{"id":43673922,"url":"https://github.com/assetnote/react2shell-scanner","last_synced_at":"2026-02-05T00:40:46.955Z","repository":{"id":327642551,"uuid":"1109700440","full_name":"assetnote/react2shell-scanner","owner":"assetnote","description":"High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 \u0026 CVE-2025-66478)","archived":false,"fork":false,"pushed_at":"2025-12-07T04:16:46.000Z","size":48,"stargazers_count":1082,"open_issues_count":5,"forks_count":125,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-12-08T04:56:55.170Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/assetnote.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-04T06:55:04.000Z","updated_at":"2025-12-08T04:54:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/assetnote/react2shell-scanner","commit_stats":null,"previous_names":["assetnote/react2shell-scanner"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/assetnote/react2shell-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Freact2shell-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Freact2shell-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Freact2shell-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Freact2shell-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/assetnote","download_url":"https://codeload.github.com/assetnote/react2shell-scanner/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Freact2shell-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29103453,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T22:44:52.815Z","status":"ssl_error","status_checked_at":"2026-02-04T22:44:16.428Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-05T00:40:46.366Z","updated_at":"2026-02-05T00:40:46.948Z","avatar_url":"https://github.com/assetnote.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# react2shell-scanner\n\nA command-line tool for detecting CVE-2025-55182 and CVE-2025-66478 in Next.js applications using React Server Components.\n\nFor technical details on the vulnerability and detection methodology, see our blog post: https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478\n\n## How It Works\n\nBy default, the scanner sends a crafted multipart POST request containing an RCE proof-of-concept payload that executes a deterministic math operation (`41*271 = 11111`). Vulnerable hosts return the result in the `X-Action-Redirect` response header as `/login?a=11111`.\n\nThe scanner tests the root path (`/`) by default. Use `--path` or `--path-file` to test custom paths. If not vulnerable, it follows same-host redirects (e.g., `/` to `/en/`) and tests the redirect destination. Cross-origin redirects are not followed.\n\n### Safe Check Mode\n\nThe `--safe-check` flag uses an alternative detection method that relies on side-channel indicators (500 status code with specific error digest) without executing code on the target. Use this mode when RCE execution is not desired.\n\n### WAF Bypass\n\nThe `--waf-bypass` flag prepends random junk data to the multipart request body. This can help evade WAF content inspection that only analyzes the first portion of request bodies. The default size is 128KB, configurable via `--waf-bypass-size`. When WAF bypass is enabled, the timeout is automatically increased to 20 seconds (unless explicitly set).\n\n### Vercel WAF Bypass\n\nThe `--vercel-waf-bypass` flag uses an alternative payload variant specifically designed to bypass Vercel WAF protections. This uses a different multipart structure with an additional form field.\n\n### Windows Mode\n\nThe `--windows` flag switches the payload from Unix shell (`echo $((41*271))`) to PowerShell (`powershell -c \"41*271\"`) for targets running on Windows.\n\n## Requirements\n\n- Python 3.9+\n- requests\n- tqdm\n\n## Installation\n\n```\npip install -r requirements.txt\n```\n\n## Usage\n\nScan a single host:\n\n```\npython3 scanner.py -u https://example.com\n```\n\nScan a list of hosts:\n\n```\npython3 scanner.py -l hosts.txt\n```\n\nScan with multiple threads and save results:\n\n```\npython3 scanner.py -l hosts.txt -t 20 -o results.json\n```\n\nScan with custom headers:\n\n```\npython3 scanner.py -u https://example.com -H \"Authorization: Bearer token\" -H \"Cookie: session=abc\"\n```\n\nUse safe side-channel detection:\n\n```\npython3 scanner.py -u https://example.com --safe-check\n```\n\nScan Windows targets:\n\n```\npython3 scanner.py -u https://example.com --windows\n```\n\nScan with WAF bypass:\n\n```\npython3 scanner.py -u https://example.com --waf-bypass\n```\n\nScan custom paths:\n\n```\npython3 scanner.py -u https://example.com --path /_next\npython3 scanner.py -u https://example.com --path /_next --path /api\npython3 scanner.py -u https://example.com --path-file paths.txt\n```\n\n## Options\n\n```\n-u, --url         Single URL to check\n-l, --list        File containing hosts (one per line)\n-t, --threads     Number of concurrent threads (default: 10)\n--timeout         Request timeout in seconds (default: 10)\n-o, --output      Output file for results (JSON)\n--all-results     Save all results, not just vulnerable hosts\n-k, --insecure    Disable SSL certificate verification\n-H, --header      Custom header (can be used multiple times)\n-v, --verbose     Show response details for vulnerable hosts\n-q, --quiet       Only output vulnerable hosts\n--no-color        Disable colored output\n--safe-check      Use safe side-channel detection instead of RCE PoC\n--windows         Use Windows PowerShell payload instead of Unix shell\n--waf-bypass      Add junk data to bypass WAF content inspection\n--waf-bypass-size Size of junk data in KB (default: 128)\n--path            Custom path to test (can be used multiple times)\n--path-file       File containing paths to test (one per line)\n```\n\n## Credits\n\nThe RCE PoC was originally disclosed by [@maple3142](https://x.com/maple3142) -- we are incredibly grateful for their work in publishing a working PoC.\n\nThis tooling originally was built out as a safe way to detect the RCE. This functionality is still available via `--safe-check`, the \"safe detection\" mode.\n\n- Assetnote Security Research Team - [Adam Kues, Tomais Williamson, Dylan Pindur, Patrik Grobshäuser, Shubham Shah](https://x.com/assetnote)\n- [xEHLE_](https://x.com/xEHLE_) - RCE output reflection in resp header\n- [Nagli](https://x.com/galnagli)\n\n## Output\n\nResults are printed to the terminal. When using `-o`, vulnerable hosts are saved to a JSON file containing the full HTTP request and response for verification.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fassetnote%2Freact2shell-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fassetnote%2Freact2shell-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fassetnote%2Freact2shell-scanner/lists"}