Share
## https://sploitus.com/exploit?id=AD82E4CF-0B25-5818-B0E2-75DDA6946A4C
# React CVE-2025-55182 Vulnerability Scanner
A bash script to scan your server for React applications vulnerable to **CVE-2025-55182** โ a critical remote code execution vulnerability (CVSS 10.0) in React Server Components.
## โ ๏ธ About the Vulnerability
On December 3, 2025, the React team disclosed a critical security vulnerability affecting React Server Components. An unauthenticated attacker can exploit a flaw in how React decodes payloads sent to React Server Function endpoints to achieve **remote code execution**.
**Affected packages:**
- `react-server-dom-webpack` versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-parcel` versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
- `react-server-dom-turbopack` versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
**Fixed versions:** 19.0.1, 19.1.2, 19.2.1
๐ [Official React Blog Post](https://react.dev/blog/2025/12/03/react-rsc-security-vulnerability)
## ๐ Quick Start
### One-liner Install & Run
```bash
curl -sSL https://raw.githubusercontent.com/umairahmadh/react-vuln-scanner/main/scan-react-vuln.sh | sudo bash
```
### Manual Installation
```bash
# Download
curl -O https://raw.githubusercontent.com/umairahmadh/react-vuln-scanner/main/scan-react-vuln.sh
# Make executable
chmod +x scan-react-vuln.sh
# Run with sudo for full system scan
sudo ./scan-react-vuln.sh
```
### System-wide Installation
```bash
sudo curl -o /usr/local/bin/scan-react-vuln https://raw.githubusercontent.com/umairahmadh/react-vuln-scanner/main/scan-react-vuln.sh
sudo chmod +x /usr/local/bin/scan-react-vuln
# Now run from anywhere
sudo scan-react-vuln
```
## ๐ What It Scans
The script scans the following locations for React applications:
| Location | Description |
|----------|-------------|
| `/root` | Root user's home directory |
| `/home/*` | All user home directories |
| `/var/www` | Common web server root |
| `/srv` | Service data directory |
| `/opt` | Optional application software |
### Exclusions (to reduce false positives)
- `node_modules/` directories
- `.cache/`, `.npm/`, `.pnpm/` directories
- WordPress directories (`wp-content/`, `wp-includes/`, `plugins/`, `themes/`)
## ๐จ Output
The scanner provides color-coded output:
- ๐ด **[VULNERABLE]** - Application has vulnerable RSC packages installed
- ๐ข **[SAFE]** - Application has React but no vulnerable packages
- ๐ก **[UPDATE RECOMMENDED]** - React version that may be affected
### Example Output
```
============================================================
React CVE-2025-55182 Vulnerability Scanner
Critical: Remote Code Execution (CVSS 10.0)
============================================================
Scanning for React applications...
Scanning: /home/deploy (owner: deploy)
[VULNERABLE] my-nextjs-app
Path: /home/deploy/my-nextjs-app
Owner: deploy
- react-server-dom-webpack@19.2.0 (VULNERABLE)
- react@19.2.0 (UPDATE RECOMMENDED)
[SAFE] my-react-spa
Path: /home/deploy/my-react-spa
Owner: deploy
- react@19.2.1
============================================================
SCAN COMPLETE
============================================================
```
## ๐ง Requirements
- **Bash 4.0+** (for associative arrays)
- **Linux/macOS** (uses `find`, `grep`, `sed`)
- **Optional:** `jq` for more reliable JSON parsing
### Check your bash version:
```bash
bash --version
```
## ๐ ๏ธ Fixing Vulnerabilities
If the scanner finds vulnerable applications, update them immediately:
### General React Apps
```bash
npm install react@latest react-dom@latest
npm install react-server-dom-webpack@latest
```
### Next.js
```bash
npm install next@15.5.7 # or latest in your release line
```
### React Router (with RSC)
```bash
npm install react@latest react-dom@latest react-server-dom-parcel@latest
```
### Waku
```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
```
## ๐ Security Notes
- Run with `sudo` to scan all user directories
- The script is read-only and does not modify any files
- Exit code `0` = no vulnerabilities found
- Exit code `1` = vulnerabilities detected (useful for CI/CD)
## ๐ License
MIT License - Free to use, modify, and distribute.
## ๐ค Contributing
Pull requests welcome! Please ensure any changes:
1. Don't introduce false positives
2. Maintain backward compatibility
3. Work without `jq` installed
## ๐ References
- [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [React Security Advisory](https://react.dev/blog/2025/12/03/react-rsc-security-vulnerability)
- [Next.js Changelog](https://nextjs.org/docs/pages/building-your-application/upgrading)
---
Made with โค๏ธ for the React community. Stay safe! ๐ก๏ธ