React2Shell Scanner | Blacklock

CVE-2025-55182

React2Shell Scanner

CVE-2025-55182 (React2Shell) is a critical vulnerability that can allow unauthenticated remote code execution in applications using vulnerable React Server Components (RSC) implementations in React and/or Next.js. If exploited, attackers may gain full control of affected servers.

Blacklock.io React2Shell Scanner helps you quickly determine whether your web application is exposed. Simply enter your target URL and email address. The scanner safely tests for known React2Shell exploitation patterns and sends a clear result report to your inbox. No authentication, no intrusive exploitation — just fast, actionable insight so you can patch before attackers do.

To read more about the React2Shell vulnerability, see our blog post:
https://azure-staging.blacklock.co.nz/post/cve-2025-55182-react-rsc-rce-vulnerability-guide

Find answers to common queries

Frequently Asked Questions (FAQs)

What does the Blacklock.io React2Shell scanner check for?

This scanner checks whether your application is vulnerable to CVE-2025-55182 (React2Shell) by testing how your server handles React Server Component (RSC) requests. It looks for unsafe deserialization behaviour associated with vulnerable react-server-dom-* packages. The scan is non-destructive and focuses on detection, not exploitation.

How does the scanner detect the vulnerability?

Blacklock.io's custom scanner sends carefully crafted RSC requests (multipart POST requests) carrying an RCE proof-of-concept payload to your application. It analyses server responses and behaviour to determine whether the backend processes malicious payloads in a way that indicates vulnerability, without executing harmful commands or modifying server state.

Is my data and target information kept private?

Yes. We only collect the target URL and email address to perform the scan and deliver results. Scan data and the submitted email address are not shared, sold, or used for marketing. Information is retained only for operational and security purposes and handled in accordance with industry-standard data protection practices.

Will this scan impact my production application?

No. The scanner is designed to be safe and low-impact. It does not exploit the vulnerability, execute system commands, or modify application data. Requests closely resemble legitimate RSC traffic and should not affect the availability or performance of production systems.

What should I do if my application is vulnerable?

If a vulnerability is detected, immediately upgrade affected React and framework dependencies to patched versions. Review server logs for suspicious activity, apply temporary WAF rules if needed, and validate that no compromise has occurred. Consider a full security assessment to ensure no further exposure exists.

Can blacklock.io help with a deeper security assessment?

Yes. If your application is vulnerable or you want further assurance, we can assist with remediation guidance, patch validation, and in-depth penetration testing. Our team can also perform broader assessments covering web applications, APIs, and infrastructure to ensure the vulnerability is fully addressed and no additional risks remain.
