Share
## https://sploitus.com/exploit?id=6059D190-899F-5599-AAF2-67C616DC8719
Chain Reaction
  


High-Performance Rust Scanner for React Server Components RCE (CVE-2025-55182 & CVE-2025-66478).


  Features •
  Installation •
  Usage •
  Advanced Capabilities •
  Detection Logic •
  Disclaimer


---

**Chain Reaction** is a state-of-the-art security scanner designed to detect critical Remote Code Execution vulnerabilities in Next.js and React Server Components (RSC). Built in Rust for maximum performance and reliability, it goes beyond simple PoC checking by implementing deep protocol fuzzing, WAF evasion, and alternative gadget chains to identify vulnerabilities in hardened environments.

Created for red teams, researchers, and large-scale attack surface management.

## Features

*   **⚡ Blazing Fast**: Asynchronous, multi-threaded architecture (Tokio) capable of interacting with thousands of targets per second.
*   **🧠 Mutation Engine**:
    *   **Protocol Fuzzing**: Generates valid RSC payloads with arbitrary, deep graph structures (e.g., recursive paths up to 8 levels) to defeat shallow WAF parsers.
    *   **Gadget Rotation**: Randomly alternates between standard `execSync` (RCE) and `fs.readFileSync` (LFI) to bypass "No-Shell" policies.
*   **🛡️ Top-Tier Evasion**:
    *   **Header Randomization**: Dynamically generates `Next-Action` IDs and request tokens to evade static string signatures.
    *   **User-Agent Rotation**: Automatically rotates between realistic browser identities.
    *   **Junk Padding**: Injects large blocks of random data to overflow WAF inspection buffers.
*   **🎯 High Fidelity Detection**:
    *   **RCE Verification**: Forces server to calculate `41*271` and reflects `11111` in `X-Action-Redirect`.
    *   **File Disclosure**: Confirms vulnerability by reading `/etc/passwd` or `win.ini` and validating content.
    *   **Side-Channel Fallback**: Detects precise crash signatures (`E{"digest"`) when active execution is blocked.
*   **� Blind Support (OOB)**: Robust callback injection (`curl`, `wget`, `ping`) for environments that suppress reflected output.

## Installation

### From Source

```bash
git clone https://github.com/joaonevess/chain-reaction.git
cd chain-reaction
cargo build --release
```

The binary will be available at `./target/release/chain-reaction`.

## Usage

### 🚀 Standard Smart Scan
Automatically attempts standard payloads and safe checks.
```bash
./target/release/chain-reaction -u https://target.com
```

### 🧬 Mutation Fuzzing (Recommended for Hard Targets)
Activates the Protocol Fuzzing engine. Generates unique, deep-nested payloads and rotates gadget chains.
```bash
./target/release/chain-reaction -u https://target.com --fuzz --fuzz-count 10
```

### 🛡️ Stealth WAF Bypass
Combines mutation, junk padding, and advanced evasion techniques.
```bash
./target/release/chain-reaction -l targets.txt --waf-bypass --waf-bypass-size 512
```

### � Blind/OOB Check
Injects a payload to ping your callback server.
```bash
./target/release/chain-reaction -u https://target.com --oob http://your-interactsh.com
```

### ⚡ Mass Pipeline Mode
Read targets from stdin and output valid hits quietly.
```bash
cat subdomains.txt | ./chain-reaction -t 100 --silent > vulnerable.txt
```

## Advanced Capabilities

### Deep Graph Fuzzing (Protocol Fuzzing)
Most WAFs inspect JSON payloads only to a shallow depth (e.g., 3-5 levels). Chain Reaction's **Mutation Engine** bypasses this by constructing recursive RSC paths like:
`$1:xc9:a4z:q21:__proto__:then`
This corresponds to a deeply nested JSON object that the server *must* traverse, triggering the exploit deep inside a structure that security tools often ignore.

### Alternative Gadget Chains
If `child_process.exec()` is blocked (common in containers), Chain Reaction automatically attempts to use `fs.readFileSync` to read sensitive files.
-   **Linux**: Targets `/etc/passwd` (Detects `root:x`)
-   **Windows**: Targets `C:\windows\win.ini` (Detects `[fonts]`)
This provides a secondary "Gold Standard" confirmation method.

## Detection Logic

Chain Reaction employs a decision engine to confirm vulnerability with zero false positives:

1.  **Reflected RCE**: Checks for `11111` in `X-Action-Redirect` (Result of `41*271`).
2.  **LFI Confirmation**: Checks for system file markers (`root:`, `[fonts]`) in headers or body.
3.  **Side-Channel**: Checks for `500 Internal Server Error` + `E{"digest"}` signature.
4.  **Blind OOB**: Triggers external network interaction.

## Options

```console
Usage: chain-reaction [OPTIONS]

Options:
  -u, --url                Target URL
  -l, --list              File containing list of targets
  -t, --threads            Number of concurrent threads [default: 50]
  -s, --silent                  Silent mode (only print vulnerable URLs)
  -o, --output            Output file for JSON results
  -k, --insecure                Disable SSL verification
  --fuzz                        Enable Protocol Fuzzing / Mutation Engine
  --fuzz-count             Number of mutated payloads per target [default: 3]
  --waf-bypass                  Enable junk data padding and advanced evasion
  --waf-bypass-size         Size of junk data in KB [default: 128]
  --oob                    OOB Interaction URL for Blind RCE tests
  --windows                     Use Windows primitives where applicable
  -v, --verbose                 Verbose output
```

## Disclaimer

This project is for educational purposes and authorized security research only. Using this tool against systems without prior permission is illegal and unethical. The authors are not creating vulnerabilities, but providing a way to detect them.

---


  Made with ❤️ for the security community.