npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

react2shell-guard

v1.1.1

Published

Security scanner for CVE-2025-55182 - Critical React Server Components RCE vulnerability. Scan lockfiles, SBOMs, Docker images, and live URLs.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gensecaidevgensecaidev

Keywords

securityvulnerabilityscannerreactnextjsrscreact-server-componentscve-2025-55182cvercemcpsbomcyclonedxsarifdockercontainervercelgithub-actionspre-commitsecurity-scannerdevsecops

Readme

react2shell-guard

Security scanner for CVE-2025-55182 - a critical (CVSS 10.0) unauthenticated Remote Code Execution vulnerability in React Server Components.

⚠️ DISCLAIMER

This is a security scanner, NOT an exploit tool. It is designed to help developers and security teams identify vulnerable dependencies in their projects.

This is a community-driven open source project provided "AS IS" without warranty of any kind, express or implied. The authors and contributors are not responsible for any damages or security incidents arising from the use of this tool.

Use at your own risk and responsibility. Always verify findings manually and follow your organization's security policies. If you discover any issues, bugs, or have suggestions, please contribute back to help improve the project for everyone.

🤝 CONTRIBUTORS WANTED

This project is actively looking for testers and contributors! Whether you want to report bugs, suggest features, improve documentation, or submit code - all contributions are welcome. Check out our Contributing Guide to get started.

Acknowledgments

This project exists to help the community respond to CVE-2025-55182. We acknowledge and thank:

  • Lachlan Davidson (react2shell.com) - For discovering and responsibly disclosing the React Server Components vulnerability (CVE-2025-55182) on November 29th, 2025. The security community owes him gratitude for his diligence in identifying this critical flaw and working with the React and Next.js teams to ensure patches were available. His efforts have helped protect countless applications and users worldwide. See his original PoC for technical details.

Quick Start

1. Instant Scan (No Installation)

The fastest way to check if your project is vulnerable:

npx react2shell-guard .

That's it! This will scan your current directory and show results immediately.

2. Scan a Specific Project

npx react2shell-guard /path/to/your/project

3. Auto-Fix Vulnerabilities

Found vulnerabilities? Fix them automatically:

# Preview what will be changed
npx react2shell-guard fix --dry-run

# Apply fixes
npx react2shell-guard fix

# Apply fixes and reinstall dependencies
npx react2shell-guard fix --install

4. Scan Live URLs

Check if a deployed application is vulnerable:

npx react2shell-guard scan-url https://your-app.com

5. Verify Patch Was Applied

Confirm your deployed fix is working:

npx react2shell-guard verify-patch https://your-app.com

6. Scan Container Images

Check if your Docker images contain vulnerable packages:

npx react2shell-guard scan-image myapp:latest

7. Create Fix PR (GitHub)

Automatically create a GitHub PR to fix vulnerabilities:

npx react2shell-guard create-pr --dry-run  # Preview
npx react2shell-guard create-pr            # Create PR

What is CVE-2025-55182?

On November 29th, 2025, security researcher Lachlan Davidson discovered and responsibly disclosed a critical vulnerability in React Server Components. The flaw exists in how React decodes payloads sent to React Server Function endpoints, allowing unauthenticated attackers to achieve remote code execution on affected servers without any user interaction.

CVE-2025-55182 is rated CVSS 10.0 (Critical) and affects React Server Components (RSC) and frameworks using the RSC "Flight" protocol.

Affected Packages:

  • react-server-dom-webpack 19.0.0, 19.1.0-19.1.1, 19.2.0
  • react-server-dom-parcel (same versions)
  • react-server-dom-turbopack (same versions)
  • next 15.0.0-15.0.4, 15.1.0-15.1.8, 15.2.0-15.2.5, 15.3.0-15.3.5, 15.4.0-15.4.7, 15.5.0-15.5.6, 16.0.0-16.0.6

More Information:

Installation (Optional)

For frequent use, install globally:

npm install -g react2shell-guard

Then use without npx:

react2shell-guard .

Usage Guide

Basic Scanning

# Scan current directory
react2shell-guard .

# Scan specific directory
react2shell-guard /path/to/project

# Scan and ignore certain paths
react2shell-guard . --ignore-path "examples/**" "test/**"

Output Formats

# Human-readable text (default)
react2shell-guard .

# JSON output (for scripting)
react2shell-guard . --json

# SARIF output (for GitHub Security tab)
react2shell-guard . --sarif

# HTML report (standalone, shareable)
react2shell-guard . --html report.html

CLI Options

| Option | Description | |--------|-------------| | --json | Output results as JSON | | --sarif | Output results as SARIF 2.1.0 | | --html <file> | Generate standalone HTML report | | --no-exit-on-vuln | Don't exit with code 1 when vulnerabilities found | | --ignore-path <patterns> | Paths to ignore (e.g., examples/**) | | --debug | Enable debug output |

Exit Codes

| Code | Meaning | |------|---------| | 0 | No vulnerabilities found | | 1 | Vulnerabilities detected | | 2+ | Fatal error |

Live URL Scanning

Scan live endpoints to detect if they are vulnerable:

# Scan a single URL
react2shell-guard scan-url https://example.com

# Batch scan from a file (one URL per line)
react2shell-guard scan-url urls.txt --list

# With options
react2shell-guard scan-url https://example.com --timeout 5000 --json

How Live URL Scanning Works

The scanner uses passive fingerprinting to detect vulnerable React Server Components endpoints without exploiting the vulnerability:

  1. Probe Request: Sends a crafted POST request simulating an RSC Server Action call with a minimal payload:

    • Uses multipart/form-data content type with RSC-like data structure
    • Includes Next-Action header to trigger Server Action processing

  2. Response Analysis: Analyzes the HTTP response for vulnerability signatures:

    • Checks for HTTP 500 status code (error response)
    • Matches response body against RSC Flight protocol error patterns:
      • ^[0-9]+:E{ - RSC Flight protocol error format
      • "digest":"...RSC - RSC digest in error responses
      • ReactServerComponentsError - React error class names
      • text/x-component.*error - Component error content type

  3. Non-Destructive: This is purely a detection mechanism - it does not execute any malicious payload or exploit the vulnerability. The probe uses benign data that triggers error responses on vulnerable servers but causes no harm.

Note: A positive detection means the server is running a vulnerable version and returned an RSC-specific error signature. It does NOT mean the server was exploited.

URL Scanner Options

| Option | Description | |--------|-------------| | --list | Treat target as a file containing URLs | | --threads <n> | Number of concurrent threads (default: 10) | | --timeout <ms> | Request timeout in milliseconds (default: 10000) | | --json | Output results as JSON | | --skip-ssl-verify | Skip SSL certificate verification | | --verbose | Show all results including non-vulnerable hosts |

Patch Verification

Verify if a target has been patched against the vulnerability:

# Verify patch status (runs multiple scans for accuracy)
react2shell-guard verify-patch https://example.com

# With JSON output
react2shell-guard verify-patch https://example.com --json

How Patch Verification Works

Patch verification performs multiple consecutive scans (default: 3) with brief delays between them to ensure accurate detection:

  1. Multiple Probes: Runs the same passive fingerprinting check 3 times with 500ms delays
  2. Confidence Scoring:
    • High confidence: 2+ successful scans with consistent results
    • Medium confidence: 1 successful scan with conclusive result
    • Low confidence: All scans failed or inconclusive results
  3. Result Classification:
    • PATCHED: No vulnerability signatures detected across all successful scans
    • VULNERABLE: Vulnerability signature detected in one or more scans
    • Inconclusive: Mixed results or all scans failed

This multi-scan approach reduces false positives from transient network issues and provides higher confidence in the patch status.

Verification Options

| Option | Description | |--------|-------------| | --timeout <ms> | Request timeout in milliseconds (default: 10000) | | --json | Output results as JSON | | --skip-ssl-verify | Skip SSL certificate verification |

Container Image Scanning

Scan Docker/OCI container images for vulnerable packages:

# Scan a local or remote image
react2shell-guard scan-image myapp:latest

# Scan from a registry
react2shell-guard scan-image registry.example.com/myapp:v1.0

# Skip pulling (use local image only)
react2shell-guard scan-image myapp:latest --skip-pull

# With JSON output
react2shell-guard scan-image myapp:latest --json

# With SARIF output
react2shell-guard scan-image myapp:latest --sarif

Container Scanner Options

| Option | Description | |--------|-------------| | --timeout <ms> | Operation timeout in milliseconds (default: 120000) | | --skip-pull | Skip pulling image from registry (use local only) | | --json | Output results as JSON | | --sarif | Output results as SARIF 2.1.0 | | --no-exit-on-vuln | Don't exit with code 1 when vulnerabilities found | | --debug | Enable debug output |

Requirements:

  • Docker must be installed and running
  • Sufficient disk space for image extraction

Vercel Deployment Integration

Block vulnerable deployments before they reach production:

# Run as part of your build command
react2shell-guard vercel-check

# In package.json
{
  "scripts": {
    "vercel-build": "react2shell-guard vercel-check && next build"
  }
}

# Or in vercel.json
{
  "buildCommand": "npx react2shell-guard vercel-check && npm run build"
}

Vercel Check Options

| Option | Description | |--------|-------------| | --no-fail | Warn but do not fail the build on vulnerabilities | | --ignore-path <patterns> | Paths to ignore (glob patterns) | | --debug | Enable debug output |

GitHub PR Automation

Automatically create a pull request to fix vulnerabilities:

# Preview what will be done
react2shell-guard create-pr --dry-run

# Create branch and PR
react2shell-guard create-pr

# Create branch but don't push/create PR
react2shell-guard create-pr --no-push

# Custom branch name
react2shell-guard create-pr --branch fix/security-update

Create PR Options

| Option | Description | |--------|-------------| | --branch <name> | Branch name for the fix (default: fix/cve-2025-55182) | | --dry-run | Show what would be done without making changes | | --no-push | Create branch and commits but do not push or create PR |

Requirements:

  • GitHub CLI (gh) must be installed and authenticated
  • Must be in a git repository with a remote

Example Output

react2shell-guard - CVE-2025-55182 Scanner
──────────────────────────────────────────────────

Scanned 1 project(s)

✗ my-app [VULNERABLE]
  Path: /path/to/my-app
  Framework: nextjs v15.2.1
  App Router: Yes (RSC enabled)

  Vulnerabilities found:
    - react-server-dom-webpack @ 19.1.0
      Upgrade to: 19.1.2
      Advisory: https://react.dev/blog/2025/12/03/...
    - next @ 15.2.1
      Upgrade to: 15.2.6
      Advisory: https://react.dev/blog/2025/12/03/...

──────────────────────────────────────────────────
VULNERABLE - Action required!
Upgrade affected packages to patched versions immediately.

GitHub Actions Integration

Note: We actively release new versions with improved detection patterns and fixes. Use @v1 for stable releases or @latest for the newest version.

GitHub Marketplace Action

The easiest way to integrate is using our official GitHub Action:

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan for CVE-2025-55182
        uses: gensecaihq/react2shell-scanner@v1
        with:
          path: '.'
          fail-on-vuln: true

Full-Featured Setup (SARIF + PR Comments)

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # For SARIF upload
      pull-requests: write      # For PR comments

    steps:
      - uses: actions/checkout@v4

      - name: Scan for CVE-2025-55182
        uses: gensecaihq/react2shell-scanner@v1
        with:
          path: '.'
          format: sarif
          fail-on-vuln: true
          upload-sarif: true        # Upload to GitHub Security tab
          add-pr-comment: true      # Comment on PRs with results
          ignore-paths: 'examples/**,test/fixtures/**'

Action Inputs

| Input | Description | Default | |-------|-------------|---------| | path | Path to scan | . | | scan-type | Type of scan: repo, sbom, container | repo | | format | Output format: text, json, sarif | text | | fail-on-vuln | Fail if vulnerabilities found | true | | upload-sarif | Upload SARIF to GitHub Security | false | | add-pr-comment | Add PR comment with results | false | | ignore-paths | Comma-separated paths to ignore | '' | | sbom-file | SBOM file path (when scan-type is sbom) | '' | | container-image | Docker image (when scan-type is container) | '' |

Action Outputs

| Output | Description | |--------|-------------| | vulnerable | Whether vulnerabilities were found (true/false) | | findings-count | Number of vulnerable packages | | scan-result | Full scan result (JSON format) | | sarif-file | Path to SARIF output file |

Scan Container Images

- name: Scan Docker image
  uses: gensecaihq/react2shell-scanner@v1
  with:
    scan-type: container
    container-image: myapp:latest

Scan SBOM Files

- name: Scan SBOM
  uses: gensecaihq/react2shell-scanner@v1
  with:
    scan-type: sbom
    sbom-file: sbom.json

Manual CLI Usage

If you prefer to use the CLI directly:

- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: '20'

- name: Scan for vulnerabilities
  run: npx react2shell-guard@latest .

Supported Package Managers

react2shell-guard automatically detects and parses lockfiles from:

  • npm - package-lock.json (v2 and v3 formats)
  • pnpm - pnpm-lock.yaml
  • yarn - yarn.lock (Classic and Berry formats)

Features

  • Fast scanning - Analyzes lockfiles directly, no need to install dependencies
  • Monorepo support - Automatically discovers and scans all projects
  • Framework detection - Identifies Next.js and App Router usage
  • Multiple output formats - Text, JSON, SARIF, and HTML reports
  • CI/CD ready - Exit codes and GitHub Actions integration
  • Zero network calls - Works completely offline
  • Auto-fix - Automatically update vulnerable dependencies
  • Pre-commit hooks - Block commits with vulnerable dependencies
  • SBOM scanning - Scan CycloneDX SBOM files
  • MCP integration - AI assistant support via Model Context Protocol
  • Runtime protection - Express.js/Next.js middleware for defense-in-depth
  • Live URL scanning - Scan deployed applications for vulnerabilities
  • Container scanning - Scan Docker/OCI images for vulnerable packages
  • Vercel integration - Block vulnerable deployments before production
  • GitHub PR automation - Auto-create fix PRs with one command

Auto-Fix Vulnerabilities

Automatically update your package.json to use patched versions:

# Preview changes (dry run)
react2shell-guard fix --dry-run

# Apply fixes
react2shell-guard fix

# Apply fixes and run npm/pnpm/yarn install
react2shell-guard fix --install

Pre-Commit Hooks

Install git hooks to prevent committing vulnerable dependencies:

# Auto-detect hook framework and install
react2shell-guard init-hooks

# Preview what would be installed
react2shell-guard init-hooks --dry-run

# Force specific hook type
react2shell-guard init-hooks --hook-type husky
react2shell-guard init-hooks --hook-type lefthook
react2shell-guard init-hooks --hook-type standalone

Supported hook frameworks:

  • Husky - Appends to .husky/pre-commit
  • Lefthook - Creates/updates lefthook.yml
  • Standalone - Creates .git/hooks/pre-commit

The hook will block commits when package.json contains vulnerable dependencies and suggest running react2shell-guard fix to remediate.

SBOM Scanning

Scan CycloneDX SBOM files for vulnerabilities:

# Scan a CycloneDX SBOM
react2shell-guard scan-sbom bom.json

# With JSON output
react2shell-guard scan-sbom bom.json --json

# With SARIF output
react2shell-guard scan-sbom bom.json --sarif

MCP Server (AI Assistant Integration)

Start the Model Context Protocol server for AI assistant integration:

react2shell-guard mcp-server

Available MCP tools:

  • scan_repo - Scan a repository for vulnerabilities
  • scan_sbom - Scan a CycloneDX SBOM file

Configure with MCP-compatible clients (example configuration):

{
  "mcpServers": {
    "react2shell-guard": {
      "command": "npx",
      "args": ["react2shell-guard", "mcp-server"]
    }
  }
}

Runtime Protection Middleware

Defense-in-depth middleware that detects and blocks CVE-2025-55182 exploit attempts at runtime.

Express.js

import express from 'express';
import { createExpressMiddleware } from 'react2shell-guard/middleware';

const app = express();

// Add raw body parser for RSC payloads
app.use(express.raw({ type: 'text/x-component' }));
app.use(express.json());

// Add protection middleware
app.use(createExpressMiddleware({
  action: 'block',  // 'block' | 'log' | 'alert'
  onAlert: (result, req) => {
    // Send to your alerting system (Slack, PagerDuty, etc.)
    console.error('CVE-2025-55182 exploit attempt:', result);
  },
  skipPaths: ['/health', '/metrics'],
}));

Next.js

// middleware.ts
import { withReact2ShellGuard } from 'react2shell-guard/middleware';

export const middleware = withReact2ShellGuard({
  action: 'block',
  rscEndpointsOnly: true,  // Only check RSC endpoints (recommended)
});

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};

Detected patterns:

  • Serialized function injection
  • Prototype pollution attempts
  • Malformed module references
  • Server action tampering
  • Encoded malicious payloads
  • RSC streaming format abuse

API Usage

import { scan } from 'react2shell-guard';

const result = scan({
  path: '/path/to/project',
  ignorePaths: ['examples/**'],
  debug: false,
});

console.log(result.vulnerable); // boolean
console.log(result.projects);   // ProjectResult[]

JSON Output Schema

{
  "cve": "CVE-2025-55182",
  "vulnerable": true,
  "scanTime": "2025-12-04T10:30:00Z",
  "projects": [
    {
      "name": "my-app",
      "path": "/path/to/my-app",
      "framework": {
        "type": "nextjs",
        "version": "15.2.1",
        "appRouterDetected": true
      },
      "findings": [
        {
          "package": "react-server-dom-webpack",
          "currentVersion": "19.1.0",
          "fixedVersion": "19.1.2",
          "severity": "critical",
          "advisoryUrl": "https://..."
        }
      ],
      "vulnerable": true
    }
  ],
  "errors": []
}

Remediation

Automatic fix (recommended):

react2shell-guard fix --install

Manual upgrade - React packages:

npm install [email protected]  # or 19.0.1, 19.2.1

Manual upgrade - Next.js:

npm install [email protected]  # or other patched version for your release line

Fixed Next.js versions by release line:

  • 15.0.x → 15.0.5
  • 15.1.x → 15.1.9
  • 15.2.x → 15.2.6
  • 15.3.x → 15.3.6
  • 15.4.x → 15.4.8
  • 15.5.x → 15.5.7
  • 16.0.x → 16.0.7

Development

# Install dependencies
npm install

# Build
npm run build

# Run tests
npm test

# Run in development mode
npm run dev

License

MIT