Share
## https://sploitus.com/exploit?id=01672FD0-E275-54B2-B602-C30FB1799691
# Next.js-RSC-RCE-Scanner-CVE-2025-66478

CVE-2025-66478 Next.js 취약점 μŠ€μΊλ„ˆμž…λ‹ˆλ‹€. μ›Ήμ‚¬μ΄νŠΈκ°€ RSC(React Server Components) RCE 취약점에 영ν–₯을 λ°›λŠ” Next.js 버전을 μ‚¬μš©ν•˜κ³  μžˆλŠ”μ§€ κ°μ§€ν•©λ‹ˆλ‹€.

## μ„€μΉ˜ 및 μ‹€ν–‰

### uv μ‚¬μš© (ꢌμž₯)

[uv](https://github.com/astral-sh/uv)λŠ” λΉ λ₯Έ Python νŒ¨ν‚€μ§€ κ΄€λ¦¬μžμž…λ‹ˆλ‹€.

#### 1. uv μ„€μΉ˜

```bash
# macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# Windows (PowerShell)
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
```

#### 2. μ˜μ‘΄μ„± μ„€μΉ˜ 및 μ‹€ν–‰

```bash
# κ°€μƒν™˜κ²½ 생성 및 μ˜μ‘΄μ„± μ„€μΉ˜
uv venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate
uv pip install -r requirements.txt

# Playwright λΈŒλΌμš°μ € μ„€μΉ˜
playwright install chromium

# μŠ€μΊλ„ˆ μ‹€ν–‰
python scanner.py 
```

#### λ˜λŠ” uv run으둜 ν•œ λ²ˆμ— μ‹€ν–‰

```bash
# uv run을 μ‚¬μš©ν•˜λ©΄ κ°€μƒν™˜κ²½ 없이 λ°”λ‘œ μ‹€ν–‰ κ°€λŠ₯
uv run --with playwright scanner.py 

# 단, Playwright λΈŒλΌμš°μ €λŠ” λ³„λ„λ‘œ μ„€μΉ˜ ν•„μš”
uv run --with playwright playwright install chromium
```

### pip μ‚¬μš©

```bash
pip install -r requirements.txt
playwright install chromium
python scanner.py 
```

## μ‚¬μš© μ˜ˆμ‹œ

```bash
# μ›Ήμ‚¬μ΄νŠΈ μŠ€μΊ”
python scanner.py https://example.com

# νƒ€μž„μ•„μ›ƒ μ„€μ • (κΈ°λ³Έκ°’: 30000ms)
python scanner.py https://example.com --timeout 60000
```

## μ·¨μ•½ 버전

- Next.js 14.3.0-canary.77 μ΄μƒμ˜ canary 버전
- Next.js 15.0.0 ~ 15.0.4
- Next.js 15.1.0 ~ 15.1.8
- Next.js 15.2.0 ~ 15.2.5
- Next.js 15.3.0 ~ 15.3.5
- Next.js 15.4.0 ~ 15.4.7
- Next.js 15.5.0 ~ 15.5.6
- Next.js 16.0.0 ~ 16.0.6

## μ’…λ£Œ μ½”λ“œ

- `0`: μ•ˆμ „ν•¨ (패치된 버전 λ˜λŠ” Next.js λ―Έμ‚¬μš©)
- `1`: 취약함
- `2`: μ•Œ 수 μ—†μŒ (버전 확인 λΆˆκ°€)