New Scanner Tool for Detecting Exposed ReactJS and Next.js RSC Endpoints (CVE-2025-55182)

A new security assessment tool has been released to help researchers and administrators identify React Server Components (RSC) endpoints potentially exposed to CVE-2025-55182.

Developed by a pentester with the alias Fatguru as a lightweight, non-intrusive Python script, the scanner offers a method for “Surface Detection” that avoids the pitfalls of aggressive proof-of-concept (PoC) exploits, which frequently fail in production environments due to code minification and tree-shaking.

CVE-2025-55182 is a critical vulnerability in the Next.js framework, specifically affecting how Server Actions handle serialized data. While the vulnerability can lead to Remote Code Execution (RCE), verifying its presence has proven difficult for security teams.

Many existing PoCs attempt to inject rigid payloads, such as vm#runInThisContext, or rely on default module IDs like {"id":"vm"}.

In development environments, these payloads often trigger successfully. However, in production builds using Webpack or Turbopack, module IDs are typically minified into integers (e.g., 742) or short strings.

Consequently, standard RCE attempts fail against vulnerable servers because the exploit payload references module names that no longer exist in the compiled code, leading to a dangerous false sense of security.

The newly released scanner addresses this detection gap by validating the attack surface rather than attempting to fire a specific exploit gadget.

Instead of sending a malicious payload, the tool checks whether the target server exposes the RSC protocol, indicated by the Content-Type: text/x-component header, and accepts specific Next.js action headers. If the server attempts to process these RSC payloads, the tool flags the endpoint as exposed.

This approach confirms that the vulnerability pathway is open without needing to guess the correct minified module ID or disrupt the server operations.
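The same two signals can also be read passively from logs an organization already holds. The following is an added example, not the scanner's code or anything from its author: it inventories endpoints from a constructed JSON-lines proxy log and renders them as CSV. The log field names, the rsc-only label and the choice of the Next-Action request header as the action signal are assumptions.

```python
import csv
import io
import json

RSC_TYPE = "text/x-component"  # response Content-Type named in the article
ACTION_HEADER = "next-action"  # Next.js Server Action request header (assumed signal)

# Constructed sample proxy log, one JSON object per line (field names are hypothetical).
SAMPLE_LOG = """\
{"host":"shop.example","method":"POST","path":"/checkout","req_headers":{"Next-Action":"<id>"},"status":200,"resp_content_type":"text/x-component"}
{"host":"shop.example","method":"GET","path":"/about","req_headers":{"Accept":"text/html"},"status":200,"resp_content_type":"text/html; charset=utf-8"}
{"host":"api.example","method":"POST","path":"/login","req_headers":{"Next-Action":"<id>"},"status":404,"resp_content_type":"text/html"}
{"host":"docs.example","method":"GET","path":"/guide","req_headers":{},"status":200,"resp_content_type":"text/x-component"}
not-json garbage line
"""

def classify(rec):
    """Label one request/response pair by the RSC surface it reveals."""
    headers = {k.lower() for k in (rec.get("req_headers") or {})}
    ctype = (rec.get("resp_content_type") or "").split(";")[0].strip().lower()
    if ctype == RSC_TYPE and ACTION_HEADER in headers and rec.get("method") == "POST":
        return "exposed"    # action header accepted and answered in RSC format
    if ctype == RSC_TYPE:
        return "rsc-only"   # RSC protocol visible, no Server Action observed
    return "none"

def inventory(log_text):
    """Keep the strongest label seen per (host, path); skip unparsable lines."""
    rank = {"none": 0, "rsc-only": 1, "exposed": 2}
    seen = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            key = (rec["host"], rec["path"])
        except (ValueError, KeyError, TypeError):
            continue
        label = classify(rec)
        if rank[label] > rank.get(seen.get(key), -1):
            seen[key] = label
    return sorted((h, p, l) for (h, p), l in seen.items() if l != "none")

def to_csv(rows):
    """Render findings as CSV, the report format the article says the scanner emits."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "path", "finding"])
    writer.writerows(rows)
    return buf.getvalue()
```

An "exposed" row here means only what the article says a scanner hit means: the endpoint is reachable and processing action requests, not that it is confirmed vulnerable.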

For security professionals, a positive result from this scanner indicates that the endpoint is reachable and processing potentially dangerous input.

The tool’s documentation notes that if the scanner flags a target, further manual validation is required to prove RCE. This would involve enumerating or fuzzing the Webpack Module ID (often integers between 1 and 5000 in production) or analyzing client-side assets like webpack-runtime.js to map valid IDs to potential gadgets.

The tool is designed for ease of use and integration into existing workflows. It supports single-target scanning via command line arguments as well as bulk scanning through list input, outputting results to a CSV file for reporting. Prerequisites for running the tool are minimal, requiring only Python 3 and standard library dependencies.

This release provides a crucial capability for organizations running Next.js applications, allowing them to audit their exposure to CVE-2025-55182 effectively before attackers can reverse-engineer production builds to craft working exploits.
