A hybrid security scanner that combines static analysis of a codebase with dynamic validation of live endpoints for CVE-2025-55182. It is aimed at both developers (shift-left checks in the repository and CI) and security professionals (testing of running deployments).
- Static Analysis: Scans `package.json` and source code for vulnerable Next.js/Waku versions and dangerous RSC patterns.
- Dynamic Validation: Safely tests live endpoints for RSC vulnerability exposure without executing harmful payloads.
- Hybrid Mode: Combines static and dynamic checks for a comprehensive risk assessment.
- Reporting: Outputs detailed findings in JSON format and provides color-coded CLI feedback.
- CI/CD Ready: Supports non-interactive mode and exit codes for pipeline integration.
- Prerequisites: Python 3.8+
- Install dependencies: `pip install -r requirements.txt`
### Static Analysis (Codebase)

Scan a local project directory for vulnerable dependencies and code patterns.

```bash
python cve_2025_55182_scan.py --static /path/to/project
```

### Dynamic Analysis (Live Site)

Safely test a running application URL.

```bash
python cve_2025_55182_scan.py --dynamic http://localhost:3000
```

### Hybrid Scan

Combine static and dynamic results for a full report.

```bash
python cve_2025_55182_scan.py --hybrid /path/to/project --url http://localhost:3000
```

### CI/CD Pipeline Mode

Run in non-interactive mode and fail the build if Critical or High issues are found.

```bash
python cve_2025_55182_scan.py --ci --fail-on high --static .
```

- Static Module: Checks `dependencies` in `package.json` for vulnerable Next.js (< 14.1.1) and Waku versions. Scans `.js`/`.ts` files for `"use server"` directives, dynamic imports, and Flight protocol markers.
- Dynamic Module: Sends non-destructive Flight protocol payloads to detect whether the target parses RSC headers (`Next-Action`, `Next-Router-State-Tree`).
- Reporting: Generates `report.json` with a summary of findings and specific details for remediation.
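As an added, self-contained illustration (not the project's own scanner code) of the static module and the `--fail-on` gate described above: it parses `package.json`, flags a declared Next.js version below the 14.1.1 threshold this README quotes, scans `.js`/`.ts` sources for `"use server"` and dynamic `import()` markers, builds a `report.json`-style summary, and derives a CI exit code from a severity threshold. The severity levels, the finding identifiers and the `__next_f.push` Flight marker are my assumptions, not the project's, and the sample project it scans is constructed inline so the example runs offline.

```python
"""Added example: a minimal static check in the style this README describes.
Not the project's code; thresholds, severities and patterns are assumptions."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Threshold quoted from this README's description of the static module.
NEXT_FIXED = (14, 1, 1)
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed source patterns: a "use server" directive marks a server-action module,
# dynamic import() is flagged as review-worthy, and self.__next_f.push is the
# Flight bootstrap Next.js emits into HTML (assumption, not the project's list).
SOURCE_PATTERNS = {
    "use-server-directive": (re.compile(r"""^\s*(['"])use server\1""", re.M), "medium"),
    "dynamic-import": (re.compile(r"\bimport\s*\("), "low"),
    "flight-bootstrap": (re.compile(r"__next_f\.push"), "low"),
}
SOURCE_SUFFIXES = {".js", ".jsx", ".ts", ".tsx"}


def parse_version(spec: str):
    """Return (major, minor, patch) from a dependency spec such as '^14.0.4', or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    return tuple(int(x) for x in m.groups()) if m else None


def check_dependencies(package_json_text: str) -> List[Dict]:
    """Flag a declared Next.js version below NEXT_FIXED and any Waku dependency."""
    findings = []
    pkg = json.loads(package_json_text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    if "next" in deps:
        v = parse_version(deps["next"])
        if v is None:
            findings.append({"severity": "medium", "id": "next-version-unparsed", "detail": deps["next"]})
        elif v < NEXT_FIXED:
            # package.json only gives the declared lower bound; a ^ or ~ range may
            # install a patched release, so the lockfile is the authoritative source.
            findings.append({"severity": "critical", "id": "next-vulnerable-version", "detail": deps["next"]})
    if "waku" in deps:
        # The README states no Waku threshold, so this is only a review flag.
        findings.append({"severity": "medium", "id": "waku-review-version", "detail": deps["waku"]})
    return findings


def scan_sources(root: Path) -> List[Dict]:
    """Walk the project (skipping node_modules) and record pattern hits with line numbers."""
    findings = []
    for path in root.rglob("*"):
        if path.suffix not in SOURCE_SUFFIXES or "node_modules" in path.parts:
            continue
        text = path.read_text(errors="ignore")
        for name, (pattern, severity) in SOURCE_PATTERNS.items():
            for m in pattern.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append({"severity": severity, "id": name,
                                 "detail": f"{path.relative_to(root)}:{line}"})
    return findings


def scan_project(root: Path) -> Dict:
    """Combine dependency and source findings into a report.json-style structure."""
    manifest = root / "package.json"
    findings = check_dependencies(manifest.read_text()) if manifest.exists() else []
    findings += scan_sources(root)
    summary = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        summary[f["severity"]] += 1
    return {"target": str(root), "summary": summary, "findings": findings}


def exit_code(report: Dict, fail_on: str = "high") -> int:
    """Mirror a --fail-on gate: non-zero if any finding is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in report["findings"]) else 0


def demo_project() -> Path:
    """Constructed sample project (not real application code) so the scan runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"dependencies": {"next": "^14.0.4", "react": "18.2.0"}}))
    (root / "app").mkdir()
    (root / "app" / "actions.ts").write_text(
        '"use server"\n\n'
        "export async function save(data: FormData) {\n"
        '  const mod = await import("./store");\n'
        "  return mod.save(data);\n}\n")
    return root


if __name__ == "__main__":
    report = scan_project(demo_project())
    Path("report.json").write_text(json.dumps(report, indent=2))
    print(json.dumps(report["summary"]))
    raise SystemExit(exit_code(report, "high"))
```

Run stand-alone it writes `report.json` and exits 1, because the constructed manifest declares `next` below 14.1.1. The version check deliberately reads only the declared range; in a real pipeline, resolve the installed version from the lockfile before trusting a clean result.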
This tool is for educational and authorized security testing purposes only. Ensure you have permission before scanning any target.