React2Shell Audit is a lightweight, recursive Bash script designed to detect local Next.js and React Server DOM installations vulnerable to CVE-2025-55182 (React2Shell) and CVE-2025-66478.
React2Shell is a critical remote code execution (RCE) vulnerability in React Server Components (RSC). It allows unauthenticated attackers to execute arbitrary code on the server via the RSC "Flight" protocol.
This tool helps developers and security engineers instantly audit their local development environment or CI/CD pipelines to ensure their dependencies are patched.
- Recursive Scanning: Automatically finds all projects in a monorepo (skips `node_modules` to ensure speed).
- Deep Version Inspection: Checks the actual installed version in `node_modules` rather than the vague ranges in `package.json`.
- Branch-Aware Logic: Correctly differentiates between release lines (e.g., it knows `19.0.1` is safe for the 19.0 branch, while `19.1.0` is vulnerable).
- Next.js Canary Detection: Flags dangerous Next.js 14.x Canary builds that introduced the vulnerability.
- Zero Dependencies: Runs on standard Bash with no external npm packages required (optional `jq` support for higher precision).
This script implements the detection logic based on the official advisory. It uses a "Matrix Match" strategy rather than a simple version comparison to account for parallel release lines.
- Contextual Analysis: It iterates through every sub-project in your repository.
- Branch Matching: It identifies which "minor" version branch you are using (e.g., 19.0.x vs 19.2.x).
- Patch Verification: It verifies whether your installed patch version meets the specific requirement for that branch.
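The branch-aware matrix match described above, as an added illustrative example rather than the project's own `scan.sh`. Its table holds only the branch/patch pairs visible in this README (react-server-dom-webpack 19.0 -> 19.0.1, 19.1 -> 19.1.2, next 15.1 -> 15.1.9); every other branch is reported UNKNOWN and must be filled in from the official advisory. The function names `min_safe`, `version_ge` and `check_version` are assumptions.

```shell
#!/bin/sh
# Illustrative matrix-match check (added example, not the project's scan.sh).
# The table below is deliberately partial: it holds only the branch/patch
# pairs shown in this README. Fill the rest from the official advisory.

# min_safe PKG BRANCH -> prints the minimum patched version on that release line
min_safe() {
  case "$1 $2" in
    "react-server-dom-webpack 19.0") echo "19.0.1" ;;
    "react-server-dom-webpack 19.1") echo "19.1.2" ;;
    "next 15.1")                     echo "15.1.9" ;;
    *)                               echo "" ;;   # branch not in table
  esac
}

# version_ge A B -> exit 0 if A >= B, comparing up to three numeric components
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_version PKG VERSION -> prints SAFE / VULNERABLE / UNKNOWN plus a hint
check_version() {
  pkg="$1"; ver="$2"
  # Next.js 14.x canary builds are flagged outright, as the README describes
  case "$pkg/$ver" in
    next/14.*-canary*) echo "VULNERABLE $ver (Next.js 14.x canary build)"; return 0 ;;
  esac
  core="${ver%%-*}"      # drop any pre-release tag: 19.1.0-canary-x -> 19.1.0
  branch="${core%.*}"    # 19.1.0 -> 19.1, the release line to look up
  min=$(min_safe "$pkg" "$branch")
  if [ -z "$min" ]; then
    echo "UNKNOWN $ver (branch $branch not in table; consult the advisory)"
  elif version_ge "$core" "$min"; then
    echo "SAFE $ver"
  else
    echo "VULNERABLE $ver (Update to >= $min)"
  fi
}

check_version react-server-dom-webpack 19.1.0   # -> VULNERABLE 19.1.0 (Update to >= 19.1.2)
```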
```bash
git clone https://github.com/hamm0nz/react2shell-audit.git
cd react2shell-audit
chmod +x scan.sh
./scan.sh
```

Example output:

```
Starting Recursive Scan for React2Shell...
---------------------------------------------------
Checking: ./apps/legacy-dashboard
react-server-dom-webpack: [VULNERABLE] 19.1.0 (Update to >= 19.1.2)
next: [VULNERABLE] 15.1.3 (Update to >= 15.1.9)
---------------------------------------------------
Checking: ./apps/marketing-site
next: [SAFE] 15.1.9
---------------------------------------------------
Scan Complete.
```

This tool is for educational and audit purposes. Always refer to official advisories from Vercel and Meta for the most up-to-date patch information. The authors are not responsible for missed vulnerabilities.