@inwpu inwpu commented Dec 8, 2025

Related issue: #20745

Summary

This PR adds a new auxiliary scanner module to detect React Server Components (RSC)
digest exposure vulnerabilities related to:

The module performs safe and non-destructive detection by sending a controlled RSC
multipart payload and checking for digest reflection in the HTTP response.
No command execution is performed during scanning.

Included Files

  • auxiliary/scanner/http/rsc_digest_cve_2025_dual.rb
  • docs/rsc_digest_cve_2025_dual.md

Features

  • Dual CVE detection logic
  • Safe payload (no OS command execution)
  • Works on both ports:
    • 3000 → React2Shell (CVE-2025-55182)
    • 3001 → Next.js RSC (CVE-2025-66478)
  • Verified against a self-built vulnerable lab environment

Testing

  • Tested against local Docker lab
  • Verified vulnerable detection on:
    • 127.0.0.1:3000
    • 127.0.0.1:3001

Author

hxorz
[email protected]

@inwpu
Author

inwpu commented Dec 8, 2025

Hi maintainers,
this PR adds a new auxiliary scanner that detects RSC digest-based RCE for both CVE-2025-55182 and CVE-2025-66478.

The module includes:

  • Dual CVE detection logic
  • Safe payload execution
  • Detailed documentation and usage examples

Looking forward to your review. Thank you!

@smcintyre-r7
Contributor

This is a duplicate of #20747. Since that one has a check method, and I'm pretty sure it can run against multiple hosts, I'm not sure we need a dedicated scanner module.

@0xv1n

0xv1n commented Dec 8, 2025

Pedantic nit, but I don't know how appropriate it is to include an author name as part of a payload.

@jheysel-r7
Contributor

Hey @inwpu. Thank you so much for the contribution, we really appreciate it. The other PR we received #20747 enables exploitation of these CVEs as well as detection, and for that reason we're going to close this PR. Sorry about that, hope you understand ❤️

@jheysel-r7 jheysel-r7 closed this Dec 8, 2025
@inwpu inwpu deleted the add-rsc-cve-2025-dual branch December 10, 2025 09:46