react-rsc-vuln-scanner
CLI tool to scan projects for React Server Components vulnerabilities (CVE-2025-55182, CVE-2025-55184, CVE-2025-55183)
# React RSC Vulnerability Scanner
A fast, zero-dependency Node.js CLI tool to scan your projects for React Server Components security vulnerabilities.
```bash
npx react-rsc-vuln-scanner /path/to/your/projects
```

[npm package: react-rsc-vuln-scanner](https://www.npmjs.com/package/react-rsc-vuln-scanner)
## About the Vulnerabilities
This scanner checks for **three CVEs** affecting React Server Components:
| CVE | Severity | CVSS | Description | Disclosed |
|-----|----------|------|-------------|-----------|
| **CVE-2025-55182** | CRITICAL | 10.0 | Remote Code Execution (React2Shell) | Dec 3, 2025 |
| **CVE-2025-55184** | HIGH | 7.5 | Denial of Service | Dec 11, 2025 |
| **CVE-2025-55183** | MEDIUM | 5.3 | Source Code Exposure | Dec 11, 2025 |

> ⚠️ **Important:** The patches for CVE-2025-55182 (versions 19.0.1, 19.1.2, 19.2.1) are vulnerable to the two new CVEs. You must upgrade to **19.0.2, 19.1.3, or 19.2.2** to be fully protected.
**Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.**
### Affected Packages
| Package | Vulnerable Versions | Fixed Versions |
|---------|---------------------|----------------|
| `react-server-dom-webpack` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |
| `react-server-dom-parcel` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |
| `react-server-dom-turbopack` | 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 | **19.0.2**, **19.1.3**, **19.2.2** |
### Affected Frameworks
- **Next.js** - See patched versions below (Pages Router not affected)
- **React Router** - If using unstable RSC APIs
- **Waku**
- **@parcel/rsc**
- **@vitejs/plugin-rsc**
- **rwsdk** (Redwood SDK)
### Next.js Patched Versions
From [Vercel's Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183):
| Next.js Version | Fixed In |
|-----------------|----------|
| 13.x | Upgrade to **14.2.35** |
| 14.x | **14.2.35** |
| 15.0.x | **15.0.7** |
| 15.1.x | **15.1.11** |
| 15.2.x | **15.2.8** |
| 15.3.x | **15.3.8** |
| 15.4.x | **15.4.10** |
| 15.5.x | **15.5.9** |
| 16.0.x | **16.0.10** |
> **Note:** Next.js Pages Router applications are **not affected**. Only App Router with React Server Components is vulnerable.
## Features
- **Zero dependencies** - Pure Node.js, no npm install required
- **Recursive scanning** - Scans all subdirectories for Node.js projects
- **Direct & transitive detection** - Checks direct dependencies and flags frameworks that may include vulnerable packages transitively
- **Beautiful CLI output** - Color-coded results with clear severity indicators
- **Fast** - Skips `node_modules`, `.git`, `dist`, and other non-essential directories
- **Detailed reporting** - Lists all scanned projects and provides actionable upgrade instructions
## Quick Start
**No installation required!** Run directly with npx:
```bash
npx react-rsc-vuln-scanner /path/to/your/projects
```
That's it! One command to scan all your projects.
## Alternative Installation
### Global Install (optional)
```bash
npm install -g react-rsc-vuln-scanner
react-rsc-vuln-scanner /path/to/projects
```
### Download Script Directly
```bash
# Clone the repository
git clone https://github.com/yourusername/react-rsc-vuln-scanner.git
node react-rsc-vuln-scanner/scan-react-rsc-vuln.js /path/to/projects
# Or just download the script
curl -O https://raw.githubusercontent.com/yourusername/react-rsc-vuln-scanner/main/scan-react-rsc-vuln.js
node scan-react-rsc-vuln.js /path/to/projects
```
## Usage Examples
Scan your entire projects directory:
```bash
npx react-rsc-vuln-scanner /Users/username/projects
```
Scan a specific project:
```bash
npx react-rsc-vuln-scanner /Users/username/projects/my-nextjs-app
```
Show help:
```bash
npx react-rsc-vuln-scanner --help
```
## Sample Output
```
──────────────────────────────────────────────────────────────────────
React Server Components Vulnerability Scanner
──────────────────────────────────────────────────────────────────────
Checking for 3 CVEs:
  • CVE-2025-55182 - RCE (CRITICAL, CVSS 10.0)
  • CVE-2025-55184 - Denial of Service (HIGH, CVSS 7.5)
  • CVE-2025-55183 - Source Code Exposure (MEDIUM, CVSS 5.3)
──────────────────────────────────────────────────────────────────────
References:
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Scanning for package.json files...

Scan Directory: /Users/username/projects
Total Projects Scanned: 15
──────────────────────────────────────────────────────────────────────
All Scanned Projects:
──────────────────────────────────────────────────────────────────────
  • my-nextjs-app
  • react-dashboard
  • api-server
  ...
──────────────────────────────────────────────────────────────────────
VULNERABLE PACKAGES FOUND:
──────────────────────────────────────────────────────────────────────
my-nextjs-app
  Path: /Users/username/projects/my-nextjs-app
  • react-server-dom-webpack@19.1.0 [VULNERABLE]
    ⚠️ CVE-2025-55182: Remote Code Execution (React2Shell) (CRITICAL, CVSS 10.0)
    ⚠️ CVE-2025-55184: Denial of Service (HIGH, CVSS 7.5)
    ⚠️ CVE-2025-55183: Source Code Exposure (MEDIUM, CVSS 5.3)
    Upgrade to: 19.0.2 or 19.1.3 or 19.2.2
──────────────────────────────────────────────────────────────────────
⚠️ PROJECTS WITH POTENTIALLY AFFECTED FRAMEWORKS:
──────────────────────────────────────────────────────────────────────
react-dashboard
  Path: /Users/username/projects/react-dashboard
  • next@15.3.1
    Next.js - check if using RSC features
    Check fixed versions for your release line
──────────────────────────────────────────────────────────────────────
SUMMARY
──────────────────────────────────────────────────────────────────────
Total projects scanned: 15
Projects with vulnerable packages: 1
Projects with affected frameworks: 2
⚠️ ACTION REQUIRED:
  1. Update vulnerable packages immediately to 19.0.2, 19.1.3, or 19.2.2
  2. Check node_modules for transitive dependencies
  3. Run `npm ls react-server-dom-webpack` to check nested deps
  4. References:
     - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
     - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
```
## How It Works
1. Recursively finds all `package.json` files in the target directory
2. Skips common non-essential directories (`node_modules`, `.git`, `dist`, `build`, `.next`, `.cache`, `coverage`)
3. Parses each `package.json` and checks `dependencies`, `devDependencies`, and `peerDependencies`
4. Identifies directly vulnerable packages with exact version matching
5. Flags projects using frameworks that may include vulnerable packages as transitive dependencies
6. Outputs a comprehensive report with actionable remediation steps
## ⚠️ Important Notes
- This tool checks `package.json` files for **declared dependencies**
- For complete security, also check your `node_modules` for **transitive dependencies**:
```bash
npm ls react-server-dom-webpack
npm ls react-server-dom-parcel
npm ls react-server-dom-turbopack
```
- If your app's React code does not use a server, your app is **not affected**
- If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is **not affected**
## Remediation
### Direct React RSC Packages
Upgrade to the latest patched versions (**19.0.2**, **19.1.3**, or **19.2.2**):
```bash
# For 19.0.x line
npm install react-server-dom-webpack@19.0.2
npm install react-server-dom-parcel@19.0.2
npm install react-server-dom-turbopack@19.0.2
# For 19.1.x line
npm install react-server-dom-webpack@19.1.3
npm install react-server-dom-parcel@19.1.3
npm install react-server-dom-turbopack@19.1.3
# For 19.2.x line (recommended)
npm install react-server-dom-webpack@19.2.2
npm install react-server-dom-parcel@19.2.2
npm install react-server-dom-turbopack@19.2.2
```
### Next.js
Update to the patched version for your release line (from [Vercel's Security Bulletin](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)):
```bash
npm install next@14.2.35 # for 13.x and 14.x
npm install next@15.0.7 # for 15.0.x
npm install next@15.1.11 # for 15.1.x
npm install next@15.2.8 # for 15.2.x
npm install next@15.3.8 # for 15.3.x
npm install next@15.4.10 # for 15.4.x
npm install next@15.5.9 # for 15.5.x
npm install next@16.0.10 # for 16.0.x
```
Or use Vercel's automated fix tool:
```bash
npx fix-react2shell-next
```
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## References
- [React Security Advisory - RCE (Dec 3, 2025)](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [React Security Advisory - DoS & Source Code Exposure (Dec 11, 2025)](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
- [Vercel Security Bulletin - CVE-2025-55184 & CVE-2025-55183](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183)
- [CVE-2025-55182](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182) - Remote Code Execution (CRITICAL)
- [CVE-2025-55184](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55184) - Denial of Service (HIGH)
- [CVE-2025-55183](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55183) - Source Code Exposure (MEDIUM)
## Acknowledgments
- Thanks to Lachlan Davidson for discovering and responsibly disclosing CVE-2025-55182
- Thanks to Andrew MacPherson (AndrewMohawk) for reporting the Source Code Exposure (CVE-2025-55183)
- Thanks to RyotaK from GMO Flatt Security Inc for reporting the Denial of Service vulnerability (CVE-2025-55184)
- The React team for the rapid response and fixes
---
**⚠️ Disclaimer:** This tool is provided as-is for informational purposes. Always verify findings manually and follow official remediation guidance from the React team and your framework maintainers.