## https://sploitus.com/exploit?id=0FE93A3E-F38E-5AAB-B4DF-45E12E4E8573
# CVE-2025-55182 โ demo
This repository provides a demonstration of the **CVE-2025-55182** vulnerability, which allows for remote code execution (RCE) in vulnerable Next.js applications.
**References:**
- CVE entry: https://vulners.com/cve/CVE-2025-55182
- Related PoC: https://github.com/msanft/CVE-2025-55182
> [!WARNING]
> This demonstration is provided for security research, testing, and educational purposes only. Do not use it against systems for which you do not have explicit authorization.
## Getting Started
**Prerequisites**
- Docker and Docker Compose installed and running.
- Python 3.8+ with `venv` support.
> [!NOTE]
> Run the commands from the root folder unless otherwise noted.
### Start the vulnerable Next.js application
From the project root, run:
```bash
docker compose -f nextjs-target/compose.yml up --build -d
```
By default the application is served at `http://localhost:3000`.
### Run the exploit script
1. Create and activate a Python virtual environment:
```bash
python3 -m venv .venv
source .venv/bin/activate # macOS / Linux
# .venv\Scripts\activate # Windows (PowerShell/CMD)
```
2. Install dependencies:
```bash
pip install -r requirements.txt
```
3. Run the PoC (replace `HOST`/`PORT`/`ENDPOINT` as appropriate):
```bash
python exploit.py --host 127.0.0.1 --port 3000 --endpoint /
```
> [!WARNING]
> The script demonstrates command execution against a vulnerable target. Use it only on systems where you have explicit permission to test.
## Examples
Common commands to run on a permitted test target (examples only):
```bash
ls -la
env
```
## Stopping the target app
Stop and remove containers:
```bash
docker compose -f nextjs-target/compose.yml down
```