[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72470":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":13,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":27,"discoverSource":28},72470,"react2shell-scanner","assetnote\u002Freact2shell-scanner","assetnote","High Fidelity Detection Mechanism for RSC\u002FNext.js RCE (CVE-2025-55182 & CVE-2025-66478)",null,"Python",2452,268,12,4,0,2,3,6,29.29,false,"master",true,[],"2026-06-12 02:03:03","# react2shell-scanner\n\nA command-line tool for detecting CVE-2025-55182 and CVE-2025-66478 in Next.js applications using React Server Components.\n\nFor technical details on the vulnerability and detection methodology, see our blog post: https:\u002F\u002Fslcyber.io\u002Fresearch-center\u002Fhigh-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478\n\n## How It Works\n\nBy default, the scanner sends a crafted multipart POST request containing an RCE proof-of-concept payload that executes a deterministic math operation (`41*271 = 11111`). Vulnerable hosts return the result in the `X-Action-Redirect` response header as `\u002Flogin?a=11111`.\n\nThe scanner tests the root path (`\u002F`) by default. Use `--path` or `--path-file` to test custom paths. If not vulnerable, it follows same-host redirects (e.g., `\u002F` to `\u002Fen\u002F`) and tests the redirect destination. Cross-origin redirects are not followed.\n\n### Safe Check Mode\n\nThe `--safe-check` flag uses an alternative detection method that relies on side-channel indicators (500 status code with specific error digest) without executing code on the target. Use this mode when RCE execution is not desired.\n\n### WAF Bypass\n\nThe `--waf-bypass` flag prepends random junk data to the multipart request body. This can help evade WAF content inspection that only analyzes the first portion of request bodies. The default size is 128KB, configurable via `--waf-bypass-size`. When WAF bypass is enabled, the timeout is automatically increased to 20 seconds (unless explicitly set).\n\n### Vercel WAF Bypass\n\nThe `--vercel-waf-bypass` flag uses an alternative payload variant specifically designed to bypass Vercel WAF protections. This uses a different multipart structure with an additional form field.\n\n### Windows Mode\n\nThe `--windows` flag switches the payload from Unix shell (`echo $((41*271))`) to PowerShell (`powershell -c \"41*271\"`) for targets running on Windows.\n\n## Requirements\n\n- Python 3.9+\n- requests\n- tqdm\n\n## Installation\n\n```\npip install -r requirements.txt\n```\n\n## Usage\n\nScan a single host:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com\n```\n\nScan a list of hosts:\n\n```\npython3 scanner.py -l hosts.txt\n```\n\nScan with multiple threads and save results:\n\n```\npython3 scanner.py -l hosts.txt -t 20 -o results.json\n```\n\nScan with custom headers:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com -H \"Authorization: Bearer token\" -H \"Cookie: session=abc\"\n```\n\nUse safe side-channel detection:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com --safe-check\n```\n\nScan Windows targets:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com --windows\n```\n\nScan with WAF bypass:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com --waf-bypass\n```\n\nScan custom paths:\n\n```\npython3 scanner.py -u https:\u002F\u002Fexample.com --path \u002F_next\npython3 scanner.py -u https:\u002F\u002Fexample.com --path \u002F_next --path \u002Fapi\npython3 scanner.py -u https:\u002F\u002Fexample.com --path-file paths.txt\n```\n\n## Options\n\n```\n-u, --url Single URL to check\n-l, --list File containing hosts (one per line)\n-t, --threads Number of concurrent threads (default: 10)\n--timeout Request timeout in seconds (default: 10)\n-o, --output Output file for results (JSON)\n--all-results Save all results, not just vulnerable hosts\n-k, --insecure Disable SSL certificate verification\n-H, --header Custom header (can be used multiple times)\n-v, --verbose Show response details for vulnerable hosts\n-q, --quiet Only output vulnerable hosts\n--no-color Disable colored output\n--safe-check Use safe side-channel detection instead of RCE PoC\n--windows Use Windows PowerShell payload instead of Unix shell\n--waf-bypass Add junk data to bypass WAF content inspection\n--waf-bypass-size Size of junk data in KB (default: 128)\n--path Custom path to test (can be used multiple times)\n--path-file File containing paths to test (one per line)\n```\n\n## Credits\n\nThe RCE PoC was originally disclosed by [@maple3142](https:\u002F\u002Fx.com\u002Fmaple3142) -- we are incredibly grateful for their work in publishing a working PoC.\n\nThis tooling originally was built out as a safe way to detect the RCE. This functionality is still available via `--safe-check`, the \"safe detection\" mode.\n\n- Assetnote Security Research Team - [Adam Kues, Tomais Williamson, Dylan Pindur, Patrik Grobshäuser, Shubham Shah](https:\u002F\u002Fx.com\u002Fassetnote)\n- [xEHLE_](https:\u002F\u002Fx.com\u002FxEHLE_) - RCE output reflection in resp header\n- [Nagli](https:\u002F\u002Fx.com\u002Fgalnagli)\n\n## Output\n\nResults are printed to the terminal. When using `-o`, vulnerable hosts are saved to a JSON file containing the full HTTP request and response for verification.\n","react2shell-scanner 是一个用于检测 Next.js 应用中 CVE-2025-55182 和 CVE-2025-66478 漏洞的命令行工具。其核心功能是通过发送精心构造的多部分 POST 请求来测试目标应用是否存在远程代码执行(RCE)漏洞,支持多种模式如安全检查、WAF 绕过及针对不同操作系统的适配。技术特点包括使用确定性数学运算验证漏洞存在,并可通过自定义请求头、路径和并发线程数增强扫描灵活性与效率。适用于需要对基于 React 服务器组件的 Next.js 项目进行安全审计或漏洞排查的场景。","2026-06-11 03:42:11","high_star"]