Share
## https://sploitus.com/exploit?id=C3A11A68-BF9C-5D9F-9982-2480B4EC6C95
# CVE-2025-55182 / CVE-2025-66478 Vulnerability Scanner

**React Server Components Flight Protocol Remote Code Execution Detection Tool**

![CVSS Score](https://img.shields.io/badge/CVSS-10.0%20Critical-red)
![Disclosure Date](https://img.shields.io/badge/Disclosed-December%203%2C%202025-blue)
![License](https://img.shields.io/badge/License-Internal%20Use-yellow)

---

## Executive Summary

This scanner identifies systems potentially vulnerable to CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), critical unauthenticated remote code execution vulnerabilities in the React Server Components (RSC) "Flight" protocol.

**Key Risk Factors:**
- CVSS 10.0 - Maximum severity
- Unauthenticated - No login required
- Remote - Exploitable over the network
- Default configurations affected
- Near 100% exploitation reliability reported

---

## Table of Contents

1. [Vulnerability Overview](#vulnerability-overview)
2. [How the Scanner Works](#how-the-scanner-works)
3. [Installation](#installation)
4. [Usage](#usage)
5. [Understanding Results](#understanding-results)
6. [Confidence Levels](#confidence-levels)
7. [Limitations](#limitations)
8. [Recommendations](#recommendations)
9. [References](#references)

---

## Vulnerability Overview

### What is CVE-2025-55182?

A critical insecure deserialization vulnerability in React's Server Components implementation. The RSC "Flight" protocol fails to properly validate the structure and types of incoming payloads, allowing attackers to inject malicious data that influences server-side execution.

### Affected Components

| Package | Vulnerable Versions | Patched Versions |
|---------|---------------------|------------------|
| react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js | 14.3.0-canary.77+, 15.x, 16.0.0-16.0.6 | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |

### Affected Frameworks

- Next.js (App Router)
- React Router (RSC preview)
- Vite RSC plugin
- Parcel RSC plugin
- RedwoodJS (RedwoodSDK)
- Waku

### Attack Vector

```
Attacker โ†’ Crafted HTTP POST โ†’ RSC Endpoint โ†’ Deserialization โ†’ RCE
```

The attack requires only a specially crafted HTTP request to any Server Function endpoint. No authentication is needed, and default configurations are vulnerable.

---

## How the Scanner Works

### Detection Methodology

The scanner uses **passive fingerprinting** and **protocol probing** to identify potentially vulnerable systems. It does NOT attempt exploitation.

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                     DETECTION PIPELINE                          โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                                                                 โ”‚
โ”‚  1. Framework Detection                                         โ”‚
โ”‚     โ”œโ”€โ”€ HTTP Headers (X-Powered-By: Next.js)                   โ”‚
โ”‚     โ”œโ”€โ”€ Page Source (__NEXT_DATA__, react artifacts)           โ”‚
โ”‚     โ””โ”€โ”€ Build Manifests                                         โ”‚
โ”‚                                                                 โ”‚
โ”‚  2. Version Fingerprinting                                      โ”‚
โ”‚     โ”œโ”€โ”€ Embedded version strings in JS bundles                 โ”‚
โ”‚     โ”œโ”€โ”€ Package version patterns                                โ”‚
โ”‚     โ””โ”€โ”€ Build manifest analysis                                 โ”‚
โ”‚                                                                 โ”‚
โ”‚  3. RSC Endpoint Discovery                                      โ”‚
โ”‚     โ”œโ”€โ”€ Send RSC headers (RSC: 1, Accept: text/x-component)    โ”‚
โ”‚     โ”œโ”€โ”€ Analyze response Content-Type                          โ”‚
โ”‚     โ””โ”€โ”€ Detect Flight protocol markers in response             โ”‚
โ”‚                                                                 โ”‚
โ”‚  4. Server Actions Probing                                      โ”‚
โ”‚     โ”œโ”€โ”€ POST request with minimal Flight payload               โ”‚
โ”‚     โ”œโ”€โ”€ Check for deserialization processing                   โ”‚
โ”‚     โ””โ”€โ”€ Identify action endpoints                              โ”‚
โ”‚                                                                 โ”‚
โ”‚  5. Vulnerability Assessment                                    โ”‚
โ”‚     โ”œโ”€โ”€ Correlate version with known vulnerable ranges         โ”‚
โ”‚     โ”œโ”€โ”€ Weight RSC endpoint presence                           โ”‚
โ”‚     โ””โ”€โ”€ Generate confidence-scored verdict                     โ”‚
โ”‚                                                                 โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Technical Detection Methods

#### 1. Framework Detection

| Indicator | Detection Method | Confidence |
|-----------|------------------|------------|
| `X-Powered-By: Next.js` | HTTP header inspection | High |
| `__NEXT_DATA__` script tag | HTML source parsing | High |
| `/_next/` asset paths | HTML source parsing | Medium |
| React hydration markers | HTML source parsing | Medium |

#### 2. RSC Protocol Detection

The Flight protocol uses a specific wire format:

```
0:["$","div",null,{"children":"Hello"}]
1:["$","$L1",null,{}]
2:{"name":"ServerComponent"}
```

The scanner looks for:
- `text/x-component` Content-Type
- Chunk format: `{number}:{payload}`
- Reference markers: `$`, `$L`, `$F`, `$@`, `$undefined`

#### 3. Version Fingerprinting

Searches for version patterns in:
- JavaScript bundles (`/_next/static/chunks/`)
- Build manifests
- Inline scripts
- Package references (`react@19.x.x`)

---

## Installation

### Requirements

- Python 3.8+
- `requests` library

### Setup

```bash
# Clone or download the scanner files
# Install dependencies
pip install -r requirements.txt

# Verify installation
python3 cve-2025-55182-scanner.py --help
```

---

## Usage

### Basic Scan

```bash
# Single target
python3 cve-2025-55182-scanner.py -t https://example.com

# With verbose output
python3 cve-2025-55182-scanner.py -t https://example.com -v
```

### Batch Scanning

```bash
# Create targets file (one URL per line)
echo "https://app1.example.com" > targets.txt
echo "https://app2.example.com" >> targets.txt

# Scan all targets
python3 cve-2025-55182-scanner.py -f targets.txt -o results.json
```

### Advanced Options

```bash
python3 cve-2025-55182-scanner.py -t https://example.com \
    --timeout 15 \
    --threads 10 \
    --user-agent "SecurityAudit/1.0" \
    -v \
    -o scan_results.json
```

### Command Line Options

| Option | Description | Default |
|--------|-------------|---------|
| `-t, --target` | Single target URL | - |
| `-f, --file` | File with target list | - |
| `-o, --output` | JSON output file | - |
| `-v, --verbose` | Show detailed evidence | False |
| `--timeout` | Request timeout (seconds) | 10 |
| `--threads` | Concurrent threads | 5 |
| `--verify-ssl` | Verify SSL certificates | False |
| `--user-agent` | Custom User-Agent | Mozilla/5.0... |
| `--no-banner` | Suppress banner | False |

### Using the RSC Analyzer Module

For deeper protocol analysis:

```bash
python3 rsc_analyzer.py https://example.com
```

This provides detailed Flight protocol analysis and component enumeration.

---

## Understanding Results

### Status Categories

| Status | Meaning | Action Required |
|--------|---------|-----------------|
| ๐Ÿ”ด **VULNERABLE** | Confirmed vulnerable version detected | **Immediate patching** |
| ๐Ÿ”ด **LIKELY_VULNERABLE** | React 19.x with RSC, version in vulnerable range | **Urgent patching** |
| ๐ŸŸก **POTENTIALLY_VULNERABLE** | RSC endpoints found, version unknown | **Investigate & patch** |
| ๐ŸŸข **NOT_VULNERABLE** | Patched version confirmed | Monitor for updates |
| ๐Ÿ”ต **UNKNOWN** | Could not determine status | Manual verification needed |
| โšช **ERROR** | Scan failed | Retry or manual check |

### Sample Output

```
======================================================================
Target: https://app.example.com
Status: VULNERABLE
Framework: Next.js
Version: 19.1.0
RSC Endpoints: /, /_next/data

Evidence:
  - X-Powered-By header: Next.js
  - React version detected: 19.1.0
  - RSC Flight response at / (Content-Type: text/x-component)
  - Flight protocol markers detected at /

Recommendations:
  โ†’ CRITICAL: Immediate patching required!
  โ†’ Upgrade React to 19.0.1, 19.1.2, or 19.2.1
  โ†’ Upgrade Next.js to latest patched version (15.0.5+, 16.0.7)
  โ†’ Enable WAF rules to block malicious RSC payloads
  โ†’ Monitor for anomalous POST requests to RSC endpoints
======================================================================
```

### JSON Output Format

```json
{
  "target": "https://app.example.com",
  "status": "VULNERABLE",
  "framework": "Next.js",
  "version": "19.1.0",
  "rsc_endpoints": ["/", "/_next/data"],
  "evidence": [
    "X-Powered-By header: Next.js",
    "React version detected: 19.1.0",
    "RSC Flight response at / (Content-Type: text/x-component)"
  ],
  "recommendations": [
    "CRITICAL: Immediate patching required!",
    "Upgrade React to 19.0.1, 19.1.2, or 19.2.1"
  ]
}
```

---

## Confidence Levels

### How Much Should You Trust the Results?

| Result Type | Confidence | Explanation |
|-------------|------------|-------------|
| **VULNERABLE with version** | **HIGH (90%+)** | Version string matched known vulnerable version |
| **VULNERABLE via header** | **HIGH (85%+)** | X-Powered-By exposed vulnerable version |
| **LIKELY_VULNERABLE** | **MEDIUM-HIGH (70-85%)** | React 19.x detected, RSC active, version not explicitly patched |
| **POTENTIALLY_VULNERABLE** | **MEDIUM (50-70%)** | RSC endpoints respond, but version unknown |
| **NOT_VULNERABLE** | **HIGH (85%+)** | Patched version explicitly detected |
| **UNKNOWN** | **LOW ( critical_findings.json
```

### CI/CD Integration

```yaml
# GitHub Actions example
- name: CVE-2025-55182 Check
  run: |
    python3 cve-2025-55182-scanner.py -t ${{ env.APP_URL }} -o results.json
    if grep -q '"status": "VULNERABLE"' results.json; then
      echo "::error::Critical vulnerability detected!"
      exit 1
    fi
```

---

## References

### Official Advisories

- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Vercel Security Notice](https://vercel.com/security)
- [NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)

### Technical Analysis

- [Wiz Research Blog](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [Snyk Advisory](https://snyk.io/blog/security-advisory-critical-rce-vulnerabilities-react-server-components/)
- [Akamai Analysis](https://www.akamai.com/blog/security-research/2025/dec/cve-2025-55182-react-nextjs-server-functions-deserialization-rce)

### Vendor Resources

- [Cloudflare WAF Rules](https://blog.cloudflare.com) - Automatic protection deployed
- [Akamai Rapid Rules](https://www.akamai.com) - Rule 3000976

---

## Changelog

| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-12-03 | Initial release |

---

## Disclaimer

This tool is provided for authorized security testing only. Only use against systems you own or have explicit written permission to test. The authors assume no liability for misuse or damage caused by this tool.

---

**Developed by Hyperdrive Security**  
*Penetration Testing & Security Assessments*