## https://sploitus.com/exploit?id=FF26DF37-03C4-5B28-BA2D-C3207A50F86C
# RSC Infra Scanner
`rsc_infra_scan.py` is a fast, asynchronous Python tool that **fingerprints domains for likely Next.js App Router / React Server Components (RSC) infrastructure**.
It does **not** exploit any vulnerabilities.
It only performs **passive HTTP/HTML/header fingerprinting** to help you identify targets that might be in the affected technology family (e.g. for RSC‑related CVEs).
## Target Vulnerabilities
This scanner is designed to help identify infrastructure that MAY be vulnerable to:
- **CVE-2025-55182** — Critical Remote Code Execution (RCE) vulnerability in React Server Components due to unsafe deserialization. This vulnerability allows pre-authentication remote code execution.
- **CVE-2025-66478** — Initially assigned to Next.js but marked as a duplicate of CVE-2025-55182.
### Affected Versions
- **React**: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- **Next.js**: 15.x and 16.x using the App Router
> **Important**: This tool only identifies infrastructure that *appears* to use Next.js App Router / RSC technology. It does **not** verify if a specific CVE is exploitable or if the target is running a vulnerable version. Always verify vulnerability status through proper security testing and vendor advisories.
---
## Features
- Scans a list of domains concurrently using `aiohttp`.
- Detects heuristics for:
- `window.__next_f` (Next.js App Router / RSC runtime)
- `react-server-dom-webpack`
- `id="__next"` container
- `x-nextjs-*` response headers
- `Content-Type: text/x-component`
- Assigns a **0–100 score** per domain.
- Prints a CSV‑like summary with:
- A **green `[+]` mark** for “likely RSC / Next.js infra” (score ≥ 50).
- A **red `[-]` mark** for “unlikely / not detected” or errors.
- Uses **HTTPS by default**, with HTTP fallback if there is an SSL issue.
> This tool is intended for **research and defensive security testing**. Do not use it on systems you are not authorized to test.
---
## Installation
1. Clone or download this repository.
2. Install Python dependencies:
```bash
pip install aiohttp
```
3. Ensure you have Python 3.8+.
---
## Configuration
Create a `List.txt` file in the same directory as `rsc_infra_scan.py`.
- One domain or URL per line.
- `#` at the beginning of a line is treated as a comment.
- You can mix bare domains and full URLs.
Example `List.txt`:
```text
# Example targets
example.com
https://subdomain.example.org
nextjs-demo.vercel.app
```
---
## Usage
Run the scanner from the directory containing `rsc_infra_scan.py` and `List.txt`:
```bash
python rsc_infra_scan.py
```
The script will:
- Read `List.txt`.
- De-duplicate domains.
- Probe each target concurrently.
- Print a CSV‑like table to stdout.
---
## Output Format
Header:
```text
domain,status,is_rsc_like,score,signals_or_error
```
Example rows:
```text
example.com,[+],yes,75,HTML:(window|self)\.__next_f\s*=; HDR:x-nextjs-cache=HIT
legacy-site.org,[-],no,0,
bad-ssl.test,[-],ERROR,0,SSL: CERTIFICATE_VERIFY_FAILED
```
Where:
- `status`:
- `[+]` (green in a terminal that supports ANSI) → **likely using Next.js App Router / RSC‑style infra**.
- `[-]` (red) → no strong signals or an error.
- `is_rsc_like`:
- `yes` when `score >= 50`.
- `no` otherwise.
- `score`:
- 0–100 heuristic score, based on HTML patterns and headers.
- `signals_or_error`:
- Semi‑colon separated list of matched signals (e.g. `HTML:...`, `HDR:...`) or an error message.
---
## How Detection Works (High Level)
The scanner sends a single GET request per target (with HTTP fallback if HTTPS fails) and inspects:
1. **HTML body**
- `window.__next_f` → strong Next.js App Router / RSC indicator.
- `react-server-dom-webpack` → RSC library reference.
- `id="__next"` → generic Next.js root container.
2. **Response headers**
- `x-nextjs-cache`
- `x-nextjs-matched-path`
- `x-nextjs-page`
- `x-nextjs-router-state-tree`
- `Content-Type: text/x-component`
Each signal contributes to the overall score. A score ≥ 50 means the domain is "RSC‑infra‑like".
> Note: This is **not a vulnerability scanner**. It cannot tell you if a specific CVE (such as CVE-2025-55182 or CVE-2025-66478) is exploitable, only whether the stack looks like Next.js/RSC infrastructure that *might* be affected. Always verify actual vulnerability status through proper security testing and consult official vendor advisories.
---
## Legal & Ethical Use
- Only scan systems that you:
- Own yourself, or
- Have **explicit written permission** to test.
- Do not treat heuristic detection as proof of vulnerability; always follow coordinated disclosure and patch guidance from vendors.
---
## References
For more information about the vulnerabilities this tool helps identify:
- **CVE-2025-55182**: [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- **CVE-2025-66478**: [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-66478) (marked as duplicate of CVE-2025-55182)
- React Security Advisory: Check the official React repository for security advisories
- Next.js Security Advisory: Check the official Next.js repository and [Vercel Community](https://community.vercel.com/t/security-advisory-for-cve-2025-55182-and-cve-2025-66478/29095) for updates
---
## Disclaimer
This project is provided for **educational and research purposes only**.
The author(s) are **not responsible** for any misuse or damage caused by this software.
You are solely responsible for complying with all applicable laws and regulations when using this tool.