alessiodos/react2shell-scanner
# react2shell-scanner

Python 3.9+ MIT License CVE-2025-55182 CVE-2025-66478

A high-fidelity command-line vulnerability scanner for detecting CVE-2025-55182 and CVE-2025-66478 (Remote Code Execution) in Next.js applications using React Server Components (RSC).

## 🚨 Vulnerability Overview

These critical vulnerabilities affect Next.js applications using React Server Components, allowing unauthenticated remote code execution through crafted multipart POST requests.

Affected versions:

- Next.js versions using React Server Components with vulnerable action handling

For technical details, see: Assetnote Research

## ⚙️ How It Works

The scanner sends a crafted multipart POST request containing an RCE proof-of-concept payload that evaluates a deterministic arithmetic expression (41*271 = 11111). A vulnerable host echoes the result in the `X-Action-Redirect` response header as `/login?a=11111`; that header value is the scanner's vulnerability indicator.

### Detection Modes

| Mode | Description | Use Case |
|------|-------------|----------|
| RCE PoC (default) | Executes a harmless math operation on the target | Quick vulnerability confirmation |
| Safe Check | Side-channel detection via error responses | When code execution is not desired |

## 📦 Installation

```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/react2shell-scanner.git
cd react2shell-scanner

# Install dependencies
pip install -r requirements.txt
```

## 🚀 Usage

### Basic Scan

```bash
# Scan a single target
python scanner.py -u https://example.com

# Scan multiple targets from file
python scanner.py -l hosts.txt
```

### Advanced Options

```bash
# Multi-threaded scan with JSON output
python scanner.py -l hosts.txt -t 20 -o results.json

# Scan with custom headers
python scanner.py -u https://example.com -H "Authorization: Bearer token" -H "Cookie: session=abc"

# Safe detection mode (no code execution)
python scanner.py -u https://example.com --safe-check

# Scan Windows targets
python scanner.py -u https://example.com --windows

# WAF bypass mode
python scanner.py -u https://example.com --waf-bypass

# Vercel-specific WAF bypass
python scanner.py -u https://example.com --vercel-waf-bypass

# Combine options
python scanner.py -l hosts.txt -t 50 --waf-bypass --windows -o results.json
```

## 📋 Options Reference

| Option | Description |
|--------|-------------|
| `-u, --url` | Single URL to check |
| `-l, --list` | File containing hosts (one per line) |
| `-t, --threads` | Number of concurrent threads (default: 10) |
| `--timeout` | Request timeout in seconds (default: 10) |
| `-o, --output` | Output file for results (JSON format) |
| `--all-results` | Save all results, not just vulnerable hosts |
| `-v, --verbose` | Include response body in output |
| `-q, --quiet` | Only output vulnerable hosts |
| `--no-color` | Disable colored terminal output |
| `-k, --insecure` | Disable SSL certificate verification |
| `-H, --header` | Custom header (can be used multiple times) |
| `--safe-check` | Use safe side-channel detection instead of RCE PoC |
| `--windows` | Use Windows PowerShell payload instead of Unix shell |
| `--waf-bypass` | Add junk data to bypass WAF content inspection |
| `--waf-bypass-size` | Size of junk data in KB (default: 128) |
| `--vercel-waf-bypass` | Use Vercel WAF bypass payload variant |

## 📊 Output Example

```text
╔═══════════════════════════════════════════════════════════════╗
║                    react2shell-scanner                        ║
║   CVE-2025-55182 & CVE-2025-66478 Detection Tool             ║
╚═══════════════════════════════════════════════════════════════╝

┌─────────────────────────────────────────────────────────────┐
│                    SCAN CONFIGURATION                       │
├─────────────────────────────────────────────────────────────┤
│  Targets:          5                                        │
│  Threads:          10                                       │
│  Detection Mode:   RCE PoC                                  │
│  Payload Type:     Unix (Shell)                             │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│  TARGET: https://example.com                                │
├─────────────────────────────────────────────────────────────┤
│  Status:           🟢 SAFE                                  │
│  HTTP Status:      200                                      │
│  Response Time:    245.32ms                                 │
│  Server:           Vercel                                   │
└─────────────────────────────────────────────────────────────┘

═════════════════════════════════════════════════════════════════
                         SCAN SUMMARY
═════════════════════════════════════════════════════════════════
  Total Targets:     5
  Vulnerable:        0
  Safe:              5
  Total Scan Time:   2.34s
═════════════════════════════════════════════════════════════════
```

## 📁 Output Format

When using `-o results.json`, results are saved in JSON format:

```json
[
  {
    "url": "https://vulnerable-site.com",
    "vulnerable": true,
    "message": "RCE confirmed: X-Action-Redirect = /login?a=11111",
    "status_code": 200,
    "response_time": 342.15,
    "server": "Next.js",
    "payload_type": "rce-poc (Unix)",
    "x_action_redirect": "/login?a=11111"
  }
]
```
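As an added example (not code from the react2shell-scanner project), the following helpers show how a defender can consume the two artifacts this README describes: the `X-Action-Redirect: /login?a=11111` indicator from the How It Works section, and the `results.json` array above. The header check is generalised to verify that the echoed number is actually the product 41*271, and the JSON triage cross-checks each `vulnerable` record against that indicator; the sample records and hostnames are constructed.

```python
"""Added example (not part of react2shell-scanner): defender-side helpers for the
scanner's success indicator and its results.json output format."""
import json
import re
from typing import Any, Dict, List, Optional

# The README's PoC evaluates 41*271; a vulnerable host echoes the result
# in the X-Action-Redirect response header as /login?a=11111.
POC_FACTORS = (41, 271)
EXPECTED_RESULT = POC_FACTORS[0] * POC_FACTORS[1]  # 11111
REDIRECT_RE = re.compile(r"^/login\?a=(\d+)$")


def poc_result_echoed(headers: Dict[str, Optional[str]]) -> bool:
    """True when a response header set carries the scanner's RCE indicator.

    Header names are compared case-insensitively (HTTP header names are
    case-insensitive), and the numeric part must equal the PoC product so a
    redirect that merely looks similar is not mistaken for a confirmation."""
    for name, value in headers.items():
        if name.lower() != "x-action-redirect" or not value:
            continue
        match = REDIRECT_RE.match(value.strip())
        if match and int(match.group(1)) == EXPECTED_RESULT:
            return True
    return False


def vulnerable_hosts(results_json: str) -> List[str]:
    """Parse a results.json array and list the URLs flagged vulnerable whose
    x_action_redirect field is consistent with the PoC indicator.

    Records flagged vulnerable without a matching indicator (for example a
    hand-edited or truncated file) are dropped rather than trusted blindly."""
    records: List[Dict[str, Any]] = json.loads(results_json)
    hosts: List[str] = []
    for rec in records:
        if not rec.get("vulnerable"):
            continue
        if poc_result_echoed({"X-Action-Redirect": rec.get("x_action_redirect")}):
            hosts.append(rec["url"])
    return hosts


# Constructed sample in the README's output format (placeholder hostnames).
SAMPLE_RESULTS = json.dumps([
    {"url": "https://vulnerable.example", "vulnerable": True,
     "x_action_redirect": "/login?a=11111", "status_code": 200},
    {"url": "https://patched.example", "vulnerable": False,
     "x_action_redirect": None, "status_code": 200},
    {"url": "https://suspect.example", "vulnerable": True,
     "x_action_redirect": "/login?a=12345", "status_code": 200},
])
```

Feeding captured response headers to `poc_result_echoed` lets a blue team confirm from their own logs whether a probe against a host actually achieved code execution rather than merely eliciting an error.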

## ⚠️ Disclaimer

This tool is intended for authorized security testing only. Only use this scanner against systems you have explicit permission to test. Unauthorized access to computer systems is illegal.

The authors are not responsible for any misuse or damage caused by this tool.

## 🙏 Credits

## 📄 License

MIT License - See LICENSE file for details.

## 🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
