Security scanner for CVE-2025-55182 - Critical React Server Components RCE vulnerability. Scan lockfiles, SBOMs, Docker images, and live URLs.

Package Exports

  • react2shell-guard
  • react2shell-guard/middleware

Readme

react2shell-guard

Security scanner for CVE-2025-55182 - a critical (CVSS 10.0) unauthenticated Remote Code Execution vulnerability in React Server Components.

⚠️ DISCLAIMER

This is a security scanner, NOT an exploit tool. It is designed to help developers and security teams identify vulnerable dependencies in their projects.

This is a community-driven open source project provided "AS IS" without warranty of any kind, express or implied. The authors and contributors are not responsible for any damages or security incidents arising from the use of this tool.

Use at your own risk and responsibility. Always verify findings manually and follow your organization's security policies. If you discover any issues, bugs, or have suggestions, please contribute back to help improve the project for everyone.

🤝 CONTRIBUTORS WANTED

This project is actively looking for testers and contributors! Whether you want to report bugs, suggest features, improve documentation, or submit code - all contributions are welcome. Check out our Contributing Guide to get started.

Quick Start

1. Instant Scan (No Installation)

The fastest way to check if your project is vulnerable:

npx react2shell-guard .

That's it! This will scan your current directory and show results immediately.

2. Scan a Specific Project

npx react2shell-guard /path/to/your/project

3. Auto-Fix Vulnerabilities

Found vulnerabilities? Fix them automatically:

# Preview what will be changed
npx react2shell-guard fix --dry-run

# Apply fixes
npx react2shell-guard fix

# Apply fixes and reinstall dependencies
npx react2shell-guard fix --install

4. Scan Live URLs

Check if a deployed application is vulnerable:

npx react2shell-guard scan-url https://your-app.com

5. Verify Patch Was Applied

Confirm your deployed fix is working:

npx react2shell-guard verify-patch https://your-app.com

6. Scan Container Images

Check if your Docker images contain vulnerable packages:

npx react2shell-guard scan-image myapp:latest

7. Create Fix PR (GitHub)

Automatically create a GitHub PR to fix vulnerabilities:

npx react2shell-guard create-pr --dry-run  # Preview
npx react2shell-guard create-pr            # Create PR

What is CVE-2025-55182?

CVE-2025-55182 is a critical pre-auth RCE vulnerability affecting React Server Components (RSC) and frameworks using the RSC "Flight" protocol. The vulnerability is caused by unsafe deserialization of RSC payloads, allowing attackers to execute arbitrary code on affected servers.

Affected Packages:

  • react-server-dom-webpack 19.0.0, 19.1.0-19.1.1, 19.2.0
  • react-server-dom-parcel (same versions)
  • react-server-dom-turbopack (same versions)
  • next 15.0.0-15.0.4, 15.1.0-15.1.8, 15.2.0-15.2.5, 15.3.0-15.3.5, 15.4.0-15.4.7, 15.5.0-15.5.6, 16.0.0-16.0.6

More Information:


Installation (Optional)

For frequent use, install globally:

npm install -g react2shell-guard

Then use without npx:

react2shell-guard .

Usage Guide

Basic Scanning

# Scan current directory
react2shell-guard .

# Scan specific directory
react2shell-guard /path/to/project

# Scan and ignore certain paths
react2shell-guard . --ignore-path "examples/**" "test/**"

Output Formats

# Human-readable text (default)
react2shell-guard .

# JSON output (for scripting)
react2shell-guard . --json

# SARIF output (for GitHub Security tab)
react2shell-guard . --sarif

# HTML report (standalone, shareable)
react2shell-guard . --html report.html

CLI Options

Option                    Description
--json                    Output results as JSON
--sarif                   Output results as SARIF 2.1.0
--html <file>             Generate standalone HTML report
--no-exit-on-vuln         Don't exit with code 1 when vulnerabilities found
--ignore-path <patterns>  Paths to ignore (e.g., examples/**)
--debug                   Enable debug output

Exit Codes

Code  Meaning
0     No vulnerabilities found
1     Vulnerabilities detected
2+    Fatal error

Live URL Scanning

Scan live endpoints to detect if they are vulnerable:

# Scan a single URL
react2shell-guard scan-url https://example.com

# Batch scan from a file (one URL per line)
react2shell-guard scan-url urls.txt --list

# With options
react2shell-guard scan-url https://example.com --timeout 5000 --json

URL Scanner Options

Option             Description
--list             Treat target as a file containing URLs
--threads <n>      Number of concurrent threads (default: 10)
--timeout <ms>     Request timeout in milliseconds (default: 10000)
--json             Output results as JSON
--skip-ssl-verify  Skip SSL certificate verification
--verbose          Show all results including non-vulnerable hosts

Patch Verification

Verify if a target has been patched against the vulnerability:

# Verify patch status (runs multiple scans for accuracy)
react2shell-guard verify-patch https://example.com

# With JSON output
react2shell-guard verify-patch https://example.com --json

Verification Options

Option             Description
--timeout <ms>     Request timeout in milliseconds (default: 10000)
--json             Output results as JSON
--skip-ssl-verify  Skip SSL certificate verification

Container Image Scanning

Scan Docker/OCI container images for vulnerable packages:

# Scan a local or remote image
react2shell-guard scan-image myapp:latest

# Scan from a registry
react2shell-guard scan-image registry.example.com/myapp:v1.0

# Skip pulling (use local image only)
react2shell-guard scan-image myapp:latest --skip-pull

# With JSON output
react2shell-guard scan-image myapp:latest --json

# With SARIF output
react2shell-guard scan-image myapp:latest --sarif

Container Scanner Options

Option             Description
--timeout <ms>     Operation timeout in milliseconds (default: 120000)
--skip-pull        Skip pulling image from registry (use local only)
--json             Output results as JSON
--sarif            Output results as SARIF 2.1.0
--no-exit-on-vuln  Don't exit with code 1 when vulnerabilities found
--debug            Enable debug output

Requirements:

  • Docker must be installed and running
  • Sufficient disk space for image extraction

Vercel Deployment Integration

Block vulnerable deployments before they reach production:

# Run as part of your build command
react2shell-guard vercel-check

# In package.json
{
  "scripts": {
    "vercel-build": "react2shell-guard vercel-check && next build"
  }
}

# Or in vercel.json
{
  "buildCommand": "npx react2shell-guard vercel-check && npm run build"
}

Vercel Check Options

Option                    Description
--no-fail                 Warn but do not fail the build on vulnerabilities
--ignore-path <patterns>  Paths to ignore (glob patterns)
--debug                   Enable debug output

GitHub PR Automation

Automatically create a pull request to fix vulnerabilities:

# Preview what will be done
react2shell-guard create-pr --dry-run

# Create branch and PR
react2shell-guard create-pr

# Create branch but don't push/create PR
react2shell-guard create-pr --no-push

# Custom branch name
react2shell-guard create-pr --branch fix/security-update

Create PR Options

Option           Description
--branch <name>  Branch name for the fix (default: fix/cve-2025-55182)
--dry-run        Show what would be done without making changes
--no-push        Create branch and commits but do not push or create PR

Requirements:

  • GitHub CLI (gh) must be installed and authenticated
  • Must be in a git repository with a remote

Example Output

react2shell-guard - CVE-2025-55182 Scanner
──────────────────────────────────────────────────

Scanned 1 project(s)

✗ my-app [VULNERABLE]
  Path: /path/to/my-app
  Framework: nextjs v15.2.1
  App Router: Yes (RSC enabled)

  Vulnerabilities found:
    - react-server-dom-webpack @ 19.1.0
      Upgrade to: 19.1.2
      Advisory: https://react.dev/blog/2025/12/03/...
    - next @ 15.2.1
      Upgrade to: 15.2.6
      Advisory: https://react.dev/blog/2025/12/03/...

──────────────────────────────────────────────────
VULNERABLE - Action required!
Upgrade affected packages to patched versions immediately.

GitHub Actions Integration

Basic Usage

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install react2shell-guard
        run: npm install -g react2shell-guard

      - name: Scan for vulnerabilities
        run: react2shell-guard .

With SARIF Upload

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install react2shell-guard
        run: npm install -g react2shell-guard

      - name: Scan and generate SARIF
        run: react2shell-guard . --sarif > results.sarif
        continue-on-error: true

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Fail on vulnerabilities
        run: react2shell-guard .

Supported Package Managers

react2shell-guard automatically detects and parses lockfiles from:

  • npm - package-lock.json (v2 and v3 formats)
  • pnpm - pnpm-lock.yaml
  • yarn - yarn.lock (Classic and Berry formats)

Features

  • Fast scanning - Analyzes lockfiles directly, no need to install dependencies
  • Monorepo support - Automatically discovers and scans all projects
  • Framework detection - Identifies Next.js and App Router usage
  • Multiple output formats - Text, JSON, SARIF, and HTML reports
  • CI/CD ready - Exit codes and GitHub Actions integration
  • Zero network calls - Works completely offline
  • Auto-fix - Automatically update vulnerable dependencies
  • Pre-commit hooks - Block commits with vulnerable dependencies
  • SBOM scanning - Scan CycloneDX SBOM files
  • MCP integration - AI assistant support via Model Context Protocol
  • Runtime protection - Express.js/Next.js middleware for defense-in-depth
  • Live URL scanning - Scan deployed applications for vulnerabilities
  • Container scanning - Scan Docker/OCI images for vulnerable packages
  • Vercel integration - Block vulnerable deployments before production
  • GitHub PR automation - Auto-create fix PRs with one command

Auto-Fix Vulnerabilities

Automatically update your package.json to use patched versions:

# Preview changes (dry run)
react2shell-guard fix --dry-run

# Apply fixes
react2shell-guard fix

# Apply fixes and run npm/pnpm/yarn install
react2shell-guard fix --install

Pre-Commit Hooks

Install git hooks to prevent committing vulnerable dependencies:

# Auto-detect hook framework and install
react2shell-guard init-hooks

# Preview what would be installed
react2shell-guard init-hooks --dry-run

# Force specific hook type
react2shell-guard init-hooks --hook-type husky
react2shell-guard init-hooks --hook-type lefthook
react2shell-guard init-hooks --hook-type standalone

Supported hook frameworks:

  • Husky - Appends to .husky/pre-commit
  • Lefthook - Creates/updates lefthook.yml
  • Standalone - Creates .git/hooks/pre-commit

The hook will block commits when package.json contains vulnerable dependencies and suggest running react2shell-guard fix to remediate.

SBOM Scanning

Scan CycloneDX SBOM files for vulnerabilities:

# Scan a CycloneDX SBOM
react2shell-guard scan-sbom bom.json

# With JSON output
react2shell-guard scan-sbom bom.json --json

# With SARIF output
react2shell-guard scan-sbom bom.json --sarif

MCP Server (AI Assistant Integration)

Start the Model Context Protocol server for AI assistant integration:

react2shell-guard mcp-server

Available MCP tools:

  • scan_repo - Scan a repository for vulnerabilities
  • scan_sbom - Scan a CycloneDX SBOM file

Configure with MCP-compatible clients (example configuration):

{
  "mcpServers": {
    "react2shell-guard": {
      "command": "npx",
      "args": ["react2shell-guard", "mcp-server"]
    }
  }
}

Runtime Protection Middleware

Defense-in-depth middleware that detects and blocks CVE-2025-55182 exploit attempts at runtime.

Express.js

import express from 'express';
import { createExpressMiddleware } from 'react2shell-guard/middleware';

const app = express();

// Add raw body parser for RSC payloads
app.use(express.raw({ type: 'text/x-component' }));
app.use(express.json());

// Add protection middleware
app.use(createExpressMiddleware({
  action: 'block',  // 'block' | 'log' | 'alert'
  onAlert: (result, req) => {
    // Send to your alerting system (Slack, PagerDuty, etc.)
    console.error('CVE-2025-55182 exploit attempt:', result);
  },
  skipPaths: ['/health', '/metrics'],
}));

Next.js

// middleware.ts
import { withReact2ShellGuard } from 'react2shell-guard/middleware';

export const middleware = withReact2ShellGuard({
  action: 'block',
  rscEndpointsOnly: true,  // Only check RSC endpoints (recommended)
});

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};

Detected patterns:

  • Serialized function injection
  • Prototype pollution attempts
  • Malformed module references
  • Server action tampering
  • Encoded malicious payloads
  • RSC streaming format abuse
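The snippet below is an added example, not the package's own middleware: an Express-style request guard with the same configuration surface as createExpressMiddleware above (action, onAlert, skipPaths), plus a pluggable detect function and a fake req/res driver so the control flow can be exercised offline. The default detector is a deliberately simple stand-in for one of the pattern classes listed above (prototype-pollution keys such as __proto__ in a JSON or line-delimited RSC body); it is not react2shell-guard's real detection logic. The meaning of the three action modes is an assumption, since the README names them without defining them: 'block' alerts and rejects, 'alert' alerts and passes the request through, 'log' only writes to the console.

```javascript
// Added example, not the react2shell-guard middleware. Keys that can rewrite
// object prototypes when merged into an existing object.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively collect JSON paths whose key is a prototype-rewriting key.
function findPollutionKeys(value, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findPollutionKeys(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) out.push(`${path}.${key}`);
      findPollutionKeys(value[key], `${path}.${key}`, out);
    }
  }
  return out;
}

// Bodies may arrive as a Buffer (express.raw), a string, or an object already
// parsed by express.json. Whole-body JSON is tried first; otherwise each
// "id:json" row is tried and rows that are not JSON are ignored (simplified).
function parseCandidates(body) {
  const text = Buffer.isBuffer(body) ? body.toString('utf8') : body;
  if (typeof text !== 'string') return [text];
  try { return [JSON.parse(text)]; } catch { /* not a single JSON document */ }
  const out = [];
  for (const line of text.split('\n')) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    try { out.push(JSON.parse(line.slice(i + 1))); } catch { /* non-JSON row */ }
  }
  return out;
}

// Stand-in detector: only RSC/JSON content types are inspected.
function defaultDetect(req) {
  const type = String(req.headers['content-type'] || '');
  if (!type.includes('text/x-component') && !type.includes('application/json')) {
    return { suspicious: false, reasons: [] };
  }
  const hits = parseCandidates(req.body).flatMap((doc) => findPollutionKeys(doc));
  return { suspicious: hits.length > 0, reasons: hits.map((p) => `prototype key at ${p}`) };
}

// Assumed action semantics: 'block' = alert + reject (403), 'alert' = alert and
// pass through, 'log' = console only.
function createGuard({ action = 'block', onAlert = () => {}, skipPaths = [], detect = defaultDetect } = {}) {
  return function guard(req, res, next) {
    if (skipPaths.includes(req.path)) return next();
    const result = detect(req);
    if (!result.suspicious) return next();
    if (action === 'log') console.warn('suspicious RSC request', req.path, result.reasons);
    else onAlert(result, req);
    if (action === 'block') return res.status(403).json({ error: 'request rejected' });
    return next();
  };
}

// Drive the guard with a fake req/res and report whether the request passed.
function runGuard(guard, req) {
  const outcome = { passed: false, status: 200 };
  const res = {
    status(code) { outcome.status = code; return this; },
    json() { return this; },
  };
  guard(req, res, () => { outcome.passed = true; });
  return outcome;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  normalRsc: {
    path: '/', headers: { 'content-type': 'text/x-component' },
    body: Buffer.from('0:["$","div",null,{"children":"hi"}]\n'),
  },
  polluting: {
    path: '/', headers: { 'content-type': 'application/json' },
    body: Buffer.from('{"__proto__":{"polluted":true}}'),
  },
  pollutingOnHealth: {
    path: '/health', headers: { 'content-type': 'application/json' },
    body: Buffer.from('{"__proto__":{"polluted":true}}'),
  },
};

const alerts = [];
const guard = createGuard({ action: 'block', onAlert: (r) => alerts.push(r), skipPaths: ['/health'] });
for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, runGuard(guard, req));
}
```

Because the guard only reads req.path, req.headers and req.body, the same function can be mounted in Express after express.raw({ type: 'text/x-component' }) exactly as in the configuration above, and unit-tested with plain objects as shown.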

API Usage

import { scan } from 'react2shell-guard';

const result = scan({
  path: '/path/to/project',
  ignorePaths: ['examples/**'],
  debug: false,
});

console.log(result.vulnerable); // boolean
console.log(result.projects);   // ProjectResult[]

JSON Output Schema

{
  "cve": "CVE-2025-55182",
  "vulnerable": true,
  "scanTime": "2025-12-04T10:30:00Z",
  "projects": [
    {
      "name": "my-app",
      "path": "/path/to/my-app",
      "framework": {
        "type": "nextjs",
        "version": "15.2.1",
        "appRouterDetected": true
      },
      "findings": [
        {
          "package": "react-server-dom-webpack",
          "currentVersion": "19.1.0",
          "fixedVersion": "19.1.2",
          "severity": "critical",
          "advisoryUrl": "https://..."
        }
      ],
      "vulnerable": true
    }
  ],
  "errors": []
}

Remediation

Automatic fix (recommended):

react2shell-guard fix --install

Manual upgrade - React packages:

npm install react-server-dom-webpack@19.1.2  # or 19.0.1, 19.2.1

Manual upgrade - Next.js:

npm install next@15.2.6  # or other patched version for your release line

Fixed Next.js versions by release line:

  • 15.0.x → 15.0.5
  • 15.1.x → 15.1.9
  • 15.2.x → 15.2.6
  • 15.3.x → 15.3.6
  • 15.4.x → 15.4.8
  • 15.5.x → 15.5.7
  • 16.0.x → 16.0.7
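As an added example (not the react2shell-guard source), the following scanner ties together the Affected Packages ranges, the package-lock.json v2/v3 format named under Supported Package Managers, the CycloneDX SBOM input from SBOM Scanning, and the fixed versions listed in this section, emitting findings shaped like the JSON Output Schema. The sample lockfile and SBOM are constructed. Two assumptions are made: the react-server-dom-parcel and react-server-dom-turbopack packages share the fixed versions given for react-server-dom-webpack (the README says they share the affected versions), and the 19.0.1, 19.1.2 and 19.2.1 fixes map to the 19.0.x, 19.1.x and 19.2.x lines respectively.

```javascript
// Added example, not react2shell-guard's scanner: affected ranges and fixed
// versions from the README applied to packages pulled from a package-lock.json
// (v2/v3 "packages" map) or a CycloneDX JSON SBOM.

// Affected versions from the README, as inclusive [min, max] pairs.
const RSC_RANGES = [['19.0.0', '19.0.0'], ['19.1.0', '19.1.1'], ['19.2.0', '19.2.0']];
const AFFECTED = {
  'react-server-dom-webpack': RSC_RANGES,
  'react-server-dom-parcel': RSC_RANGES,
  'react-server-dom-turbopack': RSC_RANGES,
  next: [
    ['15.0.0', '15.0.4'], ['15.1.0', '15.1.8'], ['15.2.0', '15.2.5'], ['15.3.0', '15.3.5'],
    ['15.4.0', '15.4.7'], ['15.5.0', '15.5.6'], ['16.0.0', '16.0.6'],
  ],
};

// Fixed versions from the Remediation section, keyed by major.minor line.
// Assumption: the three react-server-dom-* packages share the same fixes.
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const FIXED = {
  'react-server-dom-webpack': RSC_FIXED,
  'react-server-dom-parcel': RSC_FIXED,
  'react-server-dom-turbopack': RSC_FIXED,
  next: {
    '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
    '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
  },
};

// Compare the numeric cores of two versions; prerelease tags are ignored here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  return Boolean(ranges) && ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0,
  );
}

function fixedVersionFor(name, version) {
  const line = version.split('.').slice(0, 2).join('.');
  return (FIXED[name] || {})[line] || null;
}

// package-lock v2/v3: keys look like "node_modules/next" or
// "node_modules/lib/node_modules/next"; the text after the last "node_modules/"
// is the package name. Nested copies are reported too, because a patched
// hoisted copy does not fix an old copy nested under another dependency.
function packagesFromPackageLock(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry.version) continue;
    const idx = key.lastIndexOf('node_modules/');
    const name = idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
    out.push({ name, version: entry.version, location: key });
  }
  return out;
}

// CycloneDX JSON: each component carries name and version directly.
function packagesFromCycloneDx(bom) {
  return (bom.components || [])
    .filter((c) => c.name && c.version)
    .map((c) => ({ name: c.name, version: c.version, location: c.purl || c['bom-ref'] || c.name }));
}

// Findings in the shape of the README's JSON output schema.
function findingsFor(packages) {
  return packages.filter((p) => isAffected(p.name, p.version)).map((p) => ({
    package: p.name, currentVersion: p.version, severity: 'critical',
    fixedVersion: fixedVersionFor(p.name, p.version), location: p.location,
  }));
}

function scanPackageLock(lock) {
  const findings = findingsFor(packagesFromPackageLock(lock));
  return { cve: 'CVE-2025-55182', vulnerable: findings.length > 0, findings };
}

// Constructed sample inputs, not real project files.
const SAMPLE_LOCK = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { next: '15.2.6' } },
    'node_modules/next': { version: '15.2.6' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/some-lib/node_modules/next': { version: '15.2.1' },
  },
};
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX', specVersion: '1.5',
  components: [
    { type: 'library', name: 'next', version: '16.0.3', purl: 'pkg:npm/next@16.0.3' },
    { type: 'library', name: 'react-server-dom-parcel', version: '19.2.1' },
  ],
};

console.log(JSON.stringify(scanPackageLock(SAMPLE_LOCK), null, 2));
console.log(JSON.stringify(findingsFor(packagesFromCycloneDx(SAMPLE_BOM)), null, 2));
```

On the sample lockfile the hoisted next is already patched but the copy nested under some-lib is not, so the scan still reports it; the SBOM scan flags next 16.0.3 and leaves react-server-dom-parcel 19.2.1 alone, matching the ranges above.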

Development

# Install dependencies
npm install

# Build
npm run build

# Run tests
npm test

# Run in development mode
npm run dev

License

MIT