsafe property access
  • HTTP 500 errors with RSC-specific headers and content
  • Error digests in RSC response format
  • Characteristic error patterns from vulnerable Next.js/RSC implementations

What Does "Vulnerable" Mean?

When the scanner detects a vulnerability, it means:

  1. The server is processing malformed RSC payloads - It's accepting and attempting to parse specially crafted form data as React Server Components
  2. Improper input validation - The application doesn't properly validate multipart form data before processing
  3. Potential for RCE - In vulnerable configurations, attackers can exploit this to achieve remote code execution
  4. Prototype pollution vectors - The parsing weakness can be leveraged for prototype pollution attacks

Risk Level

  • CRITICAL: Servers showing RSC error responses are actively processing malicious payloads
  • Impact: Remote code execution, data theft, server compromise
  • Exploitability: Publicly known exploits exist

Exit Codes

  • 0: No vulnerabilities found
  • 1: One or more vulnerabilities detected

Security Considerations

  1. Permission: Only scan systems you own or have explicit permission to test
  2. Safe Detection: This scanner only uses safe side-channel detection and never executes code
  3. Rate Limiting: Adjust thread count (-t) to avoid overwhelming targets
  4. SSL Verification: Keep SSL verification enabled unless necessary for testing
  5. Production Safe: The scanner is designed to be safe for use on production systems

Mitigation

If your application is found vulnerable:

  1. Immediate Actions:

    • Update Next.js to the latest patched version
    • Review and update all React Server Components
    • Implement input validation for form data
  2. Long-term Security:

    • Enable WAF rules to block suspicious multipart payloads
    • Monitor for unusual server action requests
    • Implement security headers
    • Regular security audits
  3. References:

Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse or damage caused by this program.

About

Scanner to detect the presence of CVE-2025-55182 & CVE-2025-66478 on targeted web services.
