RSC Infra Scanner

rsc_infra_scan.py is a fast, asynchronous Python tool that fingerprints domains for likely Next.js App Router / React Server Components (RSC) infrastructure.

It does not exploit any vulnerabilities.
It only performs passive HTTP/HTML/header fingerprinting to help you identify targets that might be in the affected technology family (e.g. for RSC‑related CVEs).

Target Vulnerabilities

This scanner is designed to help identify infrastructure that MAY be vulnerable to:

• CVE-2025-55182 — Critical Remote Code Execution (RCE) vulnerability in React Server Components due to unsafe deserialization. This vulnerability allows pre-authentication remote code execution.
• CVE-2025-66478 — Initially assigned to Next.js but marked as a duplicate of CVE-2025-55182.

Affected Versions

• React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
• Next.js: 15.x and 16.x using the App Router

Important: This tool only identifies infrastructure that appears to use Next.js App Router / RSC technology. It does not verify if a specific CVE is exploitable or if the target is running a vulnerable version. Always verify vulnerability status through proper security testing and vendor advisories.

---

Features

• Scans a list of domains concurrently using aiohttp.
• Detects heuristics for:
  • window.__next_f (Next.js App Router / RSC runtime)
  • react-server-dom-webpack
  • id="__next" container
  • x-nextjs-* response headers
  • Content-Type: text/x-component
• Assigns a 0–100 score per domain.
• Prints a CSV‑like summary with:
  • A green [+] mark for “likely RSC / Next.js infra” (score ≥ 50).
  • A red [-] mark for “unlikely / not detected” or errors.
• Uses HTTPS by default, with HTTP fallback if there is an SSL issue.

This tool is intended for research and defensive security testing. Do not use it on systems you are not authorized to test.

---

Installation

1. Clone or download this repository.

2. Install Python dependencies:

   pip install aiohttp

3. Ensure you have Python 3.8+.

---

Configuration

Create a List.txt file in the same directory as rsc_infra_scan.py.

• One domain or URL per line.
• # at the beginning of a line is treated as a comment.
• You can mix bare domains and full URLs.

Example List.txt:

# Example targets
example.com
https://subdomain.example.org
nextjs-demo.vercel.app

---

Usage

Run the scanner from the directory containing rsc_infra_scan.py and List.txt:

python rsc_infra_scan.py

The script will:

• Read List.txt.
• De-duplicate domains.
• Probe each target concurrently.
• Print a CSV‑like table to stdout.

---

Output Format

Header:

domain,status,is_rsc_like,score,signals_or_error

Example rows:

example.com,[+],yes,75,HTML:(window|self)\.__next_f\s*=; HDR:x-nextjs-cache=HIT
legacy-site.org,[-],no,0,
bad-ssl.test,[-],ERROR,0,SSL: CERTIFICATE_VERIFY_FAILED

Where:

• status:
  • [+] (green in a terminal that supports ANSI) → likely using Next.js App Router / RSC‑style infra.
  • [-] (red) → no strong signals or an error.
• is_rsc_like:
  • yes when score >= 50.
  • no otherwise.
• score:
  • 0–100 heuristic score, based on HTML patterns and headers.
• signals_or_error:
  • Semi‑colon separated list of matched signals (e.g. HTML:..., HDR:...) or an error message.

---

How Detection Works (High Level)

The scanner sends a single GET request per target (with HTTP fallback if HTTPS fails) and inspects:

1. HTML body

   • window.__next_f → strong Next.js App Router / RSC indicator.
   • react-server-dom-webpack → RSC library reference.
   • id="__next" → generic Next.js root container.

2. Response headers

   • x-nextjs-cache
   • x-nextjs-matched-path
   • x-nextjs-page
   • x-nextjs-router-state-tree
   • Content-Type: text/x-component

Each signal contributes to the overall score. A score ≥ 50 means the domain is "RSC‑infra‑like".

Note: This is not a vulnerability scanner. It cannot tell you if a specific CVE (such as CVE-2025-55182 or CVE-2025-66478) is exploitable, only whether the stack looks like Next.js/RSC infrastructure that might be affected. Always verify actual vulnerability status through proper security testing and consult official vendor advisories.

---

Legal & Ethical Use

• Only scan systems that you:
  • Own yourself, or
  • Have explicit written permission to test.
• Do not treat heuristic detection as proof of vulnerability; always follow coordinated disclosure and patch guidance from vendors.

---

References

For more information about the vulnerabilities this tool helps identify:

• CVE-2025-55182: NIST NVD
• CVE-2025-66478: NIST NVD (marked as duplicate of CVE-2025-55182)
• React Security Advisory: Check the official React repository for security advisories
• Next.js Security Advisory: Check the official Next.js repository and Vercel Community for updates

---

Disclaimer

This project is provided for educational and research purposes only.

The author(s) are not responsible for any misuse or damage caused by this software.
You are solely responsible for complying with all applicable laws and regulations when using this tool.