How To Detect React2Shell Using Burp Suite (RCE CVSS 10.0)

React2shell vulnerability detection

Last week, we reported that an unauthenticated RCE had been found in React Server Components and Next.js (CVE-2025-55182 / CVE-2025-66478).

These are a set of critical vulnerabilities that allow unauthenticated Remote Code Execution (RCE). Given their severity (CVSS 10.0), security teams must prioritize validating their exposure.

Fortunately, security professionals can quickly and reliably detect React2Shell in Next.js applications using the industry-standard penetration testing tool, Burp Suite.

The following outlines the critical information about the vulnerability and the essential steps for immediate detection using Burp Suite Professional and Burp Suite DAST.

What is the React2Shell Vulnerability? (The Core Issue)

The React2Shell vulnerabilities (tracked as CVE-2025-55182 and CVE-2025-66478) are a pair of critical flaws allowing an attacker to achieve unauthenticated Remote Code Execution (RCE) with a maximum CVSS score of 10.0.

Key Impacts:

  • RCE Risk: A successful exploit allows attackers to execute arbitrary code on the affected server.
  • Widespread Impact: It primarily affects applications built with React and Next.js that utilize React Server Components. Since these frameworks underpin a huge number of modern web applications, the exposure is massive.
  • High Priority Incident: The vulnerability is expected to follow a similar, rapid weaponization trajectory to the infamous Log4j flaw, making immediate action mandatory for all security teams.
  • Silent Vulnerability: Crucially, an application may be vulnerable even if it does not explicitly call server actions, as long as it supports React server components.

Key Points for React2Shell Detection with Burp Suite

Burp Suite offers two primary methods for detecting React2Shell, catering to both hands-on penetration testing and large-scale, automated enterprise scanning.

Tool                    | Purpose                                                              | Detection Method
Burp Suite Professional | Manual investigation, validation, and targeted testing.              | ActiveScan++ or custom Bambda scan check.
Burp Suite DAST         | Continuous, automated coverage across multiple applications at scale. | ActiveScan++ integration.

1. Automated Detection: Use ActiveScan++ (v2.0.8)

The recommended and simplest method is leveraging the updated ActiveScan++ extension, which includes a dedicated, automated check for React2Shell.

How to Detect the React2Shell Vulnerability

  • Integrated Coverage: Once installed and active, this extension adds React2Shell coverage directly into your existing manual or automated Burp workflow.
  • Automatic Scanning: The dedicated check runs automatically as part of your active scanning process, providing instant visibility and triage for suspected Next.js targets (which utilize React server components).
  • Compatibility: This method is available in both Burp Suite Professional and Burp Suite DAST starting with version v2.0.8 of the extension.

ActiveScan++ extends active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behavior that may be of interest to advanced testers.

Features

  • Detects potential host header attacks, including password reset poisoning, cache poisoning, and DNS rebinding
  • Identifies Edge Side Includes and XML input handling vulnerabilities
  • Discovers suspicious input transformations such as expression evaluation (7*7 → '49') and character escaping (\x41\x41 → 'AA')
  • Detects blind code injection via expression language, Ruby’s open(), and Perl’s open()
  • Checks for specific CVEs including Shellshock (CVE-2014-6271, CVE-2014-6278), Struts vulnerabilities (CVE-2017-5638, CVE-2018-11776), Solr injection (CVE-2017-12629), Log4Shell (CVE-2021-44228), Rails file disclosure (CVE-2019-5418), and React2Shell (CVE-2025-55182, CVE-2025-66478)
  • Identifies unicode processing issues that may bypass character blocklists
  • Triggers passive scanner checks during active scanning to discover issues that only appear during fuzzing
  • Provides insertion points for HTTP basic authentication testing

Usage

  1. Run a standard active scan on your target
  2. The extension automatically performs all configured checks during the scan
  3. Review discovered issues in the scan results

2. Targeted Detection: Custom Scan Check (Bambda)

For security professionals who require focused, on-demand testing against specific components or endpoints, a community-created Bambda script can be imported and utilized in Burp Suite Professional.

When to Use It:

Validation: Quickly validating a suspected vulnerable application.

Reproduction: Probing specific components to reproduce reported behavior or conduct deeper manual investigation.

Steps in Burp Suite Professional:

  1. Download the community-created React2Shell Bambda script.
  2. In Burp Suite Professional, navigate to Extensions > Bambda library.
  3. Click Import and load the downloaded .bambda file.
  4. Run the custom scan check against your target endpoint.

Scaling Detection Across the Enterprise (Burp Suite DAST)

If your organization manages a large estate of Next.js applications, Burp Suite DAST (Dynamic Application Security Testing) is the most efficient solution for continuous monitoring.

By integrating the updated ActiveScan++ (v2.0.8) into Burp Suite DAST, security teams can achieve:

  • Continuous Coverage: Run automated scans on a schedule or integrate them directly into CI/CD pipelines.
  • Scale: Validate React2Shell exposure across numerous applications simultaneously.
  • Centralized Results: Deliver results centrally to your AppSec team for streamlined prioritization and remediation.
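As an added example (not code from this article, from PortSwigger or from the ActiveScan++ project) of the "review discovered issues" and "centralized results" steps above: a small Python helper that parses a Burp Suite XML issue export, keeps only the React2Shell findings, and groups them per host with the strongest evidence first so an AppSec team can prioritize remediation. The export layout and the issue name are assumptions, and the sample report is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a Burp Suite XML issue export (assumed layout).
# The issue name is assumed; matching is done on the CVE ids and the "React2Shell" label.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<issues burpVersion="placeholder" exportTime="placeholder">
  <issue><serialNumber>1</serialNumber><name>React2Shell (CVE-2025-55182 / CVE-2025-66478)</name>
    <host ip="203.0.113.10">https://shop.example.test</host><path>/</path>
    <severity>High</severity><confidence>Certain</confidence></issue>
  <issue><serialNumber>2</serialNumber><name>React2Shell (CVE-2025-55182 / CVE-2025-66478)</name>
    <host ip="203.0.113.10">https://shop.example.test</host><path>/account</path>
    <severity>High</severity><confidence>Tentative</confidence></issue>
  <issue><serialNumber>3</serialNumber><name>React2Shell (CVE-2025-55182 / CVE-2025-66478)</name>
    <host ip="203.0.113.11">https://blog.example.test</host><path>/</path>
    <severity>High</severity><confidence>Firm</confidence></issue>
  <issue><serialNumber>4</serialNumber><name>Strict transport security not enforced</name>
    <host ip="203.0.113.11">https://blog.example.test</host><path>/</path>
    <severity>Low</severity><confidence>Certain</confidence></issue>
</issues>
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 3, "Firm": 2, "Tentative": 1}
REACT2SHELL_MARKERS = ("react2shell", "cve-2025-55182", "cve-2025-66478")

def parse_issues(xml_text):
    """Flatten each <issue> element into a dict of the fields triage needs."""
    root = ET.fromstring(xml_text)
    fields = ("serialNumber", "name", "host", "path", "severity", "confidence")
    return [{f: (issue.findtext(f) or "").strip() for f in fields}
            for issue in root.findall("issue")]

def react2shell_by_host(xml_text):
    """Keep only React2Shell findings, grouped per host, strongest evidence first."""
    by_host = defaultdict(list)
    for issue in parse_issues(xml_text):
        if any(m in issue["name"].lower() for m in REACT2SHELL_MARKERS):
            by_host[issue["host"]].append(issue)
    for items in by_host.values():
        items.sort(key=lambda i: (SEVERITY_RANK.get(i["severity"], 0),
                                  CONFIDENCE_RANK.get(i["confidence"], 0)), reverse=True)
    return dict(by_host)

def summary_lines(grouped):
    """One line per affected host, suitable for a CI log or a ticket body."""
    return [f"{host}: {len(items)} finding(s), best confidence {items[0]['confidence']}"
            for host, items in sorted(grouped.items())]
```

Feed it the XML produced by Burp's "Report issues" export (or a DAST export in the same shape) and post the summary lines to the central tracker your AppSec team uses.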

Call to Action and Related Guidance

Given the CVSS 10.0 severity, React2Shell should be treated as a high-priority incident requiring immediate attention.

Update Immediately: Ensure you install or update to ActiveScan++ v2.0.8 in whichever Burp Suite product you use.

Prioritize Next.js: Current automated detection logic primarily focuses on Next.js applications using React Server Components.

Manual Testing: For applications built on other React frameworks, manual investigation and bespoke testing may still be necessary until broader detection techniques are released.
