A Chrome extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications.
React2Shell Detector is a browser extension that helps security researchers and web developers identify potential React2Shell vulnerabilities in web applications. The extension sends safe detection payloads to target URLs and analyzes the responses to determine if the application is vulnerable.
This project is inspired by and based on the react2shell-scanner Python script by Assetnote, reimplemented as a Chrome extension for easier browser-based scanning.
- One-Click Scanning: Scan the current tab or any URL with a single click
- Safe Detection: Uses non-destructive payloads for vulnerability detection
- Detailed Results: View HTTP headers, response bodies, and request details
- Dark Mode: Built-in theme toggle for comfortable viewing
- Modern UI: Clean, responsive interface built with React and Tailwind CSS
- Privacy-Focused: All scanning happens locally - no data is sent to external servers
The extension will be available on the Chrome Web Store soon.
- Clone the repository

  ```bash
  git clone https://github.com/xiaopeng-ye/react2shell-detector.git
  cd react2shell-detector
  ```

- Install dependencies

  ```bash
  pnpm install
  ```

- Build the extension

  For development (with hot-reload):

  ```bash
  pnpm dev
  ```

  For production:

  ```bash
  pnpm build
  ```

- Load the extension in Chrome
  - Open Chrome and navigate to `chrome://extensions/`
  - Enable Developer mode (toggle in the top-right corner)
  - Click Load unpacked
  - Select the build directory:
    - For development build: `build/chrome-mv3-dev`
    - For production build: `build/chrome-mv3-prod`
  - The React2Shell Detector extension should now appear in your extensions list

- Pin the extension (optional)
  - Click the puzzle icon in Chrome's toolbar
  - Find "React2Shell Detector" and click the pin icon
  - The extension icon will now appear in your toolbar
- Open the extension
  - Click the React2Shell Detector icon in your Chrome toolbar
  - Or use the keyboard shortcut (if configured)

- Scan a URL
  - The current tab's URL will be automatically loaded
  - You can edit the URL or enter a different one
  - Click the Scan button

- Review results
  - Vulnerable: The application may be vulnerable to React2Shell attacks
  - Safe: No vulnerability detected
  - Error: The scan encountered an error (network issue, timeout, etc.)

- View details
  - Click on the Request or Response tabs to see detailed information
  - Review HTTP headers, status codes, and response bodies
- Framework: Plasmo - Modern browser extension framework
- UI: React 18 with TypeScript
- Styling: Tailwind CSS 4
- Components: Radix UI primitives
- Icons: Lucide React
- Theme: next-themes for dark mode support
```text
react2shell-detector/
├── components/        # React components
│   ├── ui/            # Reusable UI components
│   ├── ScanForm.tsx   # URL input and scan button
│   ├── ScanResult.tsx # Results display
│   └── ...
├── lib/               # Core logic
│   ├── detector.ts    # Vulnerability detection logic
│   ├── payload.ts     # Payload generation
│   ├── types.ts       # TypeScript type definitions
│   └── utils.ts       # Helper functions
├── styles/            # Global styles
├── popup.tsx          # Extension popup entry point
├── background.ts      # Background service worker
└── package.json       # Project configuration
```
```bash
# Development mode with hot-reload
pnpm dev

# Production build
pnpm build

# Package for distribution
pnpm package

# Format code
pnpm prettier --write .
```

This project uses Prettier with the following conventions:
- No semicolons
- Double quotes
- 2-space indentation
- Sorted imports (Node.js → third-party → Plasmo → local → relative)
Always format your code before committing:

```bash
pnpm prettier --write .
```

IMPORTANT: This tool is designed for:
- Security research and authorized penetration testing
- Vulnerability assessment with proper authorization
- Educational purposes
- Defensive security measures
NOT for:
- Unauthorized testing or scanning of systems you don't own or have permission to test
- Malicious activities or exploitation
- Any illegal activities
Always obtain proper authorization before scanning any web application.
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- React2Shell Scanner - Original Python script by Assetnote (this project is based on their work)
- CVE-2025-55182
- CVE-2025-66478
This project is built upon the excellent research and work by Assetnote. The core detection logic is adapted from their react2shell-scanner Python script.
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is provided for educational and authorized security testing purposes only. The authors and contributors are not responsible for any misuse or damage caused by this tool. Always ensure you have proper authorization before scanning any web application.
If you encounter any issues or have questions:
- Open an issue
