# 🔍 React RSC Vulnerability Scanner

A fast, zero-dependency Node.js CLI tool to scan your projects for React Server Components security vulnerabilities.

```bash
npx react-rsc-vuln-scanner /path/to/your/projects
```

![Node.js](https://img.shields.io/badge/Node.js-18+-339933?logo=node.js&logoColor=white)
![License](https://img.shields.io/badge/License-MIT-blue)
![CVE](https://img.shields.io/badge/CVE--2025--55182-CRITICAL-red)
![CVE](https://img.shields.io/badge/CVE--2025--55184-HIGH-orange)
![CVE](https://img.shields.io/badge/CVE--2025--55183-MEDIUM-yellow)
[![npm](https://img.shields.io/npm/v/react-rsc-vuln-scanner)](https://www.npmjs.com/package/react-rsc-vuln-scanner)

## 🚨 About the Vulnerabilities

This scanner checks for **three CVEs** affecting React Server Components:

| CVE | Severity | CVSS | Description | Disclosed |
|-----|----------|------|-------------|-----------|
| **CVE-2025-55182** | 🔴 CRITICAL | 10.0 | Remote Code Execution (React2Shell) | Dec 3, 2025 |
| **CVE-2025-55184** | 🟠 HIGH | 7.5 | Denial of Service | Dec 11, 2025 |
| **CVE-2025-55183** | 🟡 MEDIUM | 5.3 | Source Code Exposure | Dec 11, 2025 |

> ⚠️ **Important:** The patches for CVE-2025-55182 (versions 19.0.1, 19.1.2, 19.2.1) are vulnerable to the two new CVEs. You must upgrade to **19.0.2, 19.1.3, or 19.2.2** to be fully protected.

**Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.**

### Affected Packages

| Package | Vulnerable Versions | Fixed Versions |
|---------|---------------------|----------------|
| `react-server-dom-webpack` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |
| `react-server-dom-parcel` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |
| `react-server-dom-turbopack` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |

### Affected Frameworks

- **Next.js** — See patched versions below (Pages Router not affected)
- **React Router** — If using unstable RSC APIs
- **Waku**
- **@parcel/rsc**
- **@vitejs/plugin-rsc**
- **rwsdk** (Redwood SDK)

### Next.js Patched Versions

From [Vercel's Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183):

| Next.js Version | Fixed In |
|-----------------|----------|
| 13.x | Upgrade to **14.2.35** |
| 14.x | **14.2.35** |
| 15.0.x | **15.0.7** |
| 15.1.x | **15.1.11** |
| 15.2.x | **15.2.8** |
| 15.3.x | **15.3.8** |
| 15.4.x | **15.4.10** |
| 15.5.x | **15.5.9** |
| 16.0.x | **16.0.10** |

> **Note:** Next.js Pages Router applications are **not affected**. Only App Router with React Server Components is vulnerable.

## ✨ Features

- 🚀 **Zero dependencies** — Pure Node.js, no npm install required
- 📁 **Recursive scanning** — Scans all subdirectories for Node.js projects
- 🎯 **Direct & transitive detection** — Checks both direct dependencies and flags frameworks that may include vulnerable packages
- 🎨 **Beautiful CLI output** — Color-coded results with clear severity indicators
- ⚡ **Fast** — Skips `node_modules`, `.git`, `dist`, and other non-essential directories
- 📊 **Detailed reporting** — Lists all scanned projects and provides actionable upgrade instructions

## 🚀 Quick Start

**No installation required!** Run directly with npx:

```bash
npx react-rsc-vuln-scanner /path/to/your/projects
```

That's it! One command to scan all your projects.

## 📦 Alternative Installation

### Global Install (optional)

```bash
npm install -g react-rsc-vuln-scanner
react-rsc-vuln-scanner /path/to/projects
```

### Download Script Directly

```bash
# Clone the repository
git clone https://github.com/yourusername/react-rsc-vuln-scanner.git
node react-rsc-vuln-scanner/scan-react-rsc-vuln.js /path/to/projects

# Or just download the script
curl -O https://raw.githubusercontent.com/yourusername/react-rsc-vuln-scanner/main/scan-react-rsc-vuln.js
node scan-react-rsc-vuln.js /path/to/projects
```

## 📖 Usage Examples

Scan your entire projects directory:

```bash
npx react-rsc-vuln-scanner /Users/username/projects
```

Scan a specific project:

```bash
npx react-rsc-vuln-scanner /Users/username/projects/my-nextjs-app
```

Show help:

```bash
npx react-rsc-vuln-scanner --help
```

## 📸 Sample Output

```
══════════════════════════════════════════════════════════════════════
  React Server Components Vulnerability Scanner
══════════════════════════════════════════════════════════════════════
  Checking for 3 CVEs:
  • CVE-2025-55182 - RCE (CRITICAL, CVSS 10.0)
  • CVE-2025-55184 - Denial of Service (HIGH, CVSS 7.5)
  • CVE-2025-55183 - Source Code Exposure (MEDIUM, CVSS 5.3)
──────────────────────────────────────────────────────────────────────
  References:
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

🔍 Scanning for package.json files...

📂 Scan Directory: /Users/username/projects
📊 Total Projects Scanned: 15

──────────────────────────────────────────────────────────────────────
📋 All Scanned Projects:
──────────────────────────────────────────────────────────────────────
   • my-nextjs-app
   • react-dashboard
   • api-server
   ...

──────────────────────────────────────────────────────────────────────
🚨 VULNERABLE PACKAGES FOUND:
──────────────────────────────────────────────────────────────────────

   📁 my-nextjs-app
      Path: /Users/username/projects/my-nextjs-app
      • react-server-dom-webpack@19.1.0 [VULNERABLE]
        ⚠️  CVE-2025-55182: Remote Code Execution (React2Shell) (CRITICAL, CVSS 10.0)
        ⚠️  CVE-2025-55184: Denial of Service (HIGH, CVSS 7.5)
        ⚠️  CVE-2025-55183: Source Code Exposure (MEDIUM, CVSS 5.3)
        🔧 Upgrade to: 19.0.2 or 19.1.3 or 19.2.2

──────────────────────────────────────────────────────────────────────
⚠️  PROJECTS WITH POTENTIALLY AFFECTED FRAMEWORKS:
──────────────────────────────────────────────────────────────────────

   📁 react-dashboard
      Path: /Users/username/projects/react-dashboard
      • next@15.3.1
        Next.js - check if using RSC features
        Check fixed versions for your release line

══════════════════════════════════════════════════════════════════════
📈 SUMMARY
══════════════════════════════════════════════════════════════════════
   Total projects scanned: 15
   Projects with vulnerable packages: 1
   Projects with affected frameworks: 2

⚠️  ACTION REQUIRED:
   1. Update vulnerable packages immediately to 19.0.2, 19.1.3, or 19.2.2
   2. Check node_modules for transitive dependencies
   3. Run `npm ls react-server-dom-webpack` to check nested deps
   4. References:
      - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
      - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
```

## 🔧 How It Works

1. Recursively finds all `package.json` files in the target directory
2. Skips common non-essential directories (`node_modules`, `.git`, `dist`, `build`, `.next`, `.cache`, `coverage`)
3. Parses each `package.json` and checks `dependencies`, `devDependencies`, and `peerDependencies`
4. Identifies directly vulnerable packages with exact version matching
5. Flags projects using frameworks that may include vulnerable packages as transitive dependencies
6. Outputs a comprehensive report with actionable remediation steps
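As an added example (not the scanner's own code), the following JavaScript implements the check that steps 3 to 5 describe, using the version tables in this README. It assumes a leading `^` or `~` on a declared range is stripped before the exact-version match (the scanner itself may not do this), and it goes one step further than the scanner by looking up the Next.js fixed version for the project's release line.

```javascript
// Added example, not the scanner's own code: the per-package.json check of
// steps 3-5 above. Version tables are copied from this README.
const VULNERABLE = new Set(["19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"]);
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const FIXED_BY_LINE = { "19.0": "19.0.2", "19.1": "19.1.3", "19.2": "19.2.2" };
// Next.js fixed version per release line (13.x upgrades to 14.2.35).
const NEXT_FIXED = {
  "13": "14.2.35", "14": "14.2.35", "15.0": "15.0.7", "15.1": "15.1.11", "15.2": "15.2.8",
  "15.3": "15.3.8", "15.4": "15.4.10", "15.5": "15.5.9", "16.0": "16.0.10",
};
// package.json declares ranges, not installed versions. Assumption made here:
// strip a leading ^ or ~ so "^19.1.0" compares as "19.1.0"; any other range
// (">=19", "latest") will not match and must be resolved with `npm ls`.
function pinned(spec) {
  return String(spec).replace(/^[\^~]/, "");
}

// True when dotted version a sorts numerically before b (three components).
function lessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Returns { vulnerable: [{ name, version, upgradeTo }],
//           frameworks: [{ name, version, fixedIn, needsUpgrade }] }
function checkPackage(pkg) {
  const deps = Object.assign({}, pkg.peerDependencies, pkg.devDependencies, pkg.dependencies);
  const vulnerable = [], frameworks = [];
  for (const name of RSC_PACKAGES) {
    if (!(name in deps)) continue;
    const version = pinned(deps[name]);
    if (!VULNERABLE.has(version)) continue; // exact match against the advisory list
    const line = version.split(".").slice(0, 2).join(".");
    vulnerable.push({ name, version, upgradeTo: FIXED_BY_LINE[line] });
  }
  if ("next" in deps) { // framework that may bundle a vulnerable package transitively
    const version = pinned(deps.next);
    const [major, minor] = version.split(".");
    const fixedIn = NEXT_FIXED[`${major}.${minor}`] || NEXT_FIXED[major] || null;
    frameworks.push({ name: "next", version, fixedIn, needsUpgrade: fixedIn !== null && lessThan(version, fixedIn) });
  }
  return { vulnerable, frameworks };
}

// Constructed sample mirroring the "Sample Output" section; not a real project.
console.log(JSON.stringify(checkPackage({ dependencies: { "react-server-dom-webpack": "19.1.0", next: "^15.3.1" } }), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package.json", "utf8"))` to `checkPackage`; a `needsUpgrade: false` result for `next` still warrants the `npm ls` checks below, since the declared range may not be what is installed.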

## ⚠️ Important Notes

- This tool checks `package.json` files for **declared dependencies** only; it does not inspect the versions actually installed
- For complete security, also check your `node_modules` for **transitive dependencies**:
  ```bash
  npm ls react-server-dom-webpack
  npm ls react-server-dom-parcel
  npm ls react-server-dom-turbopack
  ```
- If your app's React code does not use a server, your app is **not affected**
- If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is **not affected**

## 🛡️ Remediation

### Direct React RSC Packages

Upgrade to the latest patched versions (**19.0.2**, **19.1.3**, or **19.2.2**):

```bash
# For 19.0.x line
npm install react-server-dom-webpack@19.0.2
npm install react-server-dom-parcel@19.0.2
npm install react-server-dom-turbopack@19.0.2

# For 19.1.x line
npm install react-server-dom-webpack@19.1.3
npm install react-server-dom-parcel@19.1.3
npm install react-server-dom-turbopack@19.1.3

# For 19.2.x line (recommended)
npm install react-server-dom-webpack@19.2.2
npm install react-server-dom-parcel@19.2.2
npm install react-server-dom-turbopack@19.2.2
```

### Next.js

Update to the patched version for your release line (from [Vercel's Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)):

```bash
npm install next@14.2.35  # for 13.x and 14.x
npm install next@15.0.7   # for 15.0.x
npm install next@15.1.11  # for 15.1.x
npm install next@15.2.8   # for 15.2.x
npm install next@15.3.8   # for 15.3.x
npm install next@15.4.10  # for 15.4.x
npm install next@15.5.9   # for 15.5.x
npm install next@16.0.10  # for 16.0.x
```

Or use Vercel's automated fix tool:

```bash
npx fix-react2shell-next
```

## 🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## 📄 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## 🔗 References

- [React Security Advisory - RCE (Dec 3, 2025)](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [React Security Advisory - DoS & Source Code Exposure (Dec 11, 2025)](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
- [Vercel Security Bulletin - CVE-2025-55184 & CVE-2025-55183](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)
- [CVE-2025-55182](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182) - Remote Code Execution (CRITICAL)
- [CVE-2025-55184](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55184) - Denial of Service (HIGH)
- [CVE-2025-55183](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55183) - Source Code Exposure (MEDIUM)

## 💖 Acknowledgments

- Thanks to Lachlan Davidson for discovering and responsibly disclosing CVE-2025-55182
- Thanks to Andrew MacPherson (AndrewMohawk) for reporting the Source Code Exposure (CVE-2025-55183)
- Thanks to RyotaK from GMO Flatt Security Inc for reporting the Denial of Service vulnerability (CVE-2025-55184)
- The React team for the rapid response and fixes

---

**⚠️ Disclaimer:** This tool is provided as-is for informational purposes. Always verify findings manually and follow official remediation guidance from the React team and your framework maintainers.

