Share
## https://sploitus.com/exploit?id=4F1E309F-20C6-5D5F-B4F0-6BD9723A6C6E
# GitHub CVE Scanner
> ๐ Quickly scan GitHub repositories for critical React and Next.js RSC vulnerabilities
[](LICENSE)
## Overview
A browser-based scanner that checks all GitHub repositories for known security vulnerabilities in React Server Components:
| CVE | Package(s) | Severity | Description |
|-----|------------|----------|-------------|
| **CVE-2025-55182** | `react`, `react-dom`, `react-server-dom-webpack` | Critical | React RSC "Flight" protocol RCE |
| **CVE-2025-66478** | `next` | Critical | Next.js RSC unauthenticated RCE |
**No installation required** โ just paste in your browser console.
## Quick Start
1. Navigate to any GitHub page (e.g., `https://github.com/yourusername`)
2. Open DevTools (`F12` or `Ctrl+Shift+I`)
3. Go to the **Console** tab
4. Copy [`script.js`](./script.js), paste, and press Enter
## Authentication
When prompted, choose your scan mode:
| Option | Access | Requirements |
|--------|--------|--------------|
| **Cancel** | Public repos only | None |
| **OK** | Public + Private | [Personal Access Token](#creating-a-pat) |
### Creating a PAT
1. Visit [github.com/settings/tokens/new](https://github.com/settings/tokens/new)
2. Name: `CVE Scanner`
3. Scope: `repo` (Full control of private repositories)
4. Generate and copy the token
> โ ๏ธ **Security**: Treat your PAT like a password. Never commit or share it.
## Vulnerability Reference
### CVE-2025-55182 (React)
| Package | Vulnerable | Patched |
|---------|------------|---------|
| `react` | 19.0.0 | 19.0.1+ |
| `react-dom` | 19.0.0 | 19.0.1+ |
| `react-server-dom-webpack` | 19.0.0 | 19.0.1+ |
### CVE-2025-66478 (Next.js)
| Version Range | Vulnerable | Patched |
|---------------|------------|---------|
| 13.x | 13.4.0 โ 13.5.8 | 13.5.9 |
| 14.x | 14.0.0 โ 14.2.24 | 14.2.25 |
| 15.x | 15.0.0 โ 15.1.2 | 15.1.3 |
## Features
- โ
Auto-detects username from current URL
- โ
Optional PAT for private repository access
- โ
Paginated fetching for large accounts
- โ
Clean console output with summary table
- โ
Handles edge cases gracefully
- โ
Read-only โ never modifies repositories
## Example Output
```
๐ GitHub CVE Scanner
Checking: CVE-2025-55182 (React RSC) & CVE-2025-66478 (Next.js RSC)
๐ค username | Mode: Public + Private
๐ฆ Fetching repositories...
๐ 42 repositories found
๐ Scanning... (click to expand)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
RESULTS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโ
โ (index) โ Repo โ Next โ React โ ReactDOM โ RSCWebpack โ Status โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโค
โ 0 โ 'my-nextjs-app' โ '14.1' โ '18.2' โ '18.2' โ '-' โ 'โ ๏ธ CVE-2025-66478' โ
โ 1 โ 'react-demo' โ '-' โ '19.0' โ '19.0' โ '-' โ 'โ ๏ธ CVE-2025-55182' โ
โ 2 โ 'safe-project' โ '15.2' โ '19.1' โ '19.1' โ '-' โ 'โ
Safe' โ
โโโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโ
๐ Summary:
Total repos: 42
With package.json: 38
Skipped: 4 (no package.json)
โ ๏ธ 2 vulnerable repo(s) found!
โ Scan complete.
```
## Why This Matters
CVE-2025-55182 and CVE-2025-66478 allow **unauthenticated remote code execution** through the React Server Components "Flight" protocol. These are critical vulnerabilities requiring immediate patching.
## Contributing
Contributions welcome! Ideas for future enhancements:
- Organization-wide scanning
- CSV/JSON export
- Bookmarklet version
- GitHub Actions integration
Open an issue or submit a PR.
## License
[MIT](LICENSE)