## https://sploitus.com/exploit?id=735A37FF-EE6A-581B-8757-08C68F4A705A
# React RCE Vulnerability Scanner (CVE-2025-55182)
A comprehensive security scanning tool to detect **CVE-2025-55182** and **CVE-2025-66478** vulnerabilities in React and Next.js projects using React Server Components (RSC).



## ๐จ Overview
This tool scans your project for vulnerable versions of React, Next.js, and related RSC packages that are susceptible to **Remote Code Execution (RCE)** attacks. The vulnerability allows unauthenticated attackers to execute arbitrary code on your server.
> **โ ๏ธ Critical Alert:** As of December 2025, approximately **39% of cloud environments** contain instances of Next.js or React with vulnerable versions. Immediate action is required if you're using React Server Components.
## โจ Features
- ๐ **Automatic Package Detection** - Scans `node_modules` for vulnerable package versions
- ๐ **Project Structure Analysis** - Detects App Router vs Pages Router usage
- ๐ **Server Actions Scanner** - Finds `"use server"` directives in your codebase
- ๐ ๏ธ **RSC Framework Detection** - Identifies RSC-enabled frameworks (Remix, Waku, RedwoodJS, etc.)
- ๐ **Risk Assessment** - Provides clear risk conclusions (CRITICAL/MEDIUM/SAFE)
- ๐ก **Remediation Guidance** - Suggests exact commands to patch vulnerabilities
## ๐ฆ Packages Scanned
| Package | Description |
|---------|-------------|
| `react` | Core React library |
| `next` | Next.js framework |
| `react-server-dom-webpack` | RSC Webpack integration |
| `react-server-dom-parcel` | RSC Parcel integration |
| `react-server-dom-turbopack` | RSC Turbopack integration |
## ๐ Quick Start
### Prerequisites
- Node.js 16 or higher
- npm or yarn
### Installation
1. Clone this repository or download `check.js`:
```bash
git clone https://github.com/yourusername/check-react-rce-cve-2025-55182.git
```
2. Navigate to your React/Next.js project directory:
```bash
cd /path/to/your/project
```
3. Run the scanner:
```bash
node /path/to/check.js
```
### Alternative: Direct Usage
You can also copy `check.js` directly into your project and run:
```bash
node check.js
```
## ๐ Sample Output
```
===========================================================================
REACT RCE VULNERABILITY SCANNER (CVE-2025-55182)
===========================================================================
Scanning installed packages...
Starting Deep Codebase Scanning...
===========================================================================
AUDIT REPORT
===========================================================================
[CVE-2025-55182] React Vulnerability
---------------------------------------------------------------------------
react : 19.0.0 VULNERABLE (React 19.0.0 npm install react@latest react-dom@latest
> npm install next@latest
> npm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
```
## ๐ Understanding the Results
### Risk Levels
| Level | Description |
|-------|-------------|
| ๐ด **CRITICAL** | Vulnerable packages detected + RSC features in use. Immediate action required. |
| ๐ก **MEDIUM** | Vulnerable packages detected, but RSC not actively detected. Update recommended. |
| ๐ข **SAFE** | No vulnerable packages or using versions before RSC support. |
### Status Indicators
| Status | Meaning |
|--------|---------|
| `VULNERABLE` | Package version is affected by the CVE |
| `SAFE` | Package is updated to a patched version |
| `SAFE_CLASSIC` | Package version predates RSC (not affected) |
| `NOT INSTALLED` | Package not found in project |
| `UNKNOWN` | Unable to determine version status |
## ๐ง Patched Versions
### React (CVE-2025-55182)
| Branch | Vulnerable Versions | Patched Version |
|--------|---------------------|-----------------|
| React 19.0.x | 19.0.0 | โฅ 19.0.1 |
| React 19.1.x | 19.1.0, 19.1.1 | โฅ 19.1.2 |
| React 19.2.x | 19.2.0 | โฅ 19.2.1 |
| React 18.x and earlier | โ | Not affected (no RSC support) |
### Next.js (CVE-2025-66478)
| Branch | Patched Version |
|--------|-----------------|
| Next.js 16.0.x | โฅ 16.0.7 |
| Next.js 15.5.x | โฅ 15.5.7 |
| Next.js 15.4.x | โฅ 15.4.8 |
| Next.js 15.3.x | โฅ 15.3.6 |
| Next.js 15.2.x | โฅ 15.2.6 |
| Next.js 15.1.x | โฅ 15.1.9 |
| Next.js 15.0.x | โฅ 15.0.5 |
| Next.js 14.3.0-canary.77+ | โ ๏ธ Vulnerable (canary with Flight Protocol) |
| Next.js 14.x (stable) | Not affected |
| Next.js 13.x | Not affected |
### Not Affected
The following configurations are **NOT affected** by these vulnerabilities:
- Next.js 13.x and earlier
- Next.js 14.x stable releases
- Applications using only the **Pages Router**
- Applications running on **Edge Runtime**
- React 18.x and earlier (no RSC support)
---
## ๐ก๏ธ About the Vulnerabilities
### CVE-2025-55182 (React)
**Severity:** CRITICAL (CVSS 10.0)
**Affected Packages:**
- `react-server-dom-webpack`
- `react-server-dom-parcel`
- `react-server-dom-turbopack`
**Vulnerability Type:** Insecure Deserialization
**Description:**
A critical Remote Code Execution (RCE) vulnerability exists in the `react-server` package, which is integral to React Server Components (RSC). The flaw stems from an **insecure deserialization vulnerability** within the RSC "Flight" protocol.
The vulnerability allows an unauthenticated attacker to achieve remote code execution on the server by sending a specially crafted HTTP request to **any Server Function endpoint**. Even applications that do not explicitly implement React Server Function endpoints may be vulnerable if they support React Server Components, as the vulnerability affects default configurations.
**Attack Vector:**
- Attacker sends a specially crafted HTTP request to the server
- The React Flight protocol processes and deserializes RSC payloads in an unsafe manner
- Malicious input triggers arbitrary code execution on the server
- Proof-of-concepts have shown **near-100% reliability** against default configurations
**Impact:**
- Full server compromise
- Data exfiltration
- Access to environment variables and secrets
- Malware installation
- Lateral movement within infrastructure
**References:**
- [CVE-2025-55182 Official Record](https://vulners.com/cve/CVE-2025-55182)
- [React Security Bulletin (December 3, 2025)](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
---
### CVE-2025-66478 (Next.js)
**Severity:** CRITICAL (CVSS 10.0)
**Affected Package:** `next`
**Vulnerability Type:** Insecure Deserialization (inherited from React RSC)
**Description:**
A critical Remote Code Execution vulnerability in Next.js affects applications using the **App Router** with React Server Components. This vulnerability is the downstream manifestation of CVE-2025-55182, as Next.js inherits the flaw through its implementation of the React Flight protocol.
The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by sending specially crafted HTTP requests that exploit the unsafe processing of RSC payloads.
**Attack Vector:**
- Targets server-side processing of RSC payloads
- Attackers craft malicious requests exploiting the Flight protocol
- When processed by the Next.js server, results in arbitrary code execution
- No authentication required
**Impact:**
- Complete server takeover
- Access to environment variables and secrets
- Database access and manipulation
- Ability to modify application behavior
- Full infrastructure compromise
**References:**
- [CVE-2025-66478 Official Record](https://vulners.com/cve/CVE-2025-66478)
- [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
---
## โ ๏ธ Other Impacted Frameworks
The React Flight protocol vulnerability affects **any framework or bundler that implements React Server Components**. If your project uses any of the following, you should verify your React packages are patched:
| Framework/Tool | Status | Notes |
|----------------|--------|-------|
| **Next.js** | โ ๏ธ Impacted | Primary framework using RSC. Update to patched versions. |
| **React Router** | โ ๏ธ Impacted | When in RSC mode, verify React packages are updated. |
| **Waku** | โ ๏ธ Impacted | Minimal RSC framework. Must use patched React versions. |
| **RedwoodJS (rwsdk)** | โ ๏ธ Impacted | rwsdk uses RSC. Ensure React packages are patched. |
| **Parcel** | โ ๏ธ Impacted | If using `@parcel/rsc`, verify React packages. |
| **Vite** | โ ๏ธ Impacted | If using `@vitejs/plugin-rsc`, verify React packages. |
| **Remix** | โ ๏ธ Potentially Impacted | If using experimental RSC features, ensure React is patched. |
### Key Takeaway
> **Any application using React Server Components is potentially vulnerable.** The core vulnerability exists in React's RSC implementation, so regardless of which framework you use, you must update the React packages (`react`, `react-dom`, `react-server-dom-*`) to the patched versions.
---
## โ๏ธ Cloud Provider WAF Protections
Major cloud providers have proactively deployed Web Application Firewall (WAF) rules to protect against these vulnerabilities. However, **WAF protection is a temporary measure and does NOT eliminate the need to patch your applications**.
### Cloudflare
| Feature | Details |
|---------|---------|
| **Status** | โ Protected |
| **Coverage** | All customers (Free, Pro, Business, Enterprise) |
| **Requirement** | Traffic must be proxied through Cloudflare WAF |
| **Action Required** | Ensure Managed Rules are enabled (Pro/Enterprise) |
| **Note** | Cloudflare Workers are inherently immune to this exploit |
Cloudflare has deployed new WAF rules to automatically block exploitation attempts for CVE-2025-55182. All customers whose React application traffic is proxied through Cloudflare are automatically protected.
**To verify protection:**
1. Log in to Cloudflare Dashboard
2. Navigate to Security โ WAF โ Managed Rules
3. Ensure rules are enabled and updated
---
### Amazon Web Services (AWS)
| Feature | Details |
|---------|---------|
| **Status** | โ Protected |
| **Rule Set** | `AWSManagedRulesKnownBadInputsRuleSet` (v1.24+) |
| **Coverage** | AWS WAF customers using managed rules |
| **Action Required** | Verify rule set version is 1.24 or later |
AWS has integrated updated rules for CVE-2025-55182 into the default version (1.24) of the AWS WAF managed rule set.
**To enable protection:**
```bash
# Verify your rule set version in AWS Console
# Security โ WAF โ Web ACLs โ [Your ACL] โ Rules
```
**Custom Rule Option:**
For immediate protection, you can deploy custom AWS WAF rules to detect and prevent exploitation attempts:
```json
{
"Name": "BlockReactRCE",
"Priority": 0,
"Statement": {
"ByteMatchStatement": {
"SearchString": "rsc-payload-exploit-pattern",
"FieldToMatch": { "Body": {} },
"TextTransformations": [{ "Priority": 0, "Type": "NONE" }],
"PositionalConstraint": "CONTAINS"
}
},
"Action": { "Block": {} }
}
```
> **Note:** Managed AWS services are generally not affected, but applications running vulnerable React/Next.js versions in your own environment should be updated immediately.
---
### Microsoft Azure
| Feature | Details |
|---------|---------|
| **Status** | โ Protected |
| **Rule Set** | Default Rule Set (DRS) 2.1 |
| **Coverage** | Azure WAF customers |
| **Action Required** | Verify using DRS 2.1 or create custom rules |
Azure WAF with the latest Default Rule Set (DRS) 2.1 can detect some attempts to exploit this vulnerability.
**To enable protection:**
1. Navigate to Azure Portal โ Application Gateway or Front Door
2. Go to WAF policy โ Managed Rules
3. Ensure DRS 2.1 is selected
4. Optionally create custom rules for additional protection
**Custom Rule Example:**
Organizations can create custom WAF rules specifically tailored to block the exploit pattern. Azure recommends validating custom rules in a test environment before production deployment.
---
### Google Cloud Platform (GCP)
| Feature | Details |
|---------|---------|
| **Status** | โ Protected |
| **Service** | Cloud Armor |
| **Coverage** | Cloud Armor customers |
| **Action Required** | Enable preconfigured WAF rules |
Google Cloud Armor provides protection through its preconfigured WAF rules and can be configured with custom security policies.
**To enable protection:**
1. Navigate to Google Cloud Console โ Network Security โ Cloud Armor
2. Create or update security policy
3. Enable preconfigured WAF rules for known vulnerabilities
4. Apply policy to backend services
---
### Vercel
| Feature | Details |
|---------|---------|
| **Status** | โ Protected |
| **Coverage** | All Vercel deployments |
| **Action Required** | Still must update Next.js to patched version |
Vercel has implemented platform-level mitigations to protect hosted applications. However, Vercel strongly recommends updating to the patched versions of Next.js.
---
### Important WAF Considerations
> โ ๏ธ **WAF protection is a temporary measure.** All cloud providers emphasize that:
>
> 1. **WAFs do not fix the vulnerability** - They only block known exploit patterns
> 2. **Attackers may bypass WAFs** - New exploit variants could evade detection
> 3. **Patching is mandatory** - Update to fixed versions immediately
> 4. **Rebuild applications** - After upgrading, rebuild to ensure patched dependencies are used
---
## ๐ How to Patch
### Quick Fix
Run the following commands in your project directory:
```bash
# Update React packages
npm install react@latest react-dom@latest
# Update Next.js (if using)
npm install next@latest
# Update RSC packages (if present)
npm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
# IMPORTANT: Rebuild your application
npm run build
```
### Verification
After updating, run the scanner again to confirm all vulnerabilities are patched:
```bash
node check.js
```
Expected output should show:
```
RISK CONCLUSION: SAFE
โ Your system is safe from CVE-2025-55182 and CVE-2025-66478.
```
### Additional Security Recommendations
1. **Rebuild Applications** - After upgrading, rebuild to ensure patched dependencies are used
2. **Validate Third-Party Dependencies** - Check frameworks and bundlers that might bundle vulnerable React packages
3. **Implement Defense-in-Depth:**
- Runtime sandboxing for server-side JavaScript
- Strict routing for RSC endpoints
- Continuous monitoring for suspicious activity
4. **Restrict Public Access** - If immediate patching is not possible, restrict access to RSC-enabled endpoints
---
## ๐ Timeline & Discovery
| Date | Event |
|------|-------|
| December 3, 2025 | Vulnerability disclosed by security researchers |
| December 3, 2025 | CVE-2025-55182 and CVE-2025-66478 assigned |
| December 3, 2025 | React team publishes security bulletin |
| December 3, 2025 | React and Next.js teams release patches |
| December 3, 2025 | Cloud providers deploy WAF protections |
| December 3, 2025 | No reported instances of exploitation in the wild |
---
## ๐ Additional Resources
### Official Advisories
- [React Security Bulletin (December 3, 2025)](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
- [GitHub Advisory Database](https://github.com/advisories)
### CVE Records
- [NIST NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [NIST NVD - CVE-2025-66478](https://nvd.nist.gov/vuln/detail/CVE-2025-66478)
### Cloud Provider Documentation
- [Cloudflare WAF - React RCE Protection](https://blog.cloudflare.com)
- [AWS WAF Managed Rules](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html)
- [Azure WAF Documentation](https://docs.microsoft.com/azure/web-application-firewall/)
- [Google Cloud Armor](https://cloud.google.com/armor/docs)
### Security Analysis
- [Wiz Research - React RSC Vulnerability Analysis](https://wiz.io)
- [Palo Alto Networks - Threat Brief](https://www.paloaltonetworks.com)
- [Snyk Vulnerability Database](https://snyk.io/vuln)
## ๐ License
MIT License - See [LICENSE](LICENSE) for details.
---
**Stay secure! ๐**