Share
## https://sploitus.com/exploit?id=16D02C46-7FFB-5708-8D81-4A5B7E53617C
# CVE-2025-55182 Next.js RCE Exploit ๐Ÿš€

![Python](https://img.shields.io/badge/Python-3.x-blue) ![License](https://img.shields.io/badge/License-MIT-green) ![Security](https://img.shields.io/badge/Security-PoC-red)

This is an automated proof-of-concept (PoC) tool targeting the **Next.js React Server Components (CVE-2025-55182)** remote code execution (RCE) vulnerability. The tool integrates features such as **interactive shells**, **smart protocol detection**, and **multithreaded batch scanning**. It is designed for security researchers and penetration testers to quickly validate and exploit this vulnerability. > **โš ๏ธ Disclaimer**: This tool is intended only for cybersecurity education and authorized security testing purposes. Its use for unauthorized attacks is strictly prohibited. Users must bear all legal responsibilities arising from using this tool. ---

## โœจ Key Features

* **Interactive Shell Mode**: Simulates a terminal environment, allowing continuous command execution without the need to run scripts repeatedly. * **Smart Protocol Detection**: Automatically handles invalid inputs (e.g., `192.168.1.1`, `example.com`, or URLs without protocols). The tool will prioritize HTTPS connections and automatically fall back to HTTP if failed. * **Batch Vulnerability Scanning**: Supports importing list files of URLs for high-performance, multithreaded scanning to quickly identify vulnerable targets. * **Auto-duplication**: Automatically removes duplicate targets during batch mode to avoid repeated requests. * **Advanced Payload Encoding (Core Advantage)**:
    * Uses **Node.js native Base64** for command echoing. * Perfectly resolves error messages caused by JSON escape characters. * Supports viewing binary outputs (e.g., `ls -F`) or reading non-text files. * **Does Not Depend on** target systemโ€™s `base64` or `tr` commands (perfectly compatible with lean container environments like Alpine/Distroless). * **Robust Error Handling**: Built-in automatic retry mechanisms and timeout handling, adapted to unstable network environments, and can gracefully handle CMD encoding errors. ---

## ๐Ÿ› ๏ธ Installation Guide

1. **Clone the repository**:
    ```bash
    git clone https://github.com/hualy13/CVE-2025-55182.git
    cd CVE-2025-55182
    ```

2. **Install dependencies**:
    ```bash
    pip install -r requirements.txt
    ```

---

## ๐Ÿ’ป Usage

### 1. Interactive Shell (Recommended)
Connect to the target like in SSH, allowing continuous command execution. ```bash
python CVE-2025-55182.py -u [https://target.com/apps] --shell
```

*Note: If you enter an IP (e.g., `127.0.0.1`), the tool will automatically prioritize HTTPS connections.*

### 2. Batch Scanning

Load target lists from text files for batch detection. Bash
    ```bash
    python CVE-2025-55182.py -f targets.txt -t 20
    ```

- `-f`: Target list file path (one target per line). - `-t`: Number of scanning threads (default: 10). - **Result**: URLs with vulnerabilities will be automatically saved to `success.txt` in the current directory.

### 3. Single Command Execution

Execute a single command and exit, suitable for quick validation. Bash
    ```bash
    python CVE-2025-55182.py -u [https://target.com/apps] -c "id"
    ```

### 4. Proxy Support

Supports configuring HTTP/HTTPS proxies (e.g., using Burp Suite packet analysis). Bash
    ```bash
    python CVE-2025-55182.py -u [https://target.com/apps] --shell -p [http://127.0.0.1:8080]
    ```

------

## ๐Ÿ“ Batch Scanning Input Format

The `targets.txt` file supports mixed formats, and the tool will automatically standardize them:

Plaintext

```
192.168.1.100          # Automatically try [http://192.168.1.100]
10.0.0.5:3000          # Automatically try [http://10.0.0.5:3000]
example.com            # Prioritize trying [https://example.com], fall back to http://
[https://site.com/apps]   # Test as specified
```

------

## ๐Ÿ” Technical Principles

This vulnerability exploits the unsafe deserialization of Payloads in Next.js Server Actions. This tool constructs a malicious JSON Payload with the following execution process:

1. Injects a Node.js `child_process.execSync` call. 2. Uses a `try-catch` block to wrap the execution logic, preventing the server from returning a 500 error due to nonexistent commands or execution errors. 3. Converts the command execution result to a **Base64** string using Node.jsโ€™s internal `Buffer`. 4. Includes the Base64 result in the HTTP response headers (`X-Action-Redirect` or `Location`) for the attacker to view. ------

## โš–๏ธ Legal Statement

The tools and information provided in this repository are intended only for security research and authorized testing purposes. The author assumes no responsibility for any illegal actions or losses resulting from the misuse of this tool. **Do not test any system without explicit authorization.**