React2Shell Scanner
Check if your site is vulnerable to React2Shell (CVE-2025-55182)
What is React2Shell?
A security scanner for CVE-2025-55182, a critical RCE in React Server Components.
Passive Check: This scanner performs a non-intrusive assessment of your site's headers and response signatures. It does not execute the RCE vulnerability or harm your server.
1. Vulnerability Overview
CVE-2025-55182 is a critical (CVSS 10.0) remote code execution vulnerability affecting React 19.x and Next.js 15.x/16.x.
Apps created with create-next-app are often vulnerable by default if not updated.
2. How it Works
- Fingerprinting: Identifies Next.js and RSC usage via passive header analysis.
- Safe Probing: Sends a non-destructive POST request with a validated RSC probe (multipart body, shown one line per part):
  ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
  Content-Disposition: form-data; name="1"
  {}
  ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
  Content-Disposition: form-data; name="0"
  ["$1:a:a"]
  ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
- Analysis: Evaluates the response for HTTP 500 and the E{"digest" signature to confirm vulnerability without execution.
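The fingerprinting and analysis steps above, as an added Python example that is not the scanner's own code: it works only on an already-captured HTTP response (for instance the output of a request you made against your own staging deployment), fingerprints Next.js/RSC from the headers, and checks for the HTTP 500 plus E{"digest" signature. It builds and sends nothing. The X-Powered-By and text/x-component indicators used for fingerprinting, and the three sample responses, are assumptions constructed for the example, not values from this page.

```python
"""Response-side classification for a React2Shell (CVE-2025-55182) check.

Added example, not the scanner's code. Only the read-only half of the
workflow is reproduced: given a captured HTTP response, fingerprint
Next.js / RSC from headers and look for the 500 + E{"digest" signature.
"""
from dataclasses import dataclass

# Assumed fingerprint indicators (not stated on the page): Next.js
# advertises itself in X-Powered-By, and RSC payloads use the
# text/x-component media type.
NEXT_POWERED_BY = "next.js"
RSC_CONTENT_TYPE = "text/x-component"

# Signature the page describes: a 500 whose body carries a serialised
# RSC error row beginning E{"digest" ...
ERROR_SIGNATURE = 'E{"digest"'


@dataclass
class Verdict:
    nextjs: bool      # X-Powered-By names Next.js
    rsc: bool         # response is an RSC (text/x-component) payload
    signature: bool   # HTTP 500 and the E{"digest" marker are both present

    @property
    def fingerprinted(self) -> bool:
        return self.nextjs or self.rsc

    @property
    def vulnerable(self) -> bool:
        # Per the page, the 500 + digest signature is what confirms it.
        return self.signature


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.1 response (e.g. `curl -i` output) into
    (status, headers, body). Header names are kept as sent."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def fingerprint(headers: dict):
    """Passive header check; returns (is_nextjs, is_rsc)."""
    h = {k.lower(): v for k, v in headers.items()}
    nextjs = NEXT_POWERED_BY in h.get("x-powered-by", "").lower()
    rsc = RSC_CONTENT_TYPE in h.get("content-type", "").lower()
    return nextjs, rsc


def analyse(status: int, headers: dict, body: str) -> Verdict:
    nextjs, rsc = fingerprint(headers)
    # A generic 500 (no digest row) must NOT count as the signature.
    signature = status == 500 and ERROR_SIGNATURE in body
    return Verdict(nextjs=nextjs, rsc=rsc, signature=signature)


def classify(raw: str) -> Verdict:
    """One-shot: raw captured response -> Verdict."""
    return analyse(*parse_raw_response(raw))


# Constructed sample responses (not real captures); only the
# E{"digest" prefix matters to the check, the digest value is a placeholder.
SAMPLE_SIGNATURE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "X-Powered-By: Next.js\r\n"
    "Content-Type: text/x-component\r\n"
    "\r\n"
    '0:E{"digest":"CONSTRUCTED_DIGEST"}\n'
)
SAMPLE_GENERIC_500 = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Internal Server Error</h1>"
)
SAMPLE_HEALTHY_RSC = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: Next.js\r\n"
    "Content-Type: text/x-component\r\n"
    "\r\n"
    '0:["$","div",null,{"children":"ok"}]\n'
)

if __name__ == "__main__":
    for name, raw in [("signature", SAMPLE_SIGNATURE),
                      ("generic-500", SAMPLE_GENERIC_500),
                      ("healthy-rsc", SAMPLE_HEALTHY_RSC)]:
        v = classify(raw)
        print(f"{name:12s} fingerprinted={v.fingerprinted} vulnerable={v.vulnerable}")
```

Feed it the raw response you captured yourself; the three constructed samples show the three outcomes the analysis step has to tell apart: the digest-carrying 500, an unrelated 500 from some other error, and a healthy RSC response that is fingerprinted but not flagged.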
Affects: React 19.x, Next.js 15.x/16.x (App Router)
Impact: Unauthenticated RCE via HTTP request
Fix: Update to [email protected]+, [email protected]+