Security Scanner
Sends a safe detection payload to test for CVE-2025-55182 (React Server Components RCE). This tool displays raw HTTP data for security research and manual interpretation.
How to Interpret These Results
RSC Error Pattern + HTTP 500
If you see the RSC error pattern E{"digest":"..."} together with HTTP 500, the probe payload was processed far enough to raise an error inside the React Flight protocol. This is the strongest indicator the scanner can produce, but it still does not prove exploitability: confirm with additional testing and server-side log analysis.
HTTP 500 Without RSC Pattern
A 500 error without the specific RSC pattern could indicate the vulnerability is present but the error manifests differently, or it could be an unrelated server error. Check server logs and run multiple scans.
Connection Timeout
Timeouts may indicate the server entered an infinite loop (a symptom of this vulnerability), but can also result from network issues, WAF blocking, server overload, or rate limiting. Timeouts alone are not proof of vulnerability. Run multiple scans and correlate with server-side logs.
HTTP 200 or 404
If the server returns 200 OK or 404 Not Found, it handled the probe without tripping the RSC error path. That is consistent with a patched server, a site that does not serve React Server Components, a WAF that neutralised the request, or no Server Action being reachable at the probed path. The response does not distinguish between these cases, so confirm with a version check.
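The four outcomes above, as an added example of the classification logic (written for this page, not the scanner's own code): it takes a recorded probe result, looks for the Flight error row, and returns the indicator level the guidance describes, then folds several runs into one summary because the page recommends repeated scans. The `status`/`body`/`timedOut` field names and the sample responses are assumptions constructed for the example, and it goes one step beyond the page by treating HTTP 403/429 as a WAF or rate-limit signal rather than an unknown.

```javascript
// Added illustration of the interpretation rules above; not the scanner's own
// code. Field names (status, body, timedOut) are assumptions about what a probe
// records, and the SAMPLES below are constructed, not real captures.

// A Flight error row looks like  0:E{"digest":"..."}  (row id, colon, E, JSON).
// The row id is optional here so a trimmed body still matches.
const RSC_ERROR_ROW = /(?:^|\n)(?:\d+:)?E\{"digest":"([^"]*)"/;

function extractDigest(body) {
  const m = RSC_ERROR_ROW.exec(body || "");
  return m ? m[1] : null;
}

// Returns { indicator, reason, digest? } where indicator is one of
// strong | weak | inconclusive | blocked | none | unknown.
function classifyProbe({ status, body = "", timedOut = false }) {
  if (timedOut) {
    return {
      indicator: "inconclusive",
      reason: "timeout: possible hang, but also network trouble, WAF drop, overload or rate limit; rescan and check server logs",
    };
  }
  const digest = extractDigest(body);
  if (status === 500 && digest !== null) {
    return { indicator: "strong", digest, reason: "HTTP 500 with a Flight error row: the payload reached the RSC decoder and errored there" };
  }
  if (status === 500) {
    return { indicator: "weak", reason: "HTTP 500 without the RSC pattern: may be the bug surfacing differently, or an unrelated error" };
  }
  // Beyond the page's four cases: a filter or limiter answered instead of the app.
  if (status === 403 || status === 429) {
    return { indicator: "blocked", reason: `HTTP ${status}: WAF or rate limiting handled the request before the application did` };
  }
  if (status === 200 || status === 404) {
    return { indicator: "none", reason: "handled normally: patched, no RSC in use, WAF-neutralised, or no Server Action at this path" };
  }
  return { indicator: "unknown", reason: `unexpected HTTP ${status}; inspect the raw response manually` };
}

// Collapse several runs into a summary: the most suspicious level seen plus
// how many runs produced each level.
const SEVERITY = ["none", "unknown", "blocked", "inconclusive", "weak", "strong"];
function summarizeRuns(results) {
  const counts = {};
  let worst = "none";
  for (const r of results) {
    const c = classifyProbe(r);
    counts[c.indicator] = (counts[c.indicator] || 0) + 1;
    if (SEVERITY.indexOf(c.indicator) > SEVERITY.indexOf(worst)) worst = c.indicator;
  }
  return { worst, counts };
}

// Constructed sample results, one per outcome the guidance describes.
const SAMPLES = [
  { status: 500, body: '0:E{"digest":"1928374650"}\n' },
  { status: 500, body: "Internal Server Error" },
  { status: null, timedOut: true },
  { status: 200, body: "<!doctype html><title>ok</title>" },
  { status: 403, body: "Forbidden" },
];

for (const s of SAMPLES) {
  const c = classifyProbe(s);
  console.log(`${String(s.status).padEnd(4)} -> ${c.indicator.padEnd(12)} ${c.reason}`);
}
console.log(summarizeRuns(SAMPLES));
```

Only escalate when the strong indicator repeats across runs from different networks; a single digest is a lead for log review, not a finding.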
Important: This Tool Cannot Definitively Prove Vulnerability
This scanner sends a single non-destructive probe. It does not execute code on the target and cannot confirm exploitability; treat a strong indicator as a lead for investigation, not as a finding. Always verify through:
- Server-side log analysis
- Multiple scan attempts from different networks
- Version checking (npm ls react react-dom next)
- Manual testing in a controlled environment
About CVE-2025-55182
What is it?
Critical RCE vulnerability in the React Server Components Flight protocol: an unauthenticated attacker can execute arbitrary code on a server that exposes RSC Server Function endpoints (most commonly a Next.js application) by sending a crafted HTTP request. CVSS Score: 10.0 (Critical).
Affected Versions (vulnerable range → first patched release)
React
- 19.0.0 → 19.0.1
- 19.1.0 - 19.1.1 → 19.1.2
- 19.2.0 → 19.2.1
Next.js
- 15.0.0 - 15.0.4 → 15.0.5
- 15.1.0 - 15.1.8 → 15.1.9
- 15.2.0 - 15.2.5 → 15.2.6
- 15.3.0 - 15.3.5 → 15.3.6
- 15.4.0 - 15.4.7 → 15.4.8
- 15.5.0 - 15.5.6 → 15.5.7
- 16.0.0 - 16.0.6 → 16.0.7
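A version check against the table above and the npm ls react react-dom next step in the verification list, as an added example (not code from this page): it parses the JSON form of npm ls output, walks nested dependencies so a second, older copy of a package is caught, and reports the first patched release for each vulnerable hit. The sample tree is constructed for the example, react-dom is assumed to track react's version line, and prerelease or canary builds are handed back for manual review because the table only lists stable versions.

```javascript
// Added version check for the table above; not code from the scanner page.
// SAMPLE_NPM_LS mimics the JSON of `npm ls react react-dom next --json` but
// is constructed for this example.

// [first vulnerable, last vulnerable, first patched], copied from the table.
const AFFECTED = {
  react: [
    ["19.0.0", "19.0.0", "19.0.1"],
    ["19.1.0", "19.1.1", "19.1.2"],
    ["19.2.0", "19.2.0", "19.2.1"],
  ],
  next: [
    ["15.0.0", "15.0.4", "15.0.5"],
    ["15.1.0", "15.1.8", "15.1.9"],
    ["15.2.0", "15.2.5", "15.2.6"],
    ["15.3.0", "15.3.5", "15.3.6"],
    ["15.4.0", "15.4.7", "15.4.8"],
    ["15.5.0", "15.5.6", "15.5.7"],
    ["16.0.0", "16.0.6", "16.0.7"],
  ],
};
// Assumption: react-dom is released in lockstep with react, so it shares the ranges.
AFFECTED["react-dom"] = AFFECTED.react;

// Returns { nums: [major, minor, patch], prerelease: bool }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function cmpNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { pkg, version, status, fixed? } with status one of
// vulnerable | not-affected | not-tracked | prerelease-review-manually.
function assess(pkg, version) {
  const ranges = AFFECTED[pkg];
  if (!ranges) return { pkg, version, status: "not-tracked" };
  const { nums, prerelease } = parseVersion(version);
  if (prerelease) {
    // The table only lists stable releases; a canary sits between two of them.
    return { pkg, version, status: "prerelease-review-manually" };
  }
  for (const [lo, hi, fixed] of ranges) {
    if (cmpNums(nums, parseVersion(lo).nums) >= 0 && cmpNums(nums, parseVersion(hi).nums) <= 0) {
      return { pkg, version, status: "vulnerable", fixed };
    }
  }
  return { pkg, version, status: "not-affected" };
}

// Walk the whole npm ls tree so a second copy nested under another package
// is reported too, not just the top-level install.
function auditTree(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (AFFECTED[name] && node.version) {
      out.push({ ...assess(name, node.version), path: here.join(" > ") });
    }
    auditTree(node, here, out);
  }
  return out;
}

// Constructed sample tree: top-level copies on vulnerable versions plus a
// nested, already patched react under a UI library.
const SAMPLE_NPM_LS = {
  name: "example-app",
  dependencies: {
    next: { version: "15.5.3" },
    react: { version: "19.1.1" },
    "react-dom": { version: "19.1.1" },
    "some-ui-lib": { version: "2.0.0", dependencies: { react: { version: "19.2.1" } } },
  },
};

for (const f of auditTree(SAMPLE_NPM_LS)) {
  console.log(`${f.path}@${f.version}: ${f.status}${f.fixed ? ` (upgrade to ${f.fixed})` : ""}`);
}
```

Run it against real output with node check.js < <(npm ls react react-dom next --json) after replacing SAMPLE_NPM_LS with JSON.parse of stdin; versions below 15.0.0 or above the last listed range are reported as not-affected only because the table above does not list them, so keep the table in sync with the advisory.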
Mitigation
Upgrade React and Next.js to patched versions; this is the only complete fix. The command below pulls the newest releases. If you need to stay on your current minor line, install the patched version from the table instead (for example next@15.5.7):
npm install react@latest react-dom@latest next@latest
Until the upgrade ships, a WAF rule that blocks POST requests carrying a Next-Action header with suspicious RSC payloads reduces exposure but is not a fix: payload encoding can be varied to slip past a signature, and a probe the WAF absorbs will show up in this scanner as a non-result, not as evidence of a patch.
If you have customised the Server Action origin allow-list in next.config.js, keep it at its default (same origin only):
experimental: { serverActions: { allowedOrigins: [] } }
This setting only governs the cross-origin check on Server Action requests; it does not disable Server Actions and does not close the deserialization flaw, so do not count it as a mitigation.