Wednesday, April 22, 2026

New Tool For Scanning Exposed ReactJS and Next.js RSC Endpoints

Security researchers have released the React Server Components Surface Exposure Scanner, a free tool that detects RSC endpoints exposed to CVE-2025-55182.

This critical remote code execution (RCE) flaw sits in the React Server Components (RSC) packages shipped with React 19, and its most common deployment is Next.js applications using the App Router.

Rated at the maximum CVSS score of 10.0, it lets an attacker run arbitrary code on the server when chained with a prototype pollution attack.

The GitHub repository (fatguru/CVE-2025-55182-scanner) performs non-intrusive scanning so defenders can map the exposed attack surface before it is exploited.

Next.js production builds gate server-side module loading through a server manifest that acts as an allowlist, so dangerous modules such as child_process are refused.

Direct RCE therefore fails unless that manifest is first polluted in memory. Webpack minification also replaces module names with numeric IDs (for example, "vm" becomes "742"), so proof-of-concept exploits that hard-code module names produce false negatives.

Root paths frequently answer a POST with a redirect, and the redirected request arrives as a GET with the payload stripped. The scanner sidesteps all three problems by fingerprinting the RSC layer itself rather than attempting exploitation.

Critical Context and Detection Challenges

Every attack on CVE-2025-55182 starts with an exposed RSC endpoint, that is, a route that accepts the Flight protocol served as text/x-component.

Standard scanners fail for three reasons:

  • Allowlist blocks: no gadget module can be executed directly.
  • Redirect traps: a POST to / is turned into a GET, losing the payload.
  • Obfuscation: minified builds leak no X-Powered-By header or version string.

CVE detail        Value
ID                CVE-2025-55182
CVSS v3.1 score   10.0 (Critical)
Type              RCE via RSC
Affected          React 19 RSC packages / Next.js App Router
Patch status      Fixed in React 19 patch releases (19.0.1, 19.1.2, 19.2.1); Next.js ships matching patch releases. Upgrade, and harden server manifests.
Source            NVD

The tool fingerprints a target by sending the harmless payload ["$1:aa:aa"], an RSC reference the server cannot resolve; an exposed React 19 endpoint answers with its distinctive "Digest" error chunk rather than executing anything.

It sends the probe to a random, non-existent path (for example, /x7z9q2) so that root-path redirects never swallow the POST, and because it never needs module names it works against minified builds.

Usage, Features, and Results Guide

Basic scan: python3 cve_2025_55182_scanner.py -u http://target.com/dashboard

Bulk scan: python3 cve_2025_55182_scanner.py -l targets.txt -o results.csv

Custom requests: add --header "Cookie: session=123" to scan behind authentication, or -k to skip TLS certificate verification.

Version 2.1 adds WAF detection (403/406 responses), multithreading (-t 10) and verbose logging.

Result / colour      Meaning
[EXPOSED] 🔴        Digest error returned: vulnerable surface
[SUSPICIOUS] 🟡     500 crash: potential risk
[INFO] 🔵           RSC detected, likely patched
[BLOCKED] 🟣        WAF active (good defence)
[SAFE] 🟢           No exposure

A Nuclei template (cve-2025-55182-detection.yaml) is included for ProjectDiscovery's Nuclei, so the check can run alongside existing scan pipelines. Use it to find exposed Next.js apps amid rising supply chain risks.
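An illustrative Nuclei template with the same fingerprint, added here as an example; it is not the repository's cve-2025-55182-detection.yaml. It assumes the same probe shape as described above (a POST to a random path with a dummy Next-Action header and the ["$1:aa:aa"] body) and flags a target only when the reply is served as text/x-component and carries a "digest" error chunk.

```yaml
id: cve-2025-55182-rsc-exposure

info:
  name: React Server Components endpoint exposure (CVE-2025-55182)
  author: example-editor   # assumed placeholder, not the repo author
  severity: critical
  description: |
    Sends the harmless RSC reference ["$1:aa:aa"] to a random path so
    root-path redirects cannot swallow the POST. An exposed React 19 RSC
    endpoint answers with a Flight error chunk containing "digest".
  tags: cve,cve2025,react,nextjs,rsc

http:
  - raw:
      - |
        POST /{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Accept: text/x-component
        Content-Type: text/plain;charset=UTF-8
        Next-Action: 0000000000000000000000000000000000000000

        ["$1:aa:aa"]

    # Do not follow 3xx: the redirected request would become a GET without the body.
    redirects: false

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "text/x-component"
      - type: word
        part: body
        words:
          - '"digest"'
```

A 403 or 406 reply does not match, which mirrors the scanner's BLOCKED outcome; a bare 500 without a digest chunk also does not match and should be reviewed manually, as the scanner's SUSPICIOUS label suggests.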

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.