
New Tool For Scanning Exposed ReactJS and Next.js RSC Endpoints

Security researchers have released React Server Components Surface Exposure Scanner, a free tool to detect exposed endpoints vulnerable to CVE-2025-55182.

This critical remote code execution (RCE) flaw in React Server Components (RSC) affects Next.js apps using React 19.

With a perfect CVSS score of 10.0, it allows attackers to run arbitrary code if chained with a prototype pollution attack.

The GitHub repo (fatguru/CVE-2025-55182-scanner) provides non-intrusive scanning to spot attack surfaces before exploitation.

Next.js production builds use a server manifest allowlist to block dangerous modules, such as child_process.

Direct RCE fails without polluting this manifest in memory. Webpack minification obfuscates module IDs (e.g., "vm" becomes "742"), so PoCs that hard-code module names produce false negatives.

Root paths often redirect POST requests, resulting in lost payloads. The scanner works around these issues with its probing approach.

Critical Context and Detection Challenges

CVE-2025-55182 requires an exposed RSC endpoint (text/x-component protocol) as the first step in attacks.

Standard scanners fail due to:

  • Allowlist blocks: No direct gadget execution.
  • Redirect traps: POST to / becomes GET.
  • Obfuscation: No X-Powered-By or version leaks.

CVE Detail        Value
ID                CVE-2025-55182
CVSS v3.1 Score   10.0 (Critical)
Type              RCE via RSC
Affected          React 19 / Next.js App Router
Patch Status      Patch RSC parsing; harden manifests
Source            NVD

The tool fingerprints servers with a safe payload, ["$1:aa:aa"], which triggers React 19's distinctive "Digest" error on an exposed RSC endpoint.

It probes random paths (e.g., /x7z9q2) to avoid redirects, and because it does not depend on module names it works on minified builds.

Usage, Features, and Results Guide

Basic scan: python3 cve_2025_55182_scanner.py -u http://target.com/dashboard

Bulk: python3 cve_2025_55182_scanner.py -l targets.txt -o results.csv

Custom: Add --header "Cookie: session=123" to send extra headers, or -k to skip TLS certificate verification.

v2.1 adds WAF detection (403/406 blocks), threads (-t 10), and verbose logs.

Result          Colour   Meaning
[EXPOSED]       🔴       Digest error: vulnerable surface
[SUSPICIOUS]    🟡       500 crash: potential risk
[INFO]          🔵       RSC detected, likely patched
[BLOCKED]       🟣       WAF active (good defence)
[SAFE]          🟢       No exposure
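The fingerprint probe and the result table above describe a response-classification step: one probe per target, and the response is bucketed into one of five labels. The following is an added example, not code from the fatguru/CVE-2025-55182-scanner repository, that implements that bucketing offline over constructed sample responses. The ordering of the rules and the use of the word "digest" in the response body as the marker for React 19's Digest error are assumptions made here; the article only names the payload, the random-path idea and the five labels.

```python
"""Bucket HTTP probe responses into the article's five result labels.

Added example; not the scanner's own code. Rule ordering and the
"digest" body marker are assumptions derived from the article's table.
"""
from __future__ import annotations

import csv
import io
import secrets
import string
from dataclasses import dataclass

# Fingerprint payload quoted in the article (sent as the request body).
FINGERPRINT_PAYLOAD = '["$1:aa:aa"]'


@dataclass(frozen=True)
class ProbeResponse:
    """Minimal view of one HTTP response (constructed for this example)."""
    status: int
    headers: dict[str, str]
    body: str


def random_probe_path(length: int = 6) -> str:
    """Return a path such as /x7z9q2 that no real route is likely to serve,
    so the probe is not redirected the way a POST to / often is."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def _header(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(resp: ProbeResponse) -> str:
    """Map one response onto the article's result labels.

    Order matters: a WAF block is checked first, because a 403 error page
    may itself contain the word "digest"; the Digest error is checked
    before the bare 500, because the error arrives with a 500 status.
    """
    if resp.status in (403, 406):          # WAF block (v2.1 WAF detection)
        return "BLOCKED"
    if "digest" in resp.body.lower():      # assumption: React 19 Digest error marker
        return "EXPOSED"
    if resp.status == 500:                 # crashed, but no Digest fingerprint
        return "SUSPICIOUS"
    if "text/x-component" in _header(resp.headers, "Content-Type").lower():
        return "INFO"                      # RSC protocol present, likely patched
    return "SAFE"


def results_csv(results: dict[str, str]) -> str:
    """Render {url: label} as the kind of CSV a bulk scan (-o results.csv) emits."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["url", "result"])
    for url, label in results.items():
        writer.writerow([url, label])
    return buf.getvalue()


# Constructed sample responses; the hostnames and bodies are made up.
SAMPLES: dict[str, ProbeResponse] = {
    "https://exposed.example": ProbeResponse(
        500, {"Content-Type": "text/x-component"}, '{"digest":"constructed-digest"}'),
    "https://waf.example": ProbeResponse(403, {}, "Request blocked by WAF (digest)"),
    "https://crash.example": ProbeResponse(500, {}, "Internal Server Error"),
    "https://patched.example": ProbeResponse(200, {"content-type": "text/x-component"}, "0:[]"),
    "https://static.example": ProbeResponse(200, {"Content-Type": "text/html"}, "<html></html>"),
}


def scan_samples() -> dict[str, str]:
    """Classify every constructed sample; stands in for the network loop."""
    return {url: classify(resp) for url, resp in SAMPLES.items()}


if __name__ == "__main__":
    print("probe path:", random_probe_path())
    print(results_csv(scan_samples()), end="")
```

The point a defender should take from the ordering is that a WAF block has to be recognised before the Digest check, or a blocked target that echoes part of the payload in its error page could be misreported as exposed.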

A Nuclei template (cve-2025-55182-detection.yaml) integrates with ProjectDiscovery. Use it to secure Next.js apps amid rising supply chain risks.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
