Share
## https://sploitus.com/exploit?id=082D1BF4-BD88-584D-B38A-7A556EA5E175
# ๐ Next.js RCE Scanner - CVE-2025-55182 & CVE-2025-66478
A powerful and easy-to-use scanner for detecting critical RCE vulnerabilities in Next.js applications
---
## ๐ฏ Overview
An advanced vulnerability scanner for detecting **CVE-2025-55182** and **CVE-2025-66478** - critical Remote Code Execution (RCE) vulnerabilities in Next.js applications using React Server Components (RSC).
This enhanced tool builds upon the excellent research by [Assetnote Security Team](https://github.com/assetnote/react2shell-scanner) with improved detection, ease of use, and comprehensive reporting.
### ๐ Key Features
- **Triple-Layer Detection**: Tests with RCE, Safe, and Vercel WAF bypass payloads
- **Auto-Detection**: Automatically finds `test_urls.txt` in the same directory
- **Dual Mode**: Scan single URL or bulk scan from file
- **Smart Redirect Handling**: Follows redirects with same-host validation
- **Comprehensive Reports**: Export results to JSON, CSV, or HTML
- **Retry Logic**: Built-in resilience with automatic retries
- **Progress Tracking**: Real-time progress bars for bulk scans
- **GUI & CLI**: Optional graphical interface or command-line usage
- **Configurable**: Customize payloads and detection patterns via `config.json`
---
## ๐จ Vulnerability Details
### CVE-2025-55182 & CVE-2025-66478
These vulnerabilities affect Next.js applications using React Server Components through improper handling of multipart form-data requests:
- **Impact**: Remote Code Execution (RCE)
- **Vector**: Malicious multipart form-data payloads to RSC endpoints
- **Affected**: Next.js applications with Server Actions enabled
- **Severity**: Critical
**Exploit Mechanism:**
The vulnerability exploits the RSC protocol's multipart parsing to inject arbitrary JavaScript code that executes server-side, allowing attackers to run system commands.
---
## ๐ฆ Installation
### Quick Setup (Recommended)
**Windows:**
```bash
setup.bat
```
**Linux/macOS:**
```bash
chmod +x setup.sh
./setup.sh
```
### Manual Installation
1. **Clone the repository:**
```bash
git clone https://github.com/yourusername/nextjs-rce-scanner.git
cd nextjs-rce-scanner
```
2. **Create virtual environment (optional but recommended):**
```bash
python -m venv venv
# Windows
venv\Scripts\activate
# Linux/macOS
source venv/bin/activate
```
3. **Install dependencies:**
```bash
pip install -r requirements.txt
```
---
## ๐ Usage
### Quick Scan (Interactive Mode)
The simplest way to start scanning:
**Windows:**
```bash
scan.bat
```
**Linux/macOS:**
```bash
./scan.sh
```
Or directly:
```bash
python quick_scan.py
```
**What happens:**
1. Automatically detects `test_urls.txt` if present
2. Prompts for single URL or loads file
3. Runs triple-layer detection (RCE + Safe + Vercel bypass)
4. Displays results with detailed vulnerability information
### Single URL Scan
```bash
python quick_scan.py
# When prompted, enter: 1
# Enter URL: https://target.com
```
### Bulk Scan from File
Create `test_urls.txt` in the same directory:
```
https://example1.com
https://example2.com
https://example3.com
```
Run scanner:
```bash
python quick_scan.py
# Auto-detects test_urls.txt and scans all URLs
```
### Advanced Usage (Full Engine)
```bash
python nextjs_rce_scanner.py --url https://target.com --payload-type rce
```
**Options:**
- `--url`: Single target URL
- `--file`: Path to file with URLs (one per line)
- `--payload-type`: Payload variant (rce, safe, waf_bypass, vercel_bypass, custom)
- `--output`: Report file path
- `--format`: Report format (json, csv, html)
- `--gui`: Launch graphical interface
- `--timeout`: Request timeout in seconds
- `--max-redirects`: Maximum redirects to follow
- `--verbose`: Detailed output
**Example:**
```bash
python nextjs_rce_scanner.py --file targets.txt --format html --output scan_results.html --verbose
```
---
## ๐ Output Examples
### Console Output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Next.js RCE Scanner - Triple Layer Detection
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Auto-detected file: test_urls.txt
[*] Loading URLs from file...
[*] Loaded 5 URLs
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[1/5] Scanning: https://example.com
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[โ] RCE Payload Test โ Secure
[โ] Safe Payload Test โ Secure
[โ] Vercel Bypass Test โ Secure
Status: โ
SECURE (0/3 payloads detected vulnerability)
Response: 405 (Method Not Allowed)
```
### Report Files
**JSON Report:**
```json
{
"scan_timestamp": "2025-01-15T10:30:00",
"total_targets": 5,
"vulnerable": 0,
"results": [...]
}
```
**HTML Report:**
Professional formatted report with color-coded results, scan statistics, and detailed findings.
---
## ๐ง Configuration
Customize scanner behavior via `config.json`:
```json
{
"scanner_settings": {
"timeout": 30,
"max_redirects": 5,
"verify_ssl": false
},
"payloads": {
"rce_commands": {
"unix_test": "echo $((41*271))",
"windows_test": "powershell -c \"41*271\""
}
},
"detection": {
"rce_patterns": [".*/login\\?a=11111.*"],
"safe_error_codes": [500]
},
"rate_limiting": {
"enabled": true,
"requests_per_second": 2
}
}
```
---
## ๐ก๏ธ Detection Methods
### Layer 1: RCE Payload
- Injects command execution payload via multipart form-data
- Detects `X-Action-Redirect` header with specific pattern
- Confirms code execution capability
### Layer 2: Safe Payload
- Uses non-destructive test payload
- Checks for 500 status code and error messages
- Identifies vulnerability without exploitation
### Layer 3: Vercel WAF Bypass
- Alternative multipart structure to evade WAF
- Tests different content-type boundaries
- Comprehensive coverage for protected targets
---
## ๐ Project Structure
```
nextjs-rce-scanner/
โโโ nextjs_rce_scanner.py # Main scanner engine (full features)
โโโ quick_scan.py # Simple interactive wrapper
โโโ config.json # Configuration file
โโโ requirements.txt # Python dependencies
โโโ test_urls.txt # URL list for bulk scanning
โโโ setup.sh # Linux/Mac installation script
โโโ setup.bat # Windows installation script
โโโ scan.sh # Linux/Mac quick launcher
โโโ scan.bat # Windows quick launcher
โโโ README.md # This file
โโโ LICENSE # MIT License
```
---
## ๐งช Testing
Test against known vulnerable environments (ethical testing only):
```bash
python quick_scan.py
```
Enter test URL when prompted. The scanner will:
1. Test RCE payload
2. Test Safe payload
3. Test Vercel bypass variant
4. Provide detailed analysis
---
## โ ๏ธ Legal Disclaimer
**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**
This tool is provided for security research, vulnerability assessment, and authorized penetration testing. Users must:
- โ
Obtain explicit written permission before scanning any target
- โ
Comply with all applicable laws and regulations
- โ
Use responsibly and ethically
- โ NOT use for unauthorized access or malicious purposes
- โ NOT scan systems you don't own or have permission to test
**The authors assume NO LIABILITY for misuse or damage caused by this tool.**
By using this software, you agree to use it in a legal and responsible manner.
---
## ๐ Credits & References
- **Assetnote Security Team**: Original vulnerability research and [react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
- **CVE-2025-55182 & CVE-2025-66478**: Vulnerability identifiers
- **Next.js Team**: For ongoing security improvements
---
## ๐ License
MIT License - See [LICENSE](LICENSE) file for details
---
## ๐ค Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit changes (`git commit -am 'Add new feature'`)
4. Push to branch (`git push origin feature/improvement`)
5. Open a Pull Request
---
## ๐ง Contact
For security issues or questions:
- Open an issue on GitHub
- Report vulnerabilities responsibly
---
โญ If this tool helped you, please consider giving it a star! โญ
Made with โค๏ธ for the security community