## https://sploitus.com/exploit?id=23F573CB-D27D-5F45-9798-728478C132C7
# CVE-2025-55182: Exposed React Server Components (RSC) Detector
This repository contains a **Nuclei template** for detecting **React Server Components exposure** associated with **CVE-2025-55182**. The vulnerability affects applications built with React/Next.js where the RSC negotiation layer is unintentionally exposed, allowing attackers to interact with server components and potentially reach deserialization-based RCE.
The template performs a **benign RSC handshake** and identifies endpoints that respond with the RSC component stream (`text/x-component`) instead of blocking the request.
## What This Template Detects
A target is flagged as vulnerable when it:
* Responds with `text/x-component` upon receiving RSC negotiation headers.
* Emits RSC-specific runtime markers such as:
* `I[` (the RSC payload prefix)
* `static/chunks/...` (Next.js bundle references)
* Returns a `Vary: RSC` header.
* Optionally reveals the `X-Matched-Path` header, which the template extracts.
These indicators confirm that the **React Server Component endpoint is exposed**, which aligns with the behavior described in **CVE-2025-55182**.
## Usage
Run with Nuclei:
```bash
nuclei -t CVE-2025-55182-react2shell.yaml -u https://target.com -debug
```
Run against a list:
```bash
nuclei -t CVE-2025-55182-react2shell.yaml -l urls.txt -stats
```
## Disclaimer
This template is for **authorized security testing only**. Improper use may violate laws or terms of service.