A web-based vulnerability scanner for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Server Components.
mxm0z/r2s
R2S - React2Shell Scanner

A web-based vulnerability scanner for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Server Components.

Live Scanner: https://r2s.mxm0z.com

About CVE-2025-55182

CVE-2025-55182 is a critical (CVSS 10.0) vulnerability in the React Server Components Flight protocol that allows unauthenticated attackers to execute arbitrary code on vulnerable Next.js servers via crafted HTTP requests.

Affected Versions

| Package | Vulnerable | Patched |
|---------|------------|---------|
| React | 19.0.0 | 19.0.1 |
| React | 19.1.0 - 19.1.1 | 19.1.2 |
| React | 19.2.0 | 19.2.1 |
| Next.js | 15.0.0 - 15.0.4 | 15.0.5 |
| Next.js | 15.1.0 - 15.1.8 | 15.1.9 |
| Next.js | 15.2.0 - 15.2.5 | 15.2.6 |
| Next.js | 15.3.0 - 15.3.5 | 15.3.6 |
| Next.js | 15.4.0 - 15.4.7 | 15.4.8 |
| Next.js | 15.5.0 - 15.5.6 | 15.5.7 |
| Next.js | 16.0.0 - 16.0.6 | 16.0.7 |
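Added example (not part of the r2s project): a Node.js check that reads the React and Next.js versions recorded in a package-lock.json and maps them onto the table above, so exposure can be confirmed from the lockfile instead of probing a live server. It assumes the lockfile v2/v3 layout (a `packages` map keyed by `node_modules/<name>`); the sample lock is constructed.

```javascript
// Added example (not part of the r2s project): check the React and Next.js
// versions recorded in a package-lock.json (lockfile v2/v3 "packages" map)
// against the affected-version table in this README.
// Inclusive vulnerable ranges [first, last, fixed-in], copied from the table.
const AFFECTED = {
  react: [["19.0.0", "19.0.0", "19.0.1"], ["19.1.0", "19.1.1", "19.1.2"],
          ["19.2.0", "19.2.0", "19.2.1"]],
  next: [["15.0.0", "15.0.4", "15.0.5"], ["15.1.0", "15.1.8", "15.1.9"],
         ["15.2.0", "15.2.5", "15.2.6"], ["15.3.0", "15.3.5", "15.3.6"],
         ["15.4.0", "15.4.7", "15.4.8"], ["15.5.0", "15.5.6", "15.5.7"],
         ["16.0.0", "16.0.6", "16.0.7"]],
};

// Exact release versions only: "^19.1.0" or "19.2.0-canary.3" yield null, so the
// caller reports "unknown" rather than guessing where a range or pre-release falls.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "vulnerable" (with the fixing release), "not_affected" (outside every listed
// range, e.g. React 18.x) or "unknown" (unparseable version or unlisted package).
function checkVersion(pkg, version) {
  const ranges = AFFECTED[pkg];
  const v = parseVersion(version);
  if (!ranges || !v) return { status: "unknown", fixed: null };
  const hit = ranges.find(([lo, hi]) =>
    compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) <= 0);
  return hit ? { status: "vulnerable", fixed: hit[2] } : { status: "not_affected", fixed: null };
}

// Report both packages from a parsed package-lock.json; a missing entry is "unknown".
function checkLock(lock) {
  const pkgs = (lock && lock.packages) || {};
  return Object.fromEntries(["react", "next"].map((name) => {
    const entry = pkgs[`node_modules/${name}`];
    return [name, entry ? checkVersion(name, entry.version) : { status: "unknown", fixed: null }];
  }));
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.1.1" }, "node_modules/next": { version: "15.5.7" } } };

console.log(JSON.stringify(checkLock(SAMPLE_LOCK)));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.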

How It Works

This scanner sends a safe detection payload to the target URL. The payload uses `"_prefix":"1"`, which simply evaluates to the number 1; it does not execute any code on the target server.

Detection Logic

| Response | Interpretation |
|----------|----------------|
| HTTP 500 + RSC error pattern | VULNERABLE (high confidence) |
| HTTP 500 | LIKELY VULNERABLE (medium confidence) |
| Request timeout (>6s) | POTENTIALLY VULNERABLE (medium confidence) |
| HTTP 200/404/other | NOT VULNERABLE |

Deploy Your Own

Prerequisites

Setup

```bash
# Clone the repository
git clone https://github.com/mxm0z/r2s.git
cd r2s

# Install dependencies
npm install

# Run locally
npm run dev

# Deploy to Cloudflare Pages
npm run deploy
```

Custom Domain (Optional)

  1. Add your domain to Cloudflare
  2. Go to Cloudflare Pages > your project > Custom domains
  3. Add your subdomain (e.g., scanner.yourdomain.com)

Project Structure

```text
r2s/
├── public/
│   ├── index.html      # Main page
│   ├── style.css       # Styling
│   ├── app.js          # Frontend logic
│   └── _worker.js      # Cloudflare Worker (scanner API)
├── wrangler.toml       # Cloudflare configuration
└── package.json
```

API

POST /api/scan

Scan a target URL for CVE-2025-55182.

Request:

```json
{
  "targetUrl": "https://example.com"
}
```

Response:

```json
{
  "target": "https://example.com",
  "timestamp": "2025-01-15T12:00:00.000Z",
  "status": "not_vulnerable",
  "message": "NOT VULNERABLE",
  "httpStatus": "404 Not Found",
  "responsePreview": "...",
  "confidence": "high"
}
```

Disclaimer

This tool is provided for authorized security testing only. Only scan applications you have explicit permission to test. The authors are not responsible for misuse of this tool.

Credits

License

MIT
