How to detect React2Shell with Burp Suite

Detecting React2Shell with Burp Suite

React2Shell vulnerabilities in Next.js applications are now scannable across Burp Suite, making it fast to validate your exposure and begin automated coverage using:

• Burp Suite Professional – for manual investigation and validation
• Burp Suite DAST – for continuous, automated coverage across many apps

Both editions of Burp Suite now have access to the latest React2Shell detection logic for Next.js with ActiveScan++ (v2.0.8). Burp Suite Professional also enables targeted custom scan checks for deeper investigation.

How to test for React2Shell in Burp Suite Professional

Manual testing, instant visibility

Burp Suite Professional lets you quickly investigate React2Shell behaviour and validate specific endpoints during hands-on testing. You have two main detection options:

1. ActiveScan++ (v2.0.8) – recommended

   Ensure you have the latest version of ActiveScan++, which includes a dedicated React2Shell check, giving you automated detection directly inside Burp Suite Professional. Once installed, it:

   • Adds React2Shell coverage into your existing manual workflow
   • Runs automatically as part of your active scanning
   • Is ideal for quick investigation and triage of suspected Next.js (React server components) targets

   Note: Current automated checks focus on Next.js applications. Other React frameworks may still require manual investigation and bespoke testing.

   
   

2. Custom scan check (Bambda) for targeted checks

   If you need more focused, on-demand testing, you can import the community-created React2Shell Bambda and run it against specific endpoints or applications.

   This is ideal for quickly validating a suspected vulnerable app or probing specific components to reproduce reported behaviour.

   How to import and run the custom scan check:

   • Download the Bambda
   • In Burp Suite Professional, go to Extensions > Bambda library.
   • Click Import. The Import scripts dialog opens.
   • Select .bambda files or a folder containing .bambda files.
   • Click Open.

How to scan for React2Shell in Burp Suite DAST

If you need to understand React2Shell exposure across many applications or environments, Burp Suite DAST gives you continuous, automated detection at scale.

ActiveScan++ (v2.0.8) in Burp Suite DAST

Burp Suite DAST supports the updated ActiveScan++ extension. Once installed, ActiveScan++ enables automated React2Shell coverage across your Next.js estate, with scans running on a schedule or through your CI/CD pipelines, and results delivered centrally to your AppSec team.

How to enable ActiveScan++ in Burp Suite DAST

• Download the ActiveScan++ BApp here: ActiveScan++ extension
• For a full breakdown of how to install BApps in Burp Suite DAST, go to the user guide.

Start scanning now

Whether you are using Burp Suite Professional yourself or Burp Suite DAST for broad, automated coverage, you can start detecting Next.js-based React2Shell today.

• Install or update ActiveScan++ v2.0.8 in either product.
• (Optional) Add the React2Shell Bambda custom scan check to your Burp Suite Professional application for targeted tests.

We will continue to publish updates as more information and broader detection techniques for other React frameworks become available.

Join the React2Shell conversation

We would love to hear from you. Jump into the PortSwigger Discord to share feedback, tips, and requests with the team and the community.

Join the PortSwigger Discord.

What is React2Shell?

Two new critical vulnerabilities, collectively known as React2Shell (CVE-2025-55182 and CVE-2025-66478), are rapidly gaining traction in the security community. With a CVSS score of 10.0 and unauthenticated remote code execution, many expect a trajectory similar to Log4j, including rapid weaponisation by ransomware groups.

React2Shell affects React and Next.js applications and potentially other frameworks that use React server components.

Because these frameworks underpin a huge number of production apps, a successful exploit can lead to major compromise. For most teams, this should be treated as a high-priority incident.

Early proof-of-concept checks have mostly focused on detecting the presence of React server components. That is not enough to determine exploitability, and not all public PoCs are reliable.

Important: Even if your application does not explicitly call server actions, it may still be vulnerable, as long as it supports React server components.

Tom Ryder