A high-fidelity Burp Suite extension that detects the Next.js / React Server Components (RSC) remote code execution vulnerability (CVE-2025-55182 and CVE-2025-66478).

This extension implements the detection logic discovered by the Searchlight Cyber Security Research Team. It sends a specific malformed multipart request that makes the server dereference a property on an undefined object while decoding the RSC stream; the resulting crash is what the extension looks for in the response.
## Vulnerability Details

- CVE IDs: CVE-2025-55182, CVE-2025-66478
- Severity: High / Critical
- Affected Software: Next.js (default App Router configurations)
- Root Cause: Improper handling of colon-delimited property access in `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` leads to a server crash (and potential RCE) when processing malicious multipart streams.
## Features

- High Fidelity: Flags a target only when the specific RSC error signature (`E{"digest"`) appears in the body of a response with a 500 status code, which keeps false positives to a minimum.
- Active Scanning: Integrates directly into Burp's Active Scanner.
- Manual Scanning: Right-click any request to explicitly scan for this vulnerability.
- Rich Reporting: Detailed issue dashboard entries with HTML formatting, references, and remediation steps.
- Safe Payload: Uses a detection-only payload that triggers a crash/error without executing harmful code.
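The detection rule above (a 500 status plus the `E{"digest"` marker) is easy to get wrong when working from raw bytes, because an RSC stream is written incrementally and over HTTP/1.1 usually arrives with chunked transfer encoding, so the marker can straddle a chunk boundary. The following Python is an added example and not the extension's own code: it parses a raw HTTP/1.x response, de-chunks the body, and applies the same two-part rule, rejecting a generic 500 and a handled RSC error that is served with a 200. The sample responses are constructed for illustration, and the malformed multipart probe itself is not reproduced here.

```python
"""Classifier for the 500 + E{"digest" rule used by the extension.

Added example, not the extension's code. Sample responses below are
constructed for illustration; no request payload is included.
"""
from dataclasses import dataclass

# Error-chunk prefix the extension looks for in the RSC stream.
RSC_ERROR_MARKER = b'E{"digest"'


@dataclass
class Verdict:
    status: int
    marker_found: bool
    vulnerable: bool
    reason: str


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body into plain bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break  # last chunk; trailers, if any, are ignored
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    return bytes(out)


def parse_raw_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Split a raw HTTP/1.x response into (status, headers, decoded body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def classify_parts(status: int, body: bytes) -> Verdict:
    """Apply the 500 + E{"digest" rule to an already-separated status and body."""
    found = RSC_ERROR_MARKER in body
    if status == 500 and found:
        return Verdict(status, found, True, "500 with RSC error signature")
    if status == 500:
        return Verdict(status, found, False, "500 without RSC error signature (generic server error)")
    if found:
        return Verdict(status, found, False, "RSC error signature without 500 (not the crash path)")
    return Verdict(status, found, False, "no indicators")


def classify(raw: bytes) -> Verdict:
    """Classify a raw response exactly as read from a socket."""
    status, _headers, body = parse_raw_response(raw)
    return classify_parts(status, body)


def _chunked(*parts: bytes) -> bytes:
    """Encode parts as a chunked body (used only to build the samples)."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


# Constructed samples, not captured from a real server. In SAMPLE_CRASH the
# marker is deliberately split across two chunks, so a substring search on
# the undecoded body would miss it.
_RSC_500 = b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/x-component\r\n"
SAMPLE_CRASH = _RSC_500 + b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(
    b'0:E{"dig', b'est":"0123456789abcdef"}\n')
SAMPLE_GENERIC_500 = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n"
                      b"Content-Length: 21\r\n\r\nInternal Server Error")
SAMPLE_200_WITH_MARKER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/x-component\r\n"
                          b"Transfer-Encoding: chunked\r\n\r\n"
                          + _chunked(b'0:E{"digest":"handled-error"}\n'))


if __name__ == "__main__":
    for name, raw in [("crash", SAMPLE_CRASH), ("generic 500", SAMPLE_GENERIC_500),
                      ("200 with marker", SAMPLE_200_WITH_MARKER)]:
        v = classify(raw)
        print(f"{name:16} vulnerable={v.vulnerable!s:5} {v.reason}")
```

Inside Burp the status code and body are already separated, so `classify_parts` is the shape the extension's check takes; `classify` is for the case where you replay the probe outside Burp (for example with a raw socket) and need to handle chunking yourself.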
## Installation

1. Download the latest JAR file from the Releases page (or build it yourself).
2. Open Burp Suite.
3. Navigate to Extensions > Installed.
4. Click Add.
5. Select Extension type: Java.
6. Select the `NextJsRceScanner-1.0-SNAPSHOT.jar` file.
## Usage

1. Navigate to a target Next.js application in Burp Suite.
2. Right-click on any request (e.g., `GET /`) in the Proxy History or Repeater.
3. Select Extensions > Next.js RSC RCE Scanner > Scan.
4. Check the Dashboard or Target tab for issues.

If the target is vulnerable, a High severity issue labeled "Next.js RSC Remote Code Execution (CVE-2025-55182)" will appear.
## Building from Source

To build this project, you need Java JDK 21+.

1. Clone the repository:

   ```bash
   git clone https://github.com/tobiasGuta/Next.js-RSC-RCE-Scanner-Burp-Suite-Extension.git
   cd Next.js-RSC-RCE-Scanner-Burp-Suite-Extension
   ```

2. Build with Gradle:

   ```bash
   # Linux/Mac
   ./gradlew clean build

   # Windows
   gradlew.bat clean build
   ```

3. Locate the JAR. The compiled extension will be at:

   `build/libs/NextJsRceScanner-1.0-SNAPSHOT.jar`
## Demo

Demo recording: Screen.Recording.2025-12-04.144913.mp4
## Disclaimer

This tool is for educational purposes and authorized security testing only. Do not use this tool on systems you do not have explicit permission to test. The authors are not responsible for any misuse or damage caused by this tool.