vickykumar123/React2Shell_POC

React2Shell Scanner & PoC

Security tools for detecting CVE-2025-55182 (React2Shell) - a critical Remote Code Execution vulnerability affecting React Server Components and Next.js applications.

Vulnerability Overview

| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-55182 / CVE-2025-66478 |
| CVSS Score | 10.0 (Critical) |
| Impact | Unauthenticated Remote Code Execution |
| Affected | React 19.x, Next.js 15.x/16.x with App Router |
| Discovered By | Lachlan Davidson |
| Disclosure Date | December 3, 2025 |

What is React2Shell?

React2Shell is a critical vulnerability in the React Server Components (RSC) "Flight" protocol that allows attackers to execute arbitrary code on the server by sending a specially crafted HTTP request - no authentication required.

  • Default configurations are vulnerable
  • Near 100% exploitation success rate
  • Actively exploited in the wild

Installation

# Clone the repository
git clone https://github.com/vickykumar123/React2Shell_POC.git
cd React2Shell_POC

# Install dependencies
pip install requests

Tools Included

1. Scanner (react2shell_scanner.py)

Safe vulnerability detection tool for scanning Next.js applications.

# Scan single target
python react2shell_scanner.py -u https://target.com

# Scan multiple targets
python react2shell_scanner.py -l targets.txt

# Verbose output
python react2shell_scanner.py -u https://target.com -v

# JSON output
python react2shell_scanner.py -u https://target.com --json

# Save results
python react2shell_scanner.py -l targets.txt -o results.json

2. PoC (react2shell_poc.py)

Proof of Concept for authorized security testing.

# Safe vulnerability check (no code execution)
python react2shell_poc.py -u https://target.com --safe-check

# Verify RCE path is reachable
python react2shell_poc.py -u https://target.com --rce-check

# Dump environment variables (requires authorization)
python react2shell_poc.py -u https://target.com --env-dump

# Execute custom command (requires authorization)
python react2shell_poc.py -u https://target.com --exec "whoami"

Example Output

╔════════════════════════════════════════════════════════════════╗
║   React2Shell PoC (CVE-2025-55182 / CVE-2025-66478)            ║
║   For Authorized Security Testing Only                         ║
╚════════════════════════════════════════════════════════════════╝

[*] Target: https://vulnerable-app.com
[*] Mode: Safe vulnerability detection (no code execution)
[*] Checking if target is Next.js...
[+] Next.js application detected
[*] Sending detection payload...

[+] Results:
    HTTP Status: 500
    Content-Type: text/x-component
    Error Digest: Found

[!] VULNERABLE - React2Shell (CVE-2025-55182) detected!

How Detection Works

The scanner sends a safe detection payload that:

  1. Triggers the vulnerable deserialization path
  2. Causes a specific error response (HTTP 500 with E{"digest"...})
  3. Does NOT execute any code on the target

Vulnerability Indicators:

  • HTTP 500 response status
  • E{"digest" in response body
  • text/x-component content type
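The three indicators above are easy to misread in a raw response, so here is the classification step written out as an added example (this is not code from the React2Shell_POC scanner). It takes an already captured status, headers and body, so it runs offline; the Flight row format it parses (`<row id>:E{...}` for an error row) is the one the README's output shows, and the sample responses, digest value and error message are constructed, not real captures. A response that shows only some of the indicators (for instance a generic HTML 500) is reported as inconclusive rather than vulnerable, because a plain server error is not evidence of this bug.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from React2Shell_POC: classifies an already
# captured HTTP response with the README's three indicators.
FLIGHT_CONTENT_TYPE = "text/x-component"

# A Flight (RSC) response body is a sequence of rows "<id>:<tag><payload>".
# An error row uses the tag E followed by a JSON object. Assumption: the
# JSON object sits on a single line, as in the constructed samples below.
ERROR_ROW = re.compile(r'^(?P<row>\d+):E(?P<json>\{.*\})\s*$', re.MULTILINE)


@dataclass
class Verdict:
    status: str                      # "vulnerable" | "inconclusive" | "not_vulnerable"
    reasons: list[str] = field(default_factory=list)
    digest: Optional[str] = None     # value of the "digest" key when present


def parse_flight_error(body: str) -> Optional[dict]:
    """Return the JSON of the first E{...} row in a Flight body, else None."""
    m = ERROR_ROW.search(body)
    if m is None:
        return None
    try:
        return json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None


def classify(status_code: int, headers: dict[str, str], body: str) -> Verdict:
    """Apply the indicators: HTTP 500 + text/x-component + E{"digest"} row."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
    reasons: list[str] = []
    if status_code == 500:
        reasons.append("HTTP 500")
    if ctype == FLIGHT_CONTENT_TYPE:
        reasons.append(f"Content-Type {FLIGHT_CONTENT_TYPE}")
    err = parse_flight_error(body)
    digest = None
    if err is not None and "digest" in err:
        digest = str(err["digest"])
        reasons.append('E{"digest"} row in body')
    if len(reasons) == 3:
        return Verdict("vulnerable", reasons, digest)
    if reasons:
        # Only some indicators, e.g. a generic HTML 500 page: do not report
        # as vulnerable; re-check by hand or confirm the framework version.
        return Verdict("inconclusive", reasons, digest)
    return Verdict("not_vulnerable", reasons, digest)


# Constructed sample responses (not real captures).
SAMPLE_FLIGHT_ERROR = (
    500,
    {"Content-Type": "text/x-component"},
    '0:{"a":"$@1","f":"","b":"development"}\n'
    '1:E{"digest":"1234567890","message":"Cannot read properties of undefined"}\n',
)
SAMPLE_HTML_500 = (500, {"Content-Type": "text/html; charset=utf-8"}, "<h1>Internal Server Error</h1>")
SAMPLE_OK = (200, {"Content-Type": "text/html; charset=utf-8"}, "<html>ok</html>")

if __name__ == "__main__":
    for label, sample in [("flight error", SAMPLE_FLIGHT_ERROR),
                          ("html 500", SAMPLE_HTML_500),
                          ("200 ok", SAMPLE_OK)]:
        v = classify(*sample)
        print(f"{label:12} -> {v.status:15} {', '.join(v.reasons)}")
```

The verdict is a heuristic, exactly as the scanner's is: treat "vulnerable" as a prompt to confirm the installed React/Next.js version against the patched releases, and treat "inconclusive" as a reason to look at the raw response rather than as a clean result.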

Remediation

If your application is vulnerable:

Quick Fix

npx fix-react2shell-next

Manual Upgrade

| Framework | Vulnerable | Patched |
|---|---|---|
| Next.js 14.x | < 14.2.35 | 14.2.35+ |
| Next.js 15.0.x | < 15.0.5 | 15.0.5+ |
| Next.js 15.1.x | < 15.1.9 | 15.1.9+ |
| Next.js 15.2.x | < 15.2.6 | 15.2.6+ |
| React 19.x | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |

Post-Patch Actions

  1. Rotate all secrets and API keys, including anything that was reachable from the process environment (the --env-dump mode shows what an attacker could read)
  2. Review logs for suspicious POST requests carrying a Next-Action header. Legitimate Server Action calls send this header too, so look for action IDs that do not match the ones your build generated, action POSTs against pages that expose no actions, and action POSTs that were answered with HTTP 500
  3. Check for unauthorized access or data exfiltration
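The log review in step 2 is the part that is easiest to get wrong, because the Next-Action header by itself is not an indicator of compromise. The following is an added example (not code from React2Shell_POC) of the triage logic: it reads JSON-lines access log entries and flags Server Action POSTs whose action ID is not one your build produced, or that were answered with HTTP 500. The log format (one JSON object per line with a next_action field copied from the request header), the set of known action IDs, the IP addresses and every log line are assumptions constructed for the example.

```python
from __future__ import annotations

import json
from collections import Counter

# Added example, not code from React2Shell_POC. Scans constructed JSON-lines
# access log entries for Server Action POSTs worth reviewing after patching.

# Assumption: action IDs collected from the app's own build output
# (.next/server/server-reference-manifest.json). A request whose Next-Action
# value is not one of these cannot be a legitimate call to this build.
KNOWN_ACTION_IDS = {
    "7f3a9c1e2b4d6f8a0c2e4a6c8e0b2d4f6a8c0e2b",
    "c0ffee00aa11bb22cc33dd44ee55ff6677889900",
}

# Constructed log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
{"ts":"2025-12-04T01:02:03Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
{"ts":"2025-12-04T01:02:04Z","src":"198.51.100.2","method":"POST","path":"/dashboard","status":200,"next_action":"7f3a9c1e2b4d6f8a0c2e4a6c8e0b2d4f6a8c0e2b"}
{"ts":"2025-12-04T01:02:05Z","src":"198.51.100.2","method":"GET","path":"/dashboard","status":200}
{"ts":"2025-12-04T01:02:06Z","src":"203.0.113.7","method":"POST","path":"/","status":200,"next_action":"0000000000000000000000000000000000000000"}
{"ts":"2025-12-04T01:02:07Z","src":"198.51.100.9","method":"POST","path":"/settings","status":500,"next_action":"c0ffee00aa11bb22cc33dd44ee55ff6677889900"}
"""


def flag_entry(entry: dict) -> list[str]:
    """Return the reasons an entry deserves review (empty list if none)."""
    reasons: list[str] = []
    if entry.get("method") != "POST" or "next_action" not in entry:
        return reasons  # only Server Action POSTs are of interest
    if entry["next_action"] not in KNOWN_ACTION_IDS:
        reasons.append("Next-Action id not in this build")
    if entry.get("status") == 500:
        reasons.append("action POST answered 500")
    return reasons


def hunt(log_text: str) -> list[dict]:
    """Parse JSON-lines log text and return the flagged entries with reasons."""
    flagged: list[dict] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        reasons = flag_entry(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def sources_to_review(flagged: list[dict]) -> Counter:
    """Count flagged requests per source address to prioritise the review."""
    return Counter(e.get("src", "?") for e in flagged)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["method"], h["path"], h["status"], "; ".join(h["reasons"]))
    print("per source:", dict(sources_to_review(hits)))
```

An action ID that your build never produced is the strong signal; an action POST that returned 500 is weaker (it also catches ordinary application bugs) but matches the error behaviour the detection payload relies on, so both are worth a look, starting with the sources that trip both rules.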

Disclaimer

FOR AUTHORIZED SECURITY TESTING AND EDUCATIONAL PURPOSES ONLY

  • Only scan systems you own or have explicit written permission to test
  • Unauthorized access to computer systems is illegal
  • The authors are not responsible for any misuse or damage caused by these tools

License

MIT License


Stay Secure - Patch Your Applications!
