Magazine Template

How to detect React2Shell with Burp Suite

December 5, 2025 - Two new critical vulnerabilities, collectively known as React2Shell (CVE-2025-55182 and CVE-2025-66478), are rapidly gaining traction in the security community.

Default scans in both versions of Burp Suite can now detect React2Shell in Next.js-based applications out of the box, with the option to include these checks in custom scan configurations as well. No extensions, no custom scan checks, and no scripts required, simply update and scan.

• Burp Suite Professional – for manual investigation and validation

• Burp Suite DAST – for continuous, automated coverage across many apps

This update to scan checks helps organizations and practitioners to quickly investigate and triage suspected Next.js (React server components) targets.

Please note, that if you have custom scans already configured, you may need to check the settings and add React2Shell scanning to the configuration.

What is React2Shell?

Two new critical vulnerabilities, collectively known as React2Shell (CVE-2025-55182 and CVE-2025-66478), are rapidly gaining traction in the security community. With a CVSS score of 10.0 and unauthenticated remote code execution, many expect a trajectory similar to Log4j, including rapid weaponisation by ransomware groups.

React2Shell affects React and Next.js applications and potentially other frameworks that use React server components.

Because these frameworks underpin a huge number of production apps, a successful exploit can lead to major compromise. For most teams, this should be treated as a high-priority incident.

Early proof-of-concept checks have mostly focused on detecting the presence of React server components. That is not enough to determine exploitability, and not all public PoCs are reliable.

Important: Even if your application does not explicitly call server actions, it may still be vulnerable, as long as it supports React server components.

PortSwigger's Immediate Response to React2Shell

On December 5, 2025, PortSwigger’s team reacted quickly to the React2Shell vulnerability, releasing two quick updates to help organizations and practitioners to quickly investigate and triage suspected Next.js, (React server components) targets.

How to test for React2Shell in Burp Suite Professional

Manual testing, instant visibility

Burp Suite Professional lets you quickly investigate React2Shell behaviour and validate specific endpoints during hands-on testing. You have two main detection options:

1. ActiveScan++ (v2.0.8) – recommended

   Ensure you have the latest version of ActiveScan++, which includes a dedicated React2Shell check, giving you automated detection directly inside Burp Suite Professional. Once installed, it:

   • Adds React2Shell coverage into your existing manual workflow

   • Runs automatically as part of your active scanning

   • Is ideal for quick investigation and triage of suspected Next.js (React server components) targets

   Note: Current automated checks focus on Next.js applications. Other React frameworks may still require manual investigation and bespoke testing.

   
   

2. Custom scan check (Bambda) for targeted checks

   If you need more focused, on-demand testing, you can import the community-created React2Shell Bambda and run it against specific endpoints or applications.

   This is ideal for quickly validating a suspected vulnerable app or probing specific components to reproduce reported behaviour.

   How to import and run the custom scan check:

   • Download the Bambda

   • In Burp Suite Professional, go to Extensions > Bambda library.

   • Click Import. The Import scripts dialog opens.

   • Select .bambda files or a folder containing .bambda files.

   • Click Open.

How to scan for React2Shell in Burp Suite DAST

If you need to understand React2Shell exposure across many applications or environments, Burp Suite DAST gives you continuous, automated detection at scale.

ActiveScan++ (v2.0.8) in Burp Suite DAST

Burp Suite DAST supports the updated ActiveScan++ extension. Once installed, ActiveScan++ enables automated React2Shell coverage across your Next.js estate, with scans running on a schedule or through your CI/CD pipelines, and results delivered centrally to your AppSec team.

How to enable ActiveScan++ in Burp Suite DAST

• Download the ActiveScan++ BApp here: ActiveScan++ extension

• For a full breakdown of how to install BApps in Burp Suite DAST, go to the user guide.

Portswigger Burp DAST (Enterprise) and Burp Professional solutions are available in UK through Simple IT Distribution LTD, Portswigger Partner in the UK.

About Simple IT Distribution LTD

Simple IT Distribution LTD is backed by 10 years of experience in Value Added IT Distribution. What sets us apart from the crowd is our customer-centric approach, the quality services (consulting, implementation, training, support), and the people behind them, which are experienced and certified proffessionals. We provide sales and technical advice and deliver the solutions that best meed our customers' diverse technology needs. Our partners are hand-picked from the top vendors, and we back up their solutions with certified professionals, to give you nothing but the best.

For more information, please visit www.simpleit-distribution.co.uk .