Share
## https://sploitus.com/exploit?id=1C7F349B-8114-5547-AEC5-7B3C5F25CA5C
# CVE-2025-55182 Scanner
A proof-of-concept scanner for **CVE-2025-55182**, a critical unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components (RSC).
## Overview
On December 3, 2025, a critical vulnerability was disclosed affecting React 19.x and Next.js applications using React Server Components. The flaw exists in the RSC "Flight" protocol's deserialization logic, allowing attackers to execute arbitrary code on the server via crafted HTTP requests.
### Severity
| Attribute | Value |
| -------------- | ------------------------------ |
| CVE | CVE-2025-55182 |
| CVSS | Critical |
| Attack Vector | Network |
| Authentication | None |
| Exploitation | Actively exploited in the wild |
### Impact
- Unauthenticated Remote Code Execution
- Full server compromise
- Credential harvesting from environment variables
- Cloud metadata exfiltration
- Lateral movement within infrastructure
## Affected Versions
| Product | Vulnerable Versions | Patched Versions |
| -------------------- | ----------------------------- | ------------------------------------------------------ |
| react-server-dom | 19.0.x, 19.1.x, 19.2.x | 19.0.1, 19.1.2, 19.2.1 |
| Next.js (App Router) | 14.3.0-canary.77+, 15.x, 16.x | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
## Usage
### Single Target Scan
```bash
go run ./cmd/main.go -t https://example.com
```
### Single Target with Interactive Shell
```bash
go run ./cmd/main.go -t https://example.com -shell
```
### Batch Scan from File
```bash
go run ./cmd/main.go -f targets.txt -c 20
```
### Export Results
```bash
go run ./cmd/main.go -f targets.txt -json results.json -csv results.csv
```
### Options
| Flag | Description | Default |
| ------------------ | -------------------------------------- | ------- |
| `-t, -target` | Single target URL | |
| `-f, -file` | File containing target URLs | |
| `-c, -concurrency` | Number of concurrent scanners | 10 |
| `-timeout` | HTTP timeout in seconds | 15 |
| `-json` | Export results to JSON file | |
| `-csv` | Export results to CSV file | |
| `-q, -quiet` | Suppress banner and progress | false |
| `-s, -shell` | Interactive shell on vulnerable target | false |
## Output Example
```
React2Shell Scanner v1.0.0
CVE-2025-55182 | React Server Components RCE
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[+] VULN https://app.example.com/ 142ms
[-] SAFE https://api.example.com/ 203ms
[!] ERROR https://internal.example.com/ (timeout) 15000ms
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SCAN COMPLETE
Targets scanned: 3
Vulnerable: 1 (33%)
Safe: 1
Errors: 1
Duration: 15.4s
Avg response: 5115ms
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
VULNERABLE TARGETS
1. https://app.example.com/
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
REMEDIATION
Upgrade to patched versions:
Next.js:
15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
react-server-dom:
19.0.1, 19.1.2, 19.2.1
```
## Technical Details
The vulnerability exists in the RSC "Flight" protocol's handling of serialized payloads. When processing specially crafted multipart form data, the server fails to properly validate the payload structure, allowing prototype pollution that leads to arbitrary code execution.
### Attack Vector
1. Attacker sends malformed RSC payload via POST request
2. Server deserializes payload without proper validation
3. Prototype pollution allows constructor access
4. Arbitrary JavaScript executes in Node.js context
5. Command output exfiltrated via redirect header
### Detection
Look for POST requests containing:
- `Next-Action` header
- Multipart form data with `__proto__` references
- Unusual `X-Action-Redirect` responses
## Remediation
1. **Immediate**: Upgrade to patched versions listed above
2. **WAF Rules**: Block requests containing `__proto__` in body
3. **Monitoring**: Alert on suspicious `Next-Action` header patterns
4. **Network**: Restrict outbound connections from Next.js servers
## Disclaimer
**INTERNAL USE ONLY**
This tool is intended for authorized security testing only. Use against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
## References
- [Wiz Research Advisory](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [React Security Bulletin](https://react.dev/blog)
- [Vercel Advisory](https://vercel.com/security)
## License
Internal use only. Not for distribution.