From Zero to Manifest V3: How GitHub Copilot Helped Me Finish an RSC Vulnerability Detector for CVE‑2025‑55182

Anuththara Wickramasekara — Sun, 31 May 2026 14:20:47 +0000

This is a submission for the GitHub Finish-Up-A-Thon Challenge

From Zero to Manifest V3: How GitHub Copilot Helped Me Finish an RSC Vulnerability Detector for CVE-2025-55182

What I Built

RSC Fingerprint Detector - a Manifest V3 Chrome extension that performs passive and active reconnaissance of React Server Components (RSC) and the React2Shell vulnerability class (CVE-2025-55182, CVE-2025-66478). These vulnerabilities stem from unsafe deserialisation of the React Flight protocol, enabling unauthenticated remote code execution on any Next.js App Router endpoint.

The extension implements a dual-phase detection pipeline:

Passive fingerprinting: Heuristic analysis of the global namespace (window.__next_f), script asset introspection (react-server-dom-webpack), DOM attribute scanning (data-rsc, data-reactroot), and response header inspection (Content-Type: text/x-component, Vary: RSC).
Active probing: A cross-origin fetch with a custom X-RSC-Probe header, followed by content-type entropy analysis and Flight protocol signature extraction.

The original project was a 50-line ephemeral script that relied on manual DevTools injection. The finished version is a fully isolated, event-driven Chrome extension with a declarative ruleset, persistent IndexedDB storage, and a reactive UI - all built with GitHub Copilot as the primary force multiplier.

Demo

Repository: https://github.com/anuththara2007-W/CVE-2025-55182-Exploit-extension

Visual proof of completion arc:

Before (abandoned console script)	After (production extension)
Only raw console output, no UI, single detection vector	Modern popup, status badges, active probe results, CVE mapping

Before screenshot: https://github.com/anuththara2007-W/CVE-2025-55182-Exploit-extension/raw/main/images/img1.png
After screenshot: https://i.postimg.cc/wT2vX4xH/Annotation-2026-05-31-184616.png

The Comeback Story

December 2025 - The CVE Disclosure

When CVE-2025-55182 was publicly disclosed (CVSS 10.0, unauthenticated RCE via Flight protocol deserialisation), I wrote a minimal Python script that checked for window.__next_f. It worked, but it was a single-vector, synchronous, non-persistent tool. Each scan required manual injection of the script into the target page's console. The script was abandoned after 48 hours because the effort to productionise it (manifest, permission handling, cross-context messaging, error recovery) exceeded the perceived value.

May 2026 - The Revival

The Finish-Up-A-Thon provided a forcing function. Using GitHub Copilot as a context-aware pair programmer, I transformed the script into a production extension with the following architectural improvements:

Component	Original (Dec 2025)	Finished (May 2026)	Technical Depth
Detection vectors	1 (`window.__next_f`)	4 (globals, script asset fingerprinting, DOM attributes, response headers)	Multi-heuristic fusion reduces false negatives
Active fingerprinting	None	`fetch` with `X-RSC-Probe`, content-type parsing, Flight protocol signature detection	AbortController timeout, CORS-aware, idempotent retry
Execution context	Console injection	Isolated content script + background service worker	Cross-context message passing with `chrome.runtime.sendMessage` and mandatory `return true` for async response
State persistence	None (ephemeral)	IndexedDB schema (object stores: `detections`, `flights`) with ACID transactions	Schema versioning, index creation (`timestamp`), FIFO eviction
UI/UX	Raw terminal	Web-based popup with reactive event handlers and status badges	CSS Grid/flex, card design, shadow DOM isolation
Distribution	Local script	Unpacked Chrome extension with `manifest.json` (MV3)	`declarativeNetRequest` permission, `host_permissions` for `<all_urls>`

The completion arc is not just feature addition - it is a migration from an ad-hoc, single-tenant script to a reusable, multi-tenant security utility that respects Chrome's extension security model (CSP, isolated worlds, least privilege).

My Experience with GitHub Copilot - Technical Breakdown

Without Copilot, this extension would still be a forgotten folder. Copilot acted as a semi-autonomous engineering partner, handling the following high-complexity tasks:

Technical Area	Specific Copilot Contribution	Why a Human (or I) Would Have Struggled
Manifest V3 permissions	Generated the entire `manifest.json` with `activeTab`, `scripting`, `declarativeNetRequest`, `host_permissions`, and the correct `service_worker` registration	MV3 deprecated background pages. Copilot knew the new schema and avoided the `persistent` flag error.
Cross-context message passing	Wrote `chrome.runtime.onMessage` listeners with the required `return true` to keep the message channel open for asynchronous `sendResponse`	I would have forgotten `return true`, causing silent failures in the popup.
IndexedDB schema design	Produced the `initDB` function with `onupgradeneeded` handler, object store creation, and index definitions (`timestamp`)	I had never written IndexedDB without a wrapper. Copilot generated transaction boundaries and error recovery.
Declarative DOM scanning	Suggested `document.querySelectorAll('[data-rsc], [data-reactroot], #__next')` and the fallback to `window.__next_f`	I did not know all RSC markers. Copilot extracted them from its training corpus of React codebases.
Active probe fetch with AbortController	Generated a `fetch` with a 2-second timeout, custom headers, and response header extraction, including CORS-aware error handling	Writing a timeout with `AbortController` and cleaning up the abort listener is error-prone. Copilot did it correctly.
Popup UI reactivity	Built the entire HTML/CSS card layout, plus the `addEventListener` wiring and state synchronisation with `chrome.storage.local`	I am not a frontend developer. Copilot produced a modern, accessible UI that works across Chrome versions.
Error recovery and idempotency	Added `try/catch` blocks to every async operation and implemented retry logic for transient IndexedDB lock errors	Without this, the extension would freeze on first error. Copilot made it resilient.

The single most impressive Copilot moment:

When I started typing // Capture RSC responses via webRequest, Copilot auto-completed the entire chrome.webRequest.onHeadersReceived listener, including the filtering condition (details.responseHeaders.some(h => h.name.toLowerCase() === 'content-type' && h.value.includes('text/x-component'))) and the asynchronous saveFlight call. It even added a comment explaining that MV3 requires 'responseHeaders' in the extraInfoSpec array. That single completion saved me 90 minutes of reading Chrome's migration guide.

Copilot did not write the whole extension. I architected the detection heuristics, chose the CVE-2025-55182 mapping, and performed manual testing on live targets (e.g., nextjs.org, vercel.com, local Next.js sandboxes). But Copilot handled the boilerplate, the edge cases, and the Chrome-specific quirks - turning a 50-line script into a 500-line production extension in two evenings.

Technical Deep Dive - How Copilot Solved Specific Problems

Asynchronous idempotency in message handlers

Copilot correctly added return true inside chrome.runtime.onMessage to indicate that the response will be sent asynchronously. Without this, the popup would time out.
IndexedDB versioning and schema migration

Copilot generated the onupgradeneeded block with conditional object store creation, preventing ConstraintError on subsequent extension updates.
Closure serialisation for injected scripts

When injecting the detection function via chrome.scripting.executeScript, Copilot used func instead of code, avoiding CSP violations and maintaining lexical scope.
DeclarativeNetRequest vs WebRequest

Copilot recommended using declarativeNetRequest for passive header inspection, which is more performant and aligns with MV3's shift away from blocking webRequest.
Heuristic entropy reduction

Copilot suggested combining multiple low-certainty signals (e.g., data-rsc + #__next + __next_f) into a confidence score, reducing false positives.

Without Copilot, this extension would not exist. With Copilot, it is a robust, field-ready security tool.

Team submission: Solo developer - Anuththara Wickramasekara

Disclaimer: This tool is intended for authorised security testing and educational purposes only. Use only on systems you own or have explicit permission to test. The author assumes no liability for misuse.

DEV Community: Anuththara Wickramasekara

From Zero to Manifest V3: How GitHub Copilot Helped Me Finish an RSC Vulnerability Detector for CVE‑2025‑55182