Burp Suite Update Enhances Security with React2Shell Vulnerability Detection

PortSwigger has recently updated Burp Suite’s ActiveScan++ extension to include detection capabilities for the critical React2Shell vulnerabilities, identified as CVE-2025-55182 and CVE-2025-66478. These vulnerabilities involve server-side request forgery (SSRF) in React applications, potentially allowing attackers to execute arbitrary shell commands and achieve full remote code execution (RCE) on affected servers.

Understanding React2Shell Vulnerabilities

The React2Shell vulnerabilities exploit insecure deserialization within React’s Server Components Flight protocol. By sending specially crafted HTTP requests to server function endpoints, unauthenticated attackers can execute arbitrary code. This flaw affects React versions 19.0 through 19.2.0, as well as frameworks like Next.js (versions 15.x-16.x), React Router, Waku, and RedwoodSDK.

Active Exploitation and Industry Response

These vulnerabilities have been actively exploited in the wild. For instance, Amazon Web Services reported that China-linked threat groups, including Earth Lamia and Jackpot Panda, began exploiting CVE-2025-55182 within hours of its disclosure. The urgency of the situation prompted organizations like Cloudflare to deploy emergency patches, which, in one instance, led to a brief global network disruption.

Burp Suite’s Enhanced Detection Capabilities

In response to the growing threat, Burp Suite’s ActiveScan++ extension now includes checks for React2Shell vulnerabilities. This enhancement allows security professionals to identify these critical issues during routine scans, thereby strengthening defenses against potential exploits.

Key Features of ActiveScan++

ActiveScan++ extends Burp Suite’s scanning capabilities by adding low-overhead checks for advanced application behaviors. It detects subtle issues that standard scanners might miss, such as host header manipulations, including password reset poisoning, cache poisoning, and DNS rebinding attacks.

The extension also covers high-profile CVEs, including React2Shell, Shellshock, and Log4Shell. Additional features include Unicode bypass detection, triggered passive scans during fuzzing, and HTTP basic authentication insertion points.

Seamless Integration and Usage

Integrating ActiveScan++ is straightforward. Users can launch a standard Burp active scan, and ActiveScan++ will automatically run all checks. Results are displayed in the scan dashboard, categorized by severity. However, caution is advised when performing host header tests on shared hosting, as they may redirect to unintended applications.

Mitigation and Best Practices

To mitigate the risks associated with React2Shell vulnerabilities, developers are urged to implement input sanitization and request whitelisting. Additionally, updating to the latest versions of React and related frameworks is crucial. Security teams should also consider using tools like Burp Suite with ActiveScan++ to proactively identify and address potential vulnerabilities.
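A quick inventory check supports the "update to the latest versions" advice above. This is an added example, not code from PortSwigger, React or the article: it walks a package-lock.json and flags installed React and Next.js versions that fall inside the ranges the article quotes (React 19.0 through 19.2.0, Next.js 15.x-16.x). The sample lockfile is constructed, and the range boundaries are derived from the article's wording rather than from a vendor advisory.

```javascript
// Affected ranges as stated in the article (React 19.0-19.2.0, Next.js 15.x-16.x).
const AFFECTED_RANGES = {
  react: { min: "19.0.0", max: "19.2.0" },
  next: { min: "15.0.0", max: "16.999.999" },
};
// "19.2.0-canary.1" -> [19, 2, 0]: pre-release tag and build metadata dropped.
function parseVersion(v) {
  const core = v.replace(/^[v^~=]+/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// True when the installed version lies inside the article's stated range.
// The article gives a range, not the patched point releases inside it, so a
// hit means "check against the vendor advisory", not "confirmed vulnerable".
function isAffected(pkg, version) {
  const r = AFFECTED_RANGES[pkg];
  return !!r && compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0;
}
// Walk a package-lock.json "packages" map (lockfileVersion 2/3) and collect hits,
// including copies nested under another dependency's node_modules.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (meta && meta.version && isAffected(name, meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/next": { version: "15.1.3" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK)); // two hits: react 19.2.0 and next 15.1.3
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; nested copies matter because a transitively bundled React is just as reachable as the top-level one.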

Conclusion

The inclusion of React2Shell vulnerability detection in Burp Suite’s ActiveScan++ extension represents a significant advancement in web application security. By leveraging these enhanced scanning capabilities, security professionals can better protect their applications from emerging threats and ensure a more robust security posture.