React2Shell Scanner

Check if your site is vulnerable to React2Shell (CVE-2025-55182)

Passive check: This assessment only analyzes public response signatures and headers. No code is executed on your server.

What is React2Shell?

React2Shell is the name given to CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). This page hosts a scanner that checks whether a site is exposed to it.

1. Vulnerability Overview

CVE-2025-55182 is a critical (CVSS 10.0) remote code execution vulnerability affecting React 19.x and Next.js 15.x/16.x.

Apps scaffolded with create-next-app use the App Router and therefore RSC, so they are exposed unless their react and next dependencies have been updated to patched releases.

2. How it Works

  • Fingerprinting: Identifies Next.js and RSC usage from response headers alone, before any probe is sent.
  • Safe Probing: Sends a single non-destructive POST request whose body is a deliberately malformed RSC payload that references no real module and carries no executable content:
    1:I["$","invalid",null]
    0:{"invalid":true}
  • Analysis: Reads the error digests the server returns for that payload and compares them against the signatures of patched and unpatched builds; the vulnerability itself is never triggered.
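The three steps above as an offline model, added here as an example and not the scanner's own code. It fingerprints Next.js and RSC from response headers, builds the probe request around the exact malformed payload quoted above, and parses an RSC Flight response to pull out error digests. Assumptions: X-Powered-By: Next.js, the text/x-component media type and a Vary on the RSC header are used as fingerprint indicators; the page does not list the probe's request headers, so a Next-Action header with a placeholder value is assumed; the Flight row grammar (numeric id, optional one-letter tag, JSON) and the sample headers and bodies are constructed. The rule that maps digests to a verdict is the scanner's own and is not on the page, so the code reports what it observed rather than deciding.

```python
import json
import re
from typing import Dict, List, Tuple

# Exact probe body from the page: an 'I' (import) row with an invalid module
# reference followed by a model row of an unexpected shape.
PROBE_PAYLOAD = '1:I["$","invalid",null]\n0:{"invalid":true}\n'

# Assumed Flight row grammar: <numeric id>:<optional single uppercase tag><JSON>
_ROW_RE = re.compile(r'^(\d+):([A-Z]?)(.*)$')


def fingerprint(headers: Dict[str, str]) -> Dict[str, bool]:
    """Passive fingerprint from response headers only; nothing is sent."""
    h = {k.lower(): v for k, v in headers.items()}
    content_type = h.get("content-type", "").lower()
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    return {
        "nextjs": "next.js" in h.get("x-powered-by", "").lower(),
        # text/x-component is the RSC Flight media type; a Vary on the RSC
        # request header shows the route negotiates RSC responses (assumed indicators).
        "rsc": content_type.startswith("text/x-component") or "rsc" in vary,
    }


def build_probe(url: str) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, url, headers, body) for the safe probe.

    Request headers are not given on the page; a Next.js server-action POST
    carries a Next-Action header, so one is assumed here with a placeholder id.
    """
    headers = {
        "Content-Type": "text/plain;charset=UTF-8",
        "Accept": "text/x-component",
        "Next-Action": "0" * 40,  # assumed placeholder, not a real action id
    }
    return "POST", url, headers, PROBE_PAYLOAD


def parse_flight_rows(body: str) -> List[Tuple[int, str, object]]:
    """Split a Flight response into (row_id, tag, parsed_payload) tuples.

    Rows whose payload is not valid JSON keep the raw string, so a partially
    garbled response still yields the rows that did parse.
    """
    rows = []
    for line in body.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        row_id, tag, raw = int(m.group(1)), m.group(2), m.group(3)
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            payload = raw
        rows.append((row_id, tag, payload))
    return rows


def error_digests(body: str) -> List[str]:
    """Collect 'digest' values from error ('E') rows of a Flight response."""
    digests = []
    for _, tag, payload in parse_flight_rows(body):
        if tag == "E" and isinstance(payload, dict) and "digest" in payload:
            digests.append(str(payload["digest"]))
    return digests


def assess(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Combine fingerprint and error-row analysis into a scanner-style record.

    Which digests mark a vulnerable build is the scanner's own rule and is not
    on the page, so this records the evidence without issuing a verdict.
    """
    return {
        **fingerprint(headers),
        "flight_rows": len(parse_flight_rows(body)),
        "digests": error_digests(body),
    }


if __name__ == "__main__":
    # Constructed sample: Next.js headers plus a Flight body containing an error row.
    sample_headers = {
        "X-Powered-By": "Next.js",
        "Content-Type": "text/x-component",
        "Vary": "RSC, Next-Router-State-Tree, Next-Router-Prefetch",
    }
    sample_body = '0:{"a":"$@1"}\n1:E{"digest":"1234567890","message":"boom"}\n'
    print(build_probe("https://example.invalid/")[0:3])
    print(assess(sample_headers, sample_body))
```

To turn this into a live check, send the tuple from build_probe with any HTTP client and pass the response headers and body to assess; the payload never resolves a real module, so a patched server should answer with a structured error rather than executing anything.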

Affects: React 19.x, Next.js 15.x/16.x (App Router)

Impact: Unauthenticated RCE via HTTP request

Fix: Update to a patched release on your line: react@19.1.2 or later on that line, next@15.2.6 or later on that line. Check the advisory for the patched version of the minor you are on rather than assuming every higher version is fixed.