Share
## https://sploitus.com/exploit?id=082D1BF4-BD88-584D-B38A-7A556EA5E175
# ๐Ÿ” Next.js RCE Scanner - CVE-2025-55182 & CVE-2025-66478


  
  
  
  



  A powerful and easy-to-use scanner for detecting critical RCE vulnerabilities in Next.js applications


---

## ๐ŸŽฏ Overview

An advanced vulnerability scanner for detecting **CVE-2025-55182** and **CVE-2025-66478** - critical Remote Code Execution (RCE) vulnerabilities in Next.js applications using React Server Components (RSC).

This enhanced tool builds upon the excellent research by [Assetnote Security Team](https://github.com/assetnote/react2shell-scanner) with improved detection, ease of use, and comprehensive reporting.

### ๐ŸŒŸ Key Features

- **Triple-Layer Detection**: Tests with RCE, Safe, and Vercel WAF bypass payloads
- **Auto-Detection**: Automatically finds `test_urls.txt` in the same directory
- **Dual Mode**: Scan single URL or bulk scan from file
- **Smart Redirect Handling**: Follows redirects with same-host validation
- **Comprehensive Reports**: Export results to JSON, CSV, or HTML
- **Retry Logic**: Built-in resilience with automatic retries
- **Progress Tracking**: Real-time progress bars for bulk scans
- **GUI & CLI**: Optional graphical interface or command-line usage
- **Configurable**: Customize payloads and detection patterns via `config.json`

---

## ๐Ÿšจ Vulnerability Details

### CVE-2025-55182 & CVE-2025-66478

These vulnerabilities affect Next.js applications using React Server Components through improper handling of multipart form-data requests:

- **Impact**: Remote Code Execution (RCE)
- **Vector**: Malicious multipart form-data payloads to RSC endpoints
- **Affected**: Next.js applications with Server Actions enabled
- **Severity**: Critical

**Exploit Mechanism:**
The vulnerability exploits the RSC protocol's multipart parsing to inject arbitrary JavaScript code that executes server-side, allowing attackers to run system commands.

---

## ๐Ÿ“ฆ Installation

### Quick Setup (Recommended)

**Windows:**
```bash
setup.bat
```

**Linux/macOS:**
```bash
chmod +x setup.sh
./setup.sh
```

### Manual Installation

1. **Clone the repository:**
```bash
git clone https://github.com/yourusername/nextjs-rce-scanner.git
cd nextjs-rce-scanner
```

2. **Create virtual environment (optional but recommended):**
```bash
python -m venv venv

# Windows
venv\Scripts\activate

# Linux/macOS
source venv/bin/activate
```

3. **Install dependencies:**
```bash
pip install -r requirements.txt
```

---

## ๐Ÿš€ Usage

### Quick Scan (Interactive Mode)

The simplest way to start scanning:

**Windows:**
```bash
scan.bat
```

**Linux/macOS:**
```bash
./scan.sh
```

Or directly:
```bash
python quick_scan.py
```

**What happens:**
1. Automatically detects `test_urls.txt` if present
2. Prompts for single URL or loads file
3. Runs triple-layer detection (RCE + Safe + Vercel bypass)
4. Displays results with detailed vulnerability information

### Single URL Scan

```bash
python quick_scan.py
# When prompted, enter: 1
# Enter URL: https://target.com
```

### Bulk Scan from File

Create `test_urls.txt` in the same directory:
```
https://example1.com
https://example2.com
https://example3.com
```

Run scanner:
```bash
python quick_scan.py
# Auto-detects test_urls.txt and scans all URLs
```

### Advanced Usage (Full Engine)

```bash
python nextjs_rce_scanner.py --url https://target.com --payload-type rce
```

**Options:**
- `--url`: Single target URL
- `--file`: Path to file with URLs (one per line)
- `--payload-type`: Payload variant (rce, safe, waf_bypass, vercel_bypass, custom)
- `--output`: Report file path
- `--format`: Report format (json, csv, html)
- `--gui`: Launch graphical interface
- `--timeout`: Request timeout in seconds
- `--max-redirects`: Maximum redirects to follow
- `--verbose`: Detailed output

**Example:**
```bash
python nextjs_rce_scanner.py --file targets.txt --format html --output scan_results.html --verbose
```

---

## ๐Ÿ“Š Output Examples

### Console Output
```
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
๐Ÿ” Next.js RCE Scanner - Triple Layer Detection
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Auto-detected file: test_urls.txt
[*] Loading URLs from file...
[*] Loaded 5 URLs

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
[1/5] Scanning: https://example.com
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

  [โœ“] RCE Payload Test       โ†’ Secure
  [โœ“] Safe Payload Test      โ†’ Secure
  [โœ“] Vercel Bypass Test     โ†’ Secure

  Status: โœ… SECURE (0/3 payloads detected vulnerability)
  Response: 405 (Method Not Allowed)
```

### Report Files

**JSON Report:**
```json
{
  "scan_timestamp": "2025-01-15T10:30:00",
  "total_targets": 5,
  "vulnerable": 0,
  "results": [...]
}
```

**HTML Report:**
Professional formatted report with color-coded results, scan statistics, and detailed findings.

---

## ๐Ÿ”ง Configuration

Customize scanner behavior via `config.json`:

```json
{
  "scanner_settings": {
    "timeout": 30,
    "max_redirects": 5,
    "verify_ssl": false
  },
  "payloads": {
    "rce_commands": {
      "unix_test": "echo $((41*271))",
      "windows_test": "powershell -c \"41*271\""
    }
  },
  "detection": {
    "rce_patterns": [".*/login\\?a=11111.*"],
    "safe_error_codes": [500]
  },
  "rate_limiting": {
    "enabled": true,
    "requests_per_second": 2
  }
}
```

---

## ๐Ÿ›ก๏ธ Detection Methods

### Layer 1: RCE Payload
- Injects command execution payload via multipart form-data
- Detects `X-Action-Redirect` header with specific pattern
- Confirms code execution capability

### Layer 2: Safe Payload
- Uses non-destructive test payload
- Checks for 500 status code and error messages
- Identifies vulnerability without exploitation

### Layer 3: Vercel WAF Bypass
- Alternative multipart structure to evade WAF
- Tests different content-type boundaries
- Comprehensive coverage for protected targets

---

## ๐Ÿ“‚ Project Structure

```
nextjs-rce-scanner/
โ”œโ”€โ”€ nextjs_rce_scanner.py   # Main scanner engine (full features)
โ”œโ”€โ”€ quick_scan.py            # Simple interactive wrapper
โ”œโ”€โ”€ config.json              # Configuration file
โ”œโ”€โ”€ requirements.txt         # Python dependencies
โ”œโ”€โ”€ test_urls.txt            # URL list for bulk scanning
โ”œโ”€โ”€ setup.sh                 # Linux/Mac installation script
โ”œโ”€โ”€ setup.bat                # Windows installation script
โ”œโ”€โ”€ scan.sh                  # Linux/Mac quick launcher
โ”œโ”€โ”€ scan.bat                 # Windows quick launcher
โ”œโ”€โ”€ README.md                # This file
โ””โ”€โ”€ LICENSE                  # MIT License
```

---

## ๐Ÿงช Testing

Test against known vulnerable environments (ethical testing only):

```bash
python quick_scan.py
```

Enter test URL when prompted. The scanner will:
1. Test RCE payload
2. Test Safe payload
3. Test Vercel bypass variant
4. Provide detailed analysis

---

## โš ๏ธ Legal Disclaimer

**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**

This tool is provided for security research, vulnerability assessment, and authorized penetration testing. Users must:

- โœ… Obtain explicit written permission before scanning any target
- โœ… Comply with all applicable laws and regulations
- โœ… Use responsibly and ethically
- โŒ NOT use for unauthorized access or malicious purposes
- โŒ NOT scan systems you don't own or have permission to test

**The authors assume NO LIABILITY for misuse or damage caused by this tool.**

By using this software, you agree to use it in a legal and responsible manner.

---

## ๐Ÿ™ Credits & References

- **Assetnote Security Team**: Original vulnerability research and [react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
- **CVE-2025-55182 & CVE-2025-66478**: Vulnerability identifiers
- **Next.js Team**: For ongoing security improvements

---

## ๐Ÿ“ License

MIT License - See [LICENSE](LICENSE) file for details

---

## ๐Ÿค Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit changes (`git commit -am 'Add new feature'`)
4. Push to branch (`git push origin feature/improvement`)
5. Open a Pull Request

---

## ๐Ÿ“ง Contact

For security issues or questions:
- Open an issue on GitHub
- Report vulnerabilities responsibly

---


  โญ If this tool helped you, please consider giving it a star! โญ



  Made with โค๏ธ for the security community