React2Shell Scanner

Last updated Dec 7, 2025

User Guide

Detects the prototype pollution vulnerability (CVE-2025-55182, "React2Shell") in React Server Components

Usage

json "{}" | eval url = "https://target.com" | react2shell-scan-batch
json "{}" | eval url = "https://target.com/api" | react2shell-scan-batch timeout=10

Options

  • field: The field name containing the URL (default: url)
  • timeout: Connection/read timeout in seconds (default: 30)

Output Fields

  • _time: Timestamp of the scan
  • verdict: Vulnerability status (vulnerable / not vulnerable / unknown)
  • status: HTTP response status code
  • raw_data: Raw HTTP response (headers + body)
  • _error: Error message (when the scan fails)

Technical Analysis of the Vulnerability

CVE-2025-55182 (React2Shell) is a Prototype Pollution vulnerability in Next.js’s Server Actions feature. By sending a crafted multipart/form-data request, an attacker can cause React’s Flight protocol parser to deserialize malicious object references, ultimately achieving arbitrary code execution (RCE).

Affected Versions

  • Next.js 15.x, up to and including 15.1.6
  • Next.js 14.x, up to and including 14.2.24
  • Next.js 13.x, up to and including 13.5.8

Attack Mechanism

1. React Server Components (RSC) Flight Protocol

Next.js Server Actions use React’s Flight protocol to serialize/deserialize data between client and server. The Flight protocol uses the $ prefix to represent object references:

$1        → Reference to chunk #1
$@1       → Async reference to chunk #1
$1:then   → Reference to the 'then' property of chunk #1

2. Prototype Pollution Chain

The core of the attack is manipulating the object prototype chain using $ references:

["$1:aa:aa"]  →  attempts to access chunk[1]["aa"]["aa"]
               →  an empty object {} is accessed
               →  accessing non-existent properties triggers prototype chain traversal

3. Gadget Chain Used for RCE

Example RCE gadget:

{
  '_prefix': 'console.log(7*7+1)//',            // Code to execute
  '_formData': {'get': '$3:constructor:constructor'},  // Access the Function constructor
  '_chunks': '$2:_response:_chunks'             // Access internal chunk array
}

  • _prefix: Injected JavaScript code
  • _formData.get: Access to the Function constructor → arbitrary code execution
  • _chunks: Internal state manipulation

Detection Method

The scanner detects the vulnerability without executing any code on the target: the probe only triggers the prototype-chain lookup failure described below, and the verdict is derived from the resulting error response.

Payload

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

{}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

["$1:aa:aa"]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

HTTP Request

POST / HTTP/1.1
Host: target.com
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad

[multipart body]

Vulnerable Response Indicators

  1. HTTP status code is 500
  2. Response body contains the pattern E{"digest"

Internal Behavior

1. Next.js receives the Server Action request.
2. Flight parser processes multipart data.
3. name="0" part attempts to deserialize ["$1:aa:aa"].
4. $1 refers to name="1", which contains an empty object {}.
5. Accessing {}.aa.aa fails → prototype chain traversal occurs.
6. Missing property triggers an internal error.
7. The error is returned in the form `E{"digest": ...}`.

A vulnerable server produces this characteristic error due to the prototype chain traversal failure.
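Added example (not part of this app's code): a small Python helper that parses the Flight reference syntax from section 1, splits the probe body shown under Payload into its named parts, flags references that chain into another chunk's properties (a heuristic assumption for a request-filtering rule narrower than blocking every Next-Action request), and applies the verdict logic from Vulnerable Response Indicators. The sample body is constructed from the page's payload; DANGEROUS and the two-level-path threshold are assumptions.

```python
import re

# Flight reference grammar as described in section 1: "$" prefix, optional "@"
# for an async reference, a chunk id, then an optional ":"-separated property path.
REF_RE = re.compile(r'^\$(@?)(\d+)((?::[^:"]+)*)$')
DANGEROUS = {"constructor", "__proto__", "prototype"}  # assumption: names worth flagging

def parse_ref(token):
    """Return (chunk_id, is_async, path) for a Flight reference string, or None."""
    m = REF_RE.match(token)
    if not m:
        return None
    path = [p for p in m.group(3).split(":") if p]
    return int(m.group(2)), m.group(1) == "@", path

def split_multipart(body, boundary):
    """Return {part_name: value} for a simple multipart/form-data body."""
    parts = {}
    for chunk in body.replace("\r\n", "\n").split("--" + boundary):
        chunk = chunk.strip()
        if not chunk or chunk == "--":        # preamble or closing delimiter
            continue
        head, _, value = chunk.partition("\n\n")
        name = re.search(r'name="([^"]*)"', head)
        if name:
            parts[name.group(1)] = value.strip()
    return parts

def chained_refs(parts):
    """Heuristic (assumption): a reference walking two or more properties into another
    chunk, or naming constructor/__proto__/prototype, is flagged; "$1", "$@1", "$1:then" are not."""
    hits = []
    for name, value in parts.items():
        for token in re.findall(r'"(\$[^"]*)"', value):
            ref = parse_ref(token)
            if ref and (len(ref[2]) >= 2 or DANGEROUS & set(ref[2])):
                hits.append((name, token))
    return hits

def classify_response(status, body):
    """Verdict logic from the Vulnerable Response Indicators section."""
    if status is None:
        return "unknown"                      # request failed, nothing to judge
    return "vulnerable" if status == 500 and 'E{"digest"' in body else "not vulnerable"

# Constructed sample: the probe body from the Payload section, as a proxy sees it.
BOUNDARY = "----WebKitFormBoundaryx8jO2oVc6SWP3Sad"
SAMPLE_BODY = ("--%s\r\nContent-Disposition: form-data; name=\"1\"\r\n\r\n{}\r\n"
               "--%s\r\nContent-Disposition: form-data; name=\"0\"\r\n\r\n[\"$1:aa:aa\"]\r\n"
               "--%s--\r\n") % (BOUNDARY, BOUNDARY, BOUNDARY)
```

Running `chained_refs(split_multipart(SAMPLE_BODY, BOUNDARY))` returns `[('0', '$1:aa:aa')]`, the part and reference the Internal Behavior steps walk through.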

Security Recommendations

Upgrade to a Patched Version

  • Next.js 15.1.7 or later
  • Next.js 14.2.25 or later
  • Next.js 13.5.9 or later

Mitigation Measures

  • Disable Server Actions (experimental.serverActions: false)
  • Block requests containing the Next-Action header at the WAF layer (note that this blocks all Server Action calls, not only malicious ones)
  • Netlify/Vercel users receive automatic patches
