Critical Vulnerability Scanner • By Hadrian

Detect CVE-2025-55182 in React Server Components

Check if your Next.js application is vulnerable to the pre-authentication Remote Code Execution vulnerability in React Server Components.

Vulnerability Scanner

Enter a URL to scan for CVE-2025-55182 (React2Shell) and CVE-2025-66478 RCE vulnerabilities

About CVE-2025-55182 (React2Shell)

What is it?

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication Remote Code Execution (RCE) vulnerability caused by unsafe deserialization in the React Server Components "Flight" protocol. This vulnerability affects React and Next.js applications using Server Components.

Affected Versions

React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Next.js: 15.x, 16.x (App Router)

Detection Method

This scanner sends a deliberately malformed RSC payload and checks for the vulnerability signature: an HTTP 500 status and a response containing E{"digest". It uses the detection method developed by Hadrian.

CVSS Score

9.8 Critical

Remediation Guide

✅ Fixed Versions

React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

🔧 Remediation Steps

  1. Update Dependencies: npm update react react-dom next
  2. Verify Versions: npm list react next
  3. Rebuild & Redeploy: Clear caches and redeploy your application with the patched versions.
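
To make the "Verify Versions" step checkable in CI, the following added example (not Hadrian's code) walks a dependency tree in the shape printed by `npm ls --json` and classifies every installed `react` and `next` copy against the fixed-version list above. The function names and the sample tree are constructed for illustration, and it assumes that any later patch on a listed release line stays fixed.

```javascript
// Added example: classify installed react/next versions against this page's lists.
// First fixed patch per release line, taken from "Fixed Versions" above.
// Assumption: a patch number >= the listed fix on the same line is also fixed.
const FIXED = {
  react: { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};

function classify(name, version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  // Prerelease/canary tags and unknown packages are not covered by the page.
  if (!m || !FIXED[name]) return "unlisted";
  const fixedPatch = FIXED[name][`${m[1]}.${m[2]}`];
  if (fixedPatch === undefined) return "unlisted"; // release line not on the page
  return Number(m[3]) < fixedPatch ? "affected" : "fixed";
}

// Recursively collect every react/next entry, including nested copies that
// a top-level version check would miss.
function findInstalled(node, path = [], found = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (FIXED[name] && dep.version) {
      found.push({ name, version: dep.version, path: here.join(" > ") });
    }
    findInstalled(dep, here, found);
  }
  return found;
}

function audit(tree) {
  return findInstalled(tree).map((d) => ({ ...d, status: classify(d.name, d.version) }));
}

// Constructed sample in the shape of `npm ls --json` output.
const SAMPLE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    next: { version: "15.2.3" },
    react: { version: "19.1.2" },
    "legacy-widget": { version: "2.0.0", dependencies: { react: { version: "19.1.0" } } },
    "old-charts": { version: "1.4.0", dependencies: { react: { version: "18.3.1" } } },
  },
};

for (const r of audit(SAMPLE)) console.log(`${r.status.padEnd(9)} ${r.name}@${r.version}  (${r.path})`);
```

To run it on a real project, replace `SAMPLE` with the parsed output of `npm ls react next --all --json`; an "unlisted" result means the page gives no verdict for that release line, not that it is safe.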