Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The repository provides a Burp Suite extension called Next.js RSC RCE Scanner, a high-fidelity active scanner for detecting Next.js / React Server Components (RSC) Remote Code Execution vulnerabilities CVE-2025-55182 and CVE-2025-66478 in default App Router configurations.


How the underlying vulnerability works
Next.js uses React Server Components (RSC), which are streamed over the network an...

🔧 Technical Details

RSC error-signature based detection for Next.js RCE (CVE-2025-55182 & CVE-2025-66478)
The core hacking trick is to detect RCE-prone React Server Components (RSC) bugs in Next.js by abusing the way RSC parsers (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) handle colon-delimited property access inside streamed RSC data. An attacker (or scanner) sends a multipart HTTP request carrying an RSC stream crafted so that the parser performs a property lookup on an undefined object. This reliably causes an internal RSC parsing error, leading to a 500 HTTP response and an RSC error frame in the body beginning with E{"digest". By programmatically injecting this malformed RSC multipart payload into endpoints and then checking responses for the combined signature status == 500 and body containing E{"digest...

🤖 Agent Actions

Summary:

  • Expanded src/network-services-pentesting/pentesting-web/nextjs.md with a dedicated subsection on high-fidelity detection of the Next.js/React Server Components colon-delimited crash that underpins CVE-2025-55182/66478. The new content explains the crafted multipart Flight payload, outlines the 500 + E{"digest" response signature, and details how the Burp-based Next.js RSC RCE Scanner automates both active and manual scans while remaining a “detection-only” payload.
  • Added practical guidance on installing/building the scanner JAR, integrating it into Burp workflows, and cautions about authorized use.
  • Updated the references list to include the scanner repository and the official Next.js security advisory supporting the new material.

Tests: Not run (not requested).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
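The signature described in the Technical Details above (HTTP 500 plus an RSC error frame beginning with `E{"digest"`) is what separates the RSC parser crash from an ordinary server error. The following Python is an added example, not code from the scanner repository or from HackTricks: it parses raw HTTP responses (constructed samples, embedded inline) and reports whether each one carries that signature, so a reviewer triaging proxy or scanner output can confirm hits and discard generic 500s. The `text/x-component` content type and the row-prefixed `N:E{...}` frame form are assumptions about how Flight responses are typically shaped; the classifier accepts both the bare and the row-prefixed frame.

```python
"""Classify HTTP responses for the Next.js RSC parser-crash signature.

Added example (not the scanner's or HackTricks' own code). The signature
checked here comes from the PR text: status 500 and a body containing an
RSC error frame that begins with E{"digest". All sample responses below
are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches either a bare frame `E{"digest"...}` or a row-prefixed `12:E{"digest"...}`
# (row prefixes are an assumption about Flight stream layout, not from the PR).
RSC_ERROR_FRAME = re.compile(r'(?m)^(?:\d+:)?E(\{"digest".*)$')


@dataclass
class RscSignatureResult:
    matched: bool          # True only for 500 + E{"digest" frame
    status: int
    digest: Optional[str]  # parsed from the frame JSON when possible
    reason: str


def parse_raw_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> RscSignatureResult:
    """Apply the combined signature: status == 500 AND an E{"digest" frame."""
    status, _headers, body = parse_raw_http_response(raw)
    if status != 500:
        return RscSignatureResult(False, status, None, "status is not 500")
    text = body.decode("utf-8", errors="replace")
    match = RSC_ERROR_FRAME.search(text)
    if not match:
        # A generic 500 (HTML error page, plain text) is not the RSC signature.
        return RscSignatureResult(False, status, None, 'no E{"digest" frame in body')
    digest = None
    try:
        digest = json.loads(match.group(1)).get("digest")
    except json.JSONDecodeError:
        pass  # frame present but JSON incomplete; still counts as a hit
    return RscSignatureResult(True, status, digest, "500 + RSC error frame")


def triage(responses: Dict[str, bytes]) -> List[str]:
    """Return the names of responses that carry the RSC crash signature."""
    return [name for name, raw in responses.items() if classify(raw).matched]


# Constructed sample responses (not captured from any real host).
SAMPLE_CRASH = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/x-component\r\n\r\n"
    b'E{"digest":"CONSTRUCTED_DIGEST_123","message":"An error occurred in the Server Components render."}\n'
)
SAMPLE_ROW_PREFIXED_CRASH = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/x-component\r\n\r\n"
    b'0:{"a":"$@1"}\n1:E{"digest":"CONSTRUCTED_DIGEST_456"}\n'
)
SAMPLE_GENERIC_500 = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Internal Server Error</body></html>"
)
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/x-component\r\n\r\n"
    b'0:["$","div",null,{}]\n'
)

SAMPLES = {
    "crash": SAMPLE_CRASH,
    "crash_row_prefixed": SAMPLE_ROW_PREFIXED_CRASH,
    "generic_500": SAMPLE_GENERIC_500,
    "ok": SAMPLE_OK,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = classify(raw)
        print(f"{name:20} matched={result.matched} status={result.status} "
              f"digest={result.digest} ({result.reason})")
```

Requiring both halves of the signature matters: a framework 500 with an HTML body, or a 200 that happens to contain the word `digest`, must not be reported, and keeping the parsed digest lets a reviewer correlate a hit with the application's own server-side error logs.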

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/tobiasGuta/Next.js-RSC-RCE-Scanner-Burp-Suite-Extension

Content Categories: Based on the analysis, this content was categorized under "network-services-pentesting/pentesting-web/nextjs-or-react-rsc-rce-detection (new subsection under 80,443 - Pentesting Web Methodology for Next.js / React Server Components)".

Repository Maintenance:

  • MD Files Formatting: 915 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
