CVE-2025-55182

Next.js RCE Scanner

Quick vulnerability check for React Server Components

cve-shield.dev — Web interface for Assetnote's react2shell-scanner

CVE-2025-55182 & CVE-2025-66478

Quick Scan for Next.js RCE Vulnerabilities

No CLI install needed. Quickly check your Next.js apps for React Server Components vulnerabilities using Assetnote's detection methodology. Built with Claude Opus 4.5.

Scan Now Get the CLI

react2shell-scanner (Assetnote)

$python scanner.py -u https://target.com --safe

[*] React2Shell Scanner v1.0.0

[*] Scanning https://target.com...

[*] Testing path: /

[+] Vulnerable! CVE-2025-55182 detected

[*] Response header: X-Action-Redirect: /login?a=11111

This web version implements the same detection logic. For full features, use the original CLI tool.

Live Vulnerability Scanner

Instantly detect CVE-2025-55182 & CVE-2025-66478 in Next.js applications

5/5scans this hour

Which scan mode should I use?

Safe Check Mode (Recommended)

Sends malformed action ID to trigger error response. Detects vulnerability via 500 status + error digest. No code is executed on target.

RCE Verification Mode

Sends actual payload (41x271=11111) and checks for output. Confirms code execution capability. Only use on authorized targets.

Note: A target can be "Safe Check Vulnerable" but "RCE Safe" if the parsing flaw exists but execution is blocked (partial patch, WAF, or middleware). The vulnerability still needs patching as it may be chainable with other exploits.

Scan Target

Enter URL to scan for RSC vulnerabilities

One URL per line for bulk scanning

Scan Settings

Safe Check Mode

WAF Bypass Mode

Safe mode: Will detect vulnerability without code execution

Results

No scans yet

Enter a URL above to begin

10/10

CVSS Score

Critical Severity

100K+

Apps at Risk

Next.js deployments

<1s

Scan Time

Per target

Zero

False Positives

High fidelity detection

How It Works

Same detection methodology as Assetnote's scanner

Safe Check Mode

Detect vulnerabilities using side-channel indicators without executing code on targets.

WAF Bypass

Built-in techniques to bypass WAF content inspection that only analyzes initial request portions.

High Fidelity

Zero false positives with deterministic math operation verification (41×271=11111).

Bulk Scanning

Scan multiple targets at once. Enter one URL per line for batch checks.

Full CLI Available

Need threading, proxies, or advanced features? Use the original Assetnote CLI tool.

Copy Results

Easily copy scan results for reporting, documentation, or further analysis.

For production security, use the original CLI tool.