pnndrs/react-rsc-cve-scanner

React RSC CVE Scanner

Safe, behavior-based security verification tool for React Server Components (RSC).


Purpose and Scope

This repository contains an internal-grade application security scanner designed to assess the likelihood of known React Server Components (RSC) vulnerabilities in deployed web applications.

The scanner relies on observable protocol behavior, response characteristics, and partial version context. It does not attempt exploitation, payload execution, or denial-of-service. Results are probabilistic by design and intended to support engineering and security decision-making.

This tool is not a penetration testing framework.


Explicit Warnings

Non-Exploitation Policy

This scanner intentionally avoids:

  • remote code execution
  • memory corruption
  • intentional denial-of-service
  • data exfiltration
  • state-altering requests

All checks are designed to be read-only or minimally interactive.

Authorization Requirement

Only scan systems you own or are explicitly authorized to test. This tool makes assumptions about legitimate internal use.


Design Philosophy

The scanner is built around the following principles:

  • High signal, low noise
  • Deterministic execution
  • No stealth or obfuscation
  • Explainable results
  • Explicit handling of uncertainty

The goal is to answer:

"Based on observable behavior and version context, is this application likely affected by a known RSC vulnerability?"


High-Level Architecture

The scanner consists of four main stages:

  1. Target normalization and reachability probing
  2. RSC endpoint discovery
  3. Contextual fingerprinting
  4. CVE-specific verification modules

Each CVE is implemented as an independent detector with its own scoring logic.


Endpoint Discovery

The scanner attempts to identify React Server Component / Flight endpoints using:

  • HTML parsing of the root document
  • Heuristics for RSC- and Next.js-related paths
  • Content negotiation using the Accept: text/x-component request header and checking the returned Content-Type
  • Known RSC response markers (react.flight, __rsc)

Discovery is capped to a small number of endpoints to avoid excessive traffic.
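The two discovery steps above (classifying a response as an RSC/Flight payload, and pulling a small capped set of same-origin candidate routes out of the root document) look roughly like the following. This is an added illustration, not the project's own code: the marker strings come from the list above, while the `/_next/` heuristic, the cap of 5 candidates, the 4 KiB body prefix and the sample HTML are assumptions made for the example.

```python
"""Added example (not the project's code): classify a response as an RSC/Flight
endpoint and pull candidate routes out of the root HTML document.
Assumptions: the /_next/ heuristic, the 5-candidate cap, the 4 KiB body prefix
and the sample documents below are illustrative, not the project's values."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

RSC_CONTENT_TYPE = "text/x-component"
RSC_BODY_MARKERS = ("react.flight", "__rsc")   # markers named in the README
PROBE_HEADERS = {"Accept": RSC_CONTENT_TYPE}    # what each candidate route is requested with
MAX_CANDIDATES = 5                             # assumed discovery cap
BODY_PREFIX = 4096                             # assumed: only inspect the first 4 KiB


def is_rsc_response(headers: dict, body: str) -> bool:
    """True if the server negotiated an RSC payload or the body carries Flight markers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if RSC_CONTENT_TYPE in lowered.get("content-type", "").lower():
        return True
    prefix = body[:BODY_PREFIX].lower()
    return any(marker in prefix for marker in RSC_BODY_MARKERS)


class _RootDocument(HTMLParser):
    """Collects script sources and anchors from the root HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list = []
        self.links: list = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def parse_root(html: str) -> _RootDocument:
    doc = _RootDocument()
    doc.feed(html)
    return doc


def looks_like_nextjs(html: str) -> bool:
    """Heuristic (assumed): Next.js apps ship their bundles under /_next/."""
    return any("/_next/" in src for src in parse_root(html).scripts)


def candidate_routes(html: str, base_url: str, limit: int = MAX_CANDIDATES) -> list:
    """Same-origin page routes to probe with PROBE_HEADERS, deduplicated and capped."""
    origin = urlparse(base_url)
    routes: list = []
    for href in parse_root(html).links:
        target = urlparse(urljoin(base_url, href))
        if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
            continue  # never follow off-origin links (mailto:, other hosts, CDNs)
        path = target.path or "/"
        if path not in routes:
            routes.append(path)
        if len(routes) >= limit:
            break
    return routes


# Constructed sample inputs for the example (not captured from any real site).
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/_next/static/chunks/main-app.js"></script>
</head><body>
<a href="/">Home</a> <a href="/blog">Blog</a> <a href="https://example.com/about">About</a>
<a href="https://cdn.example.net/x">Off-origin</a> <a href="/blog#top">Dup</a>
<a href="mailto:sec@example.com">Mail</a>
</body></html>"""
SAMPLE_FLIGHT_BODY = '0:["$","$L1",null,{"children":"__rsc"}]'

if __name__ == "__main__":
    print(looks_like_nextjs(SAMPLE_HTML), candidate_routes(SAMPLE_HTML, "https://example.com"))
    print(is_rsc_response({"Content-Type": "text/html"}, SAMPLE_FLIGHT_BODY))
```

The off-origin filter and the cap are what keep discovery "small": a root document with hundreds of links still yields at most `MAX_CANDIDATES` requests, and links to other hosts are never followed.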


Contextual Fingerprinting

Before CVE checks are executed, the scanner builds a context object containing:

  • Target reachability status
  • HTTP response headers
  • CDN / WAF indicators (Cloudflare, Akamai, Fastly)
  • Discovered RSC endpoints
  • Partial React version inference (best-effort)

The presence of a CDN or WAF explicitly downgrades result confidence.


Detection Model

Each CVE returns:

  • status:
    • NOT_DETECTED
    • POSSIBLE
    • LIKELY
    • INCONCLUSIVE
    • UNKNOWN
  • confidence score (0–100)
  • explanation containing structured reasons

Results are designed to be human-interpretable and machine-consumable.
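Put together, the context object from the previous section and the result envelope described here can be expressed as below. This is an added example, not the project's code: the header signatures used to spot Cloudflare, Akamai and Fastly, the 25-point CDN/WAF penalty, and the rule that a LIKELY verdict is demoted to POSSIBLE once its confidence falls under 70 are assumptions chosen for illustration; the README only states that a CDN/WAF downgrades confidence.

```python
"""Added example (not the project's code): the context built before detectors run
and the result envelope every detector returns. Header signatures, the 25-point
CDN/WAF penalty and the 70-point LIKELY threshold are assumed for illustration."""
import json
from dataclasses import dataclass, field, asdict
from enum import Enum
from typing import Optional


class Status(str, Enum):
    NOT_DETECTED = "NOT_DETECTED"
    POSSIBLE = "POSSIBLE"
    LIKELY = "LIKELY"
    INCONCLUSIVE = "INCONCLUSIVE"
    UNKNOWN = "UNKNOWN"


# Assumed response-header signatures: lower-cased header name -> CDN/WAF label.
CDN_SIGNATURES = {
    "cf-ray": "cloudflare",
    "cf-cache-status": "cloudflare",
    "x-akamai-transformed": "akamai",
    "x-served-by": "fastly",   # Fastly cache-node header; a weak signal on its own
}
SERVER_SIGNATURES = {"cloudflare": "cloudflare", "akamaighost": "akamai"}
CDN_PENALTY = 25   # assumed confidence downgrade when a CDN/WAF fronts the target
LIKELY_MIN = 70    # assumed: LIKELY is only kept at or above this confidence


@dataclass
class Context:
    reachable: bool
    headers: dict
    rsc_endpoints: list = field(default_factory=list)
    react_version: Optional[str] = None   # best-effort inference, often None

    @property
    def cdn(self) -> Optional[str]:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        for header, label in CDN_SIGNATURES.items():
            if header in lowered:
                return label
        server = lowered.get("server", "").lower()
        for needle, label in SERVER_SIGNATURES.items():
            if needle in server:
                return label
        return None


@dataclass
class DetectorResult:
    cve: str
    status: Status
    confidence: int
    reasons: list

    def to_json(self) -> str:
        """Machine-consumable form; status is emitted as its plain string value."""
        d = asdict(self)
        d["status"] = self.status.value
        return json.dumps(d)


def finalize(cve: str, status: Status, confidence: int, reasons: list, ctx: Context) -> DetectorResult:
    """Cross-cutting rules shared by every detector: clamp, downgrade behind CDN/WAF."""
    reasons = list(reasons)
    if not ctx.reachable:
        return DetectorResult(cve, Status.UNKNOWN, 0, ["target unreachable; no checks executed"])
    confidence = max(0, min(100, confidence))
    if ctx.cdn and status not in (Status.INCONCLUSIVE, Status.UNKNOWN):
        confidence = max(0, confidence - CDN_PENALTY)
        reasons.append(f"{ctx.cdn} in front of target; confidence downgraded by {CDN_PENALTY}")
        if status is Status.LIKELY and confidence < LIKELY_MIN:
            status = Status.POSSIBLE
            reasons.append("LIKELY demoted to POSSIBLE: behaviour may be masked by CDN/WAF")
    return DetectorResult(cve, status, confidence, reasons)


# Constructed sample context (header values are made up for the example).
SAMPLE_CTX = Context(
    reachable=True,
    headers={"Server": "cloudflare", "CF-RAY": "EXAMPLE-RAY-ID", "Content-Type": "text/html"},
    rsc_endpoints=["/", "/blog"],
)

if __name__ == "__main__":
    r = finalize("CVE-2025-55182", Status.LIKELY, 80,
                 ["rsc endpoint negotiates text/x-component"], SAMPLE_CTX)
    print(r.to_json())
```

Keeping the downgrade in one shared `finalize` step, rather than inside each CVE module, is what makes the "explicit handling of uncertainty" principle checkable: every result that passed through a CDN carries a reason line saying so.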


Covered Vulnerabilities

| CVE ID | Title | Severity | Component |
|---|---|---|---|
| CVE-2025-55182 | React2Shell / Insecure RSC Deserialization | Critical | React Server Components |
| CVE-2025-55184 | React RSC Recursive Resolution DoS | High | React Server Components |
| CVE-2025-67779 | React RSC DoS / Incomplete Fix Variant | High | React Server Components |
| CVE-2025-55183 | Server Function Source Code Exposure | Medium | React Server Components |

CVE Detection Notes

CVE-2025-55182

Detection is based on:

  • RSC endpoint behavior
  • RSC-specific response markers
  • Deserialization error patterns (optional, staging-only)
  • React version context

No executable payloads are sent.

CVE-2025-55184 / CVE-2025-67779

Detection is based on:

  • Response timing anomalies
  • Error behavior under RSC content negotiation
  • Known regression patterns

Requests are bounded and non-exhaustive.

CVE-2025-55183

Detection is based on:

  • Response content patterns on RSC endpoints
  • Observable source disclosure characteristics
  • HTTP status behavior
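The DoS checks for CVE-2025-55184 / CVE-2025-67779 above lean on "response timing anomalies" while keeping requests "bounded and non-exhaustive". The following added example (not the project's detector) shows what those two properties look like in code: a hard request budget shared by both sample sets, and a comparison that never returns more than POSSIBLE on timing alone. The baseline is the plain page fetch and the probe is the same route requested with Accept: text/x-component; no payload of any kind is sent. The sample counts, the 4x ratio, the confidence values and the replayed latencies are assumptions for the example.

```python
"""Added example (not the project's detector): a bounded, non-exhaustive timing
comparison. Sample counts, the 4x ratio, confidence values and the request
budget are assumed; the latencies are constructed, not measured."""
from statistics import median
from typing import Callable

MIN_SAMPLES = 3     # assumed: fewer than this in either set -> INCONCLUSIVE
RATIO = 4.0         # assumed: probe median must be 4x the baseline median
MAX_REQUESTS = 8    # assumed: hard cap on requests this check may send per target


class RequestBudget:
    """Counts requests so a check can never exceed its cap, whatever the server does."""

    def __init__(self, limit: int) -> None:
        self.limit, self.used = limit, 0

    def take(self) -> bool:
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


def sample(send: Callable[[], float], budget: RequestBudget, want: int) -> list:
    """Collect up to `want` latencies (ms), stopping early when the budget is exhausted."""
    out: list = []
    while len(out) < want and budget.take():
        out.append(send())
    return out


def timing_verdict(baseline: list, probe: list) -> dict:
    """Compare two latency samples; timing alone never yields more than POSSIBLE."""
    if len(baseline) < MIN_SAMPLES or len(probe) < MIN_SAMPLES:
        return {"status": "INCONCLUSIVE", "confidence": 0,
                "reasons": [f"need {MIN_SAMPLES} samples each, got {len(baseline)}/{len(probe)}"]}
    b, p = median(baseline), median(probe)
    reasons = [f"baseline median {b:.0f} ms, probe median {p:.0f} ms"]
    # Require both a large median gap and no overlap between the two sets, so a
    # single slow request (CDN miss, GC pause) cannot produce a verdict.
    if p >= RATIO * b and min(probe) > max(baseline):
        reasons.append("every probe slower than the slowest baseline request")
        return {"status": "POSSIBLE", "confidence": 40, "reasons": reasons}
    return {"status": "NOT_DETECTED", "confidence": 60, "reasons": reasons}


def run_check(send_baseline: Callable[[], float], send_probe: Callable[[], float],
              limit: int = MAX_REQUESTS) -> dict:
    """Spend one budget across both sample sets: baseline first, then the probe."""
    budget = RequestBudget(limit)
    baseline = sample(send_baseline, budget, MIN_SAMPLES + 2)
    probe = sample(send_probe, budget, MIN_SAMPLES)
    result = timing_verdict(baseline, probe)
    result["requests_sent"] = budget.used
    return result


def fake_send(latencies_ms: list) -> Callable[[], float]:
    """Constructed stand-in for a real HTTP call: replays recorded latencies in order."""
    it = iter(latencies_ms)
    return lambda: next(it)


if __name__ == "__main__":
    print(run_check(fake_send([40, 42, 41, 39, 43]), fake_send([400, 420, 410])))
```

Note what happens when the budget is smaller than the samples the check would like: it runs out during the probe set and the verdict becomes INCONCLUSIVE rather than the check quietly sending more requests, which is the behaviour the non-exploitation policy asks for.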

Configuration

The scanner supports optional YAML configuration.

Example:

```yaml
staging_only: true
headers:
  Authorization: Bearer REDACTED
cookies:
  session: REDACTED
```

The staging_only flag enables additional benign validation checks intended only for non-production systems.


Execution

Interactive: python scanner.py

Direct: python scanner.py https://example.com

JSON output: python scanner.py https://example.com --json

With configuration: python scanner.py https://example.com --config config.yaml


Limitations

  • False negatives are possible
  • CDN/WAFs may mask behavior
  • Version fingerprinting is best-effort
  • Results do not imply exploitability

Interpret results in context.


Intended Audience

  • Application security engineers
  • Platform engineers
  • React / Next.js maintainers
  • Security-conscious development teams

This tool is designed for internal use in controlled environments.