grimnir/Quickcheck-CVE-2025-55182-React-and-CVE-2025-66478-Next.js
GitHub CVE Scanner

🔍 Quickly scan GitHub repositories for critical React and Next.js RSC vulnerabilities

License: MIT

Overview

A browser-based scanner that checks every repository belonging to a GitHub user account for known security vulnerabilities in React Server Components:

| CVE | Package(s) | Severity | Description |
| --- | --- | --- | --- |
| CVE-2025-55182 | react, react-dom, react-server-dom-webpack | Critical | React RSC "Flight" protocol RCE |
| CVE-2025-66478 | next | Critical | Next.js RSC unauthenticated RCE |

No installation required — just paste in your browser console.

Quick Start

  1. Navigate to any GitHub page (e.g., https://github.com/yourusername)
  2. Open DevTools (F12 or Ctrl+Shift+I)
  3. Go to the Console tab
  4. Copy the contents of script.js, paste it into the console, and press Enter

Authentication

When prompted, choose your scan mode:

| Option | Access | Requirements |
| --- | --- | --- |
| Cancel | Public repos only | None |
| OK | Public + Private | Personal Access Token |

Creating a PAT

  1. Visit github.com/settings/tokens/new
  2. Name: CVE Scanner
  3. Scope: repo (Full control of private repositories)
  4. Generate and copy the token

⚠️ Security: Treat your PAT like a password. Never commit or share it.

Vulnerability Reference

CVE-2025-55182 (React)

| Package | Vulnerable | Patched |
| --- | --- | --- |
| react | 19.0.0 | 19.0.1+ |
| react-dom | 19.0.0 | 19.0.1+ |
| react-server-dom-webpack | 19.0.0 | 19.0.1+ |

CVE-2025-66478 (Next.js)

| Version Range | Vulnerable | Patched |
| --- | --- | --- |
| 13.x | 13.4.0 – 13.5.8 | 13.5.9 |
| 14.x | 14.0.0 – 14.2.24 | 14.2.25 |
| 15.x | 15.0.0 – 15.1.2 | 15.1.3 |
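As an added example (not the project's script.js), the check below applies the two tables above to a parsed package.json object; the sample package.json is constructed here. It reads the first version in each specifier as the declared minimum, so consult the lockfile before calling a repository safe.

```javascript
// Added example, not the project's script.js: classify the React / Next.js
// versions declared in a package.json against the CVE tables in this README.
// Caveat: a specifier such as "^14.1.0" only gives the declared minimum; the
// lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) is authoritative.
// Inclusive vulnerable ranges, taken from the Vulnerability Reference section.
const VULN_RANGES = {
  "CVE-2025-55182": {
    packages: ["react", "react-dom", "react-server-dom-webpack"],
    ranges: [["19.0.0", "19.0.0"]],
  },
  "CVE-2025-66478": {
    packages: ["next"],
    ranges: [["13.4.0", "13.5.8"], ["14.0.0", "14.2.24"], ["15.0.0", "15.1.2"]],
  },
};
// First numeric version in a specifier ("^14.1.0", "~19.0.0", "19") as
// [major, minor, patch]; null for "latest", dist-tags, or URLs with no digits.
function parseVersion(spec) {
  const m = /(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(spec));
  return m ? [1, 2, 3].map((i) => Number(m[i] || 0)) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function inRange(v, [lo, hi]) {
  return compareVersions(v, parseVersion(lo)) >= 0 &&
         compareVersions(v, parseVersion(hi)) <= 0;
}
// findings: package -> CVE ids it is vulnerable to ([] when patched);
// unparsed: specifiers that could not be evaluated and need manual review.
function scanPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = {}, unparsed = [];
  for (const [cve, { packages, ranges }] of Object.entries(VULN_RANGES)) {
    for (const name of packages) {
      if (!(name in deps)) continue;
      const v = parseVersion(deps[name]);
      if (!v) { unparsed.push(`${name}@${deps[name]}`); continue; }
      findings[name] = findings[name] || [];
      if (ranges.some((r) => inRange(v, r))) findings[name].push(cve);
    }
  }
  return { findings, unparsed };
}
// Constructed package.json matching row 0 of the README's example output.
const SAMPLE = { dependencies: { next: "^14.1.0", react: "^18.2.0", "react-dom": "^18.2.0" } };
```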

Features

  • ✅ Auto-detects username from current URL
  • ✅ Optional PAT for private repository access
  • ✅ Paginated fetching for large accounts
  • ✅ Clean console output with summary table
  • ✅ Handles edge cases gracefully
  • ✅ Read-only — never modifies repositories

Example Output

🔍 GitHub CVE Scanner
Checking: CVE-2025-55182 (React RSC) & CVE-2025-66478 (Next.js RSC)

👤 username | Mode: Public + Private

📦 Fetching repositories...
📁 42 repositories found

🔍 Scanning... (click to expand)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 RESULTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

┌─────────┬─────────────────┬────────┬────────┬───────────┬─────────────┬──────────────────────┐
│ (index) │      Repo       │  Next  │ React  │ ReactDOM  │ RSCWebpack  │       Status         │
├─────────┼─────────────────┼────────┼────────┼───────────┼─────────────┼──────────────────────┤
│    0    │ 'my-nextjs-app' │ '14.1' │ '18.2' │  '18.2'   │     '-'     │ '⚠️ CVE-2025-66478'  │
│    1    │ 'react-demo'    │  '-'   │ '19.0' │  '19.0'   │     '-'     │ '⚠️ CVE-2025-55182'  │
│    2    │ 'safe-project'  │ '15.2' │ '19.1' │  '19.1'   │     '-'     │      '✅ Safe'       │
└─────────┴─────────────────┴────────┴────────┴───────────┴─────────────┴──────────────────────┘

📊 Summary:
   Total repos:       42
   With package.json: 38
   Skipped:           4 (no package.json)

⚠️ 2 vulnerable repo(s) found!

✓ Scan complete.

Why This Matters

CVE-2025-55182 and CVE-2025-66478 allow unauthenticated remote code execution through the React Server Components "Flight" protocol. These are critical vulnerabilities requiring immediate patching.

Contributing

Contributions welcome! Ideas for future enhancements:

  • Organization-wide scanning
  • CSV/JSON export
  • Bookmarklet version
  • GitHub Actions integration

Open an issue or submit a PR.

License

MIT

About

Script to quickly check for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) “Flight” protocol.