Burp Suite’s Scanning Arsenal Powered With Detection for Critical React2Shell Vulnerabilities


PortSwigger has enhanced Burp Suite’s scanning arsenal with the latest update to its ActiveScan++ extension, introducing detection for the critical React2Shell vulnerabilities (CVE-2025-55182 and CVE-2025-66478).

This server-side request forgery (SSRF) flaw in React applications allows attackers to execute arbitrary shell commands, potentially leading to full remote code execution (RCE) on affected servers.

Security researchers and penetration testers can now identify these zero-day risks during routine scans, strengthening defenses against a vulnerability chain that has already surfaced in production environments.

ActiveScan++ builds on Burp Suite’s active and passive scanning by adding low-overhead checks for advanced application behaviors. It detects subtle issues that evade standard scanners, such as host header manipulations, including password reset poisoning, cache poisoning, and DNS rebinding attacks.

A significant addition is the coverage for high-profile CVEs, now including React2Shell along with well-known vulnerabilities like Shellshock and Log4Shell. Testers now benefit from Unicode bypass detection, triggered passive scans during fuzzing, and HTTP basic authentication insertion points.

| CVE ID | Vulnerability | CVSS v3.1 Score | Affected Component |
|---|---|---|---|
| CVE-2025-55182 | React2Shell SSRF-to-RCE | 9.8 (Critical) | React server endpoints |
| CVE-2025-66478 | React2Shell SSRF-to-RCE | 9.1 (Critical) | React routing handlers |
| CVE-2021-44228 | Log4Shell | 10.0 (Critical) | Log4j libraries |
| CVE-2014-6271 | Shellshock (Bash) | 9.8 (Critical) | Bash shells |

Integration is seamless: launch a standard Burp active scan, and ActiveScan++ runs all checks automatically. Results appear in the scan dashboard, categorized by severity. Caution is advised when performing host header tests on shared hosting, as they may redirect to unintended apps.


This update arrives amid rising SSRF exploits in React ecosystems, and developers are urged to patch affected applications and to harden them with input sanitization and request whitelisting. Download ActiveScan++ from the BApp Store for immediate use.
