Merge pull request #1653 from HackTricks-wiki/update_CVE-2025-55182___CVE-2025-66478_React2Shell___All__20251209_020825

CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need t...

Author: carlospolop

src/network-services-pentesting/pentesting-web/nextjs.md

@@ -1362,10 +1362,45 @@ Next.js App Router deployments that expose Server Actions on `react-server-dom-w
 }
 ```
 
+#### Mapping React Server Function exposure
+
+React Server Functions (RSF) are any functions that include the `'use server';` directive. Every form action, mutation, or fetch helper bound to one of those functions becomes an RSC Flight endpoint that will happily deserialize attacker-supplied payloads. Useful recon steps derived from React2Shell assessments:
+
+- **Static inventory:** look for the directive to understand how many RSFs are being automatically exposed by the framework.
+
+```bash
+rg -n "'use server';" -g"*.{js,ts,jsx,tsx}" app/
+```
+
+- **App Router defaults:** `create-next-app` enables the App Router + `app/` directory by default, which silently turns every route into an RSC-capable endpoint. App Router assets such as `/_next/static/chunks/app/` or responses that stream Flight chunks over `text/x-component` are strong Internet-facing fingerprints.
+- **Implicitly vulnerable RSC deployments:** React’s own advisory notes that apps shipping the RSC runtime can be exploitable **even without explicit RSFs**, so treat any build using `react-server-dom-*` 19.0.0–19.2.0 as suspect.
+- **Other frameworks bundling RSC:** Vite RSC, Parcel RSC, React Router RSC preview, RedwoodSDK, Waku, etc. reuse the same serializer and inherit the identical remote attack surface until they embed patched React builds.
+
+#### Version coverage (React2Shell)
+
+- `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`: **vulnerable** in 19.0.0, 19.1.0–19.1.1 and 19.2.0; **patched** in 19.0.1, 19.1.2 and 19.2.1 respectively.
+- **Next.js stable:** App Router releases 15.0.0–16.0.6 embed the vulnerable RSC stack. Patch trains 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7 / 16.0.7 include fixed deps, so any build below those versions is high-value.
+- **Next.js canary:** `14.3.0-canary.77+` also ships the buggy runtime and currently lacks patched canary drops, making those fingerprints strong exploitation candidates.
+
+#### Remote detection oracle
+
+Assetnote’s [`react2shell-scanner`](https://github.com/assetnote/react2shell-scanner) sends a crafted multipart Flight request to candidate paths and watches server-side behavior:
+
+- **Default mode** executes a deterministic RCE payload (math operation reflected via `X-Action-Redirect`) proving code execution.
+- **`--safe-check` mode** purposefully malforms the Flight message so patched servers return `200/400`, while vulnerable targets emit `HTTP/500` responses containing the `E{"digest"` substring inside the body. That `(500 + digest)` pair is currently the most reliable remote oracle published by defenders.
+- Built-in `--waf-bypass`, `--vercel-waf-bypass`, and `--windows` switches adjust payload layout, prepend junk, or swap OS commands so you can probe real Internet assets.
+
+```bash
+python3 scanner.py -u https://target.tld --path /app/api/submit --safe-check
+python3 scanner.py -l hosts.txt -t 20 --waf-bypass -o vulnerable.json
+```
+
 ## References
 
 - [Pentesting Next.js Server Actions — A Burp Extension for Hash-to-Function Mapping](https://www.adversis.io/blogs/pentesting-next-js-server-actions)
 - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer)
 - [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp)
+- [CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need to Know](https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/)
+- [assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
 
 {{#include ../../banners/hacktricks-training.md}}