## https://sploitus.com/exploit?id=16D02C46-7FFB-5708-8D81-4A5B7E53617C
# CVE-2025-55182 Next.js RCE Exploit ๐
  
This is an automated proof-of-concept (PoC) tool targeting the **Next.js React Server Components (CVE-2025-55182)** remote code execution (RCE) vulnerability. The tool integrates features such as **interactive shells**, **smart protocol detection**, and **multithreaded batch scanning**. It is designed for security researchers and penetration testers to quickly validate and exploit this vulnerability. > **โ ๏ธ Disclaimer**: This tool is intended only for cybersecurity education and authorized security testing purposes. Its use for unauthorized attacks is strictly prohibited. Users must bear all legal responsibilities arising from using this tool. ---
## โจ Key Features
* **Interactive Shell Mode**: Simulates a terminal environment, allowing continuous command execution without the need to run scripts repeatedly. * **Smart Protocol Detection**: Automatically handles invalid inputs (e.g., `192.168.1.1`, `example.com`, or URLs without protocols). The tool will prioritize HTTPS connections and automatically fall back to HTTP if failed. * **Batch Vulnerability Scanning**: Supports importing list files of URLs for high-performance, multithreaded scanning to quickly identify vulnerable targets. * **Auto-duplication**: Automatically removes duplicate targets during batch mode to avoid repeated requests. * **Advanced Payload Encoding (Core Advantage)**:
* Uses **Node.js native Base64** for command echoing. * Perfectly resolves error messages caused by JSON escape characters. * Supports viewing binary outputs (e.g., `ls -F`) or reading non-text files. * **Does Not Depend on** target systemโs `base64` or `tr` commands (perfectly compatible with lean container environments like Alpine/Distroless). * **Robust Error Handling**: Built-in automatic retry mechanisms and timeout handling, adapted to unstable network environments, and can gracefully handle CMD encoding errors. ---
## ๐ ๏ธ Installation Guide
1. **Clone the repository**:
```bash
git clone https://github.com/hualy13/CVE-2025-55182.git
cd CVE-2025-55182
```
2. **Install dependencies**:
```bash
pip install -r requirements.txt
```
---
## ๐ป Usage
### 1. Interactive Shell (Recommended)
Connect to the target like in SSH, allowing continuous command execution. ```bash
python CVE-2025-55182.py -u [https://target.com/apps] --shell
```
*Note: If you enter an IP (e.g., `127.0.0.1`), the tool will automatically prioritize HTTPS connections.*
### 2. Batch Scanning
Load target lists from text files for batch detection. Bash
```bash
python CVE-2025-55182.py -f targets.txt -t 20
```
- `-f`: Target list file path (one target per line). - `-t`: Number of scanning threads (default: 10). - **Result**: URLs with vulnerabilities will be automatically saved to `success.txt` in the current directory.
### 3. Single Command Execution
Execute a single command and exit, suitable for quick validation. Bash
```bash
python CVE-2025-55182.py -u [https://target.com/apps] -c "id"
```
### 4. Proxy Support
Supports configuring HTTP/HTTPS proxies (e.g., using Burp Suite packet analysis). Bash
```bash
python CVE-2025-55182.py -u [https://target.com/apps] --shell -p [http://127.0.0.1:8080]
```
------
## ๐ Batch Scanning Input Format
The `targets.txt` file supports mixed formats, and the tool will automatically standardize them:
Plaintext
```
192.168.1.100 # Automatically try [http://192.168.1.100]
10.0.0.5:3000 # Automatically try [http://10.0.0.5:3000]
example.com # Prioritize trying [https://example.com], fall back to http://
[https://site.com/apps] # Test as specified
```
------
## ๐ Technical Principles
This vulnerability exploits the unsafe deserialization of Payloads in Next.js Server Actions. This tool constructs a malicious JSON Payload with the following execution process:
1. Injects a Node.js `child_process.execSync` call. 2. Uses a `try-catch` block to wrap the execution logic, preventing the server from returning a 500 error due to nonexistent commands or execution errors. 3. Converts the command execution result to a **Base64** string using Node.jsโs internal `Buffer`. 4. Includes the Base64 result in the HTTP response headers (`X-Action-Redirect` or `Location`) for the attacker to view. ------
## โ๏ธ Legal Statement
The tools and information provided in this repository are intended only for security research and authorized testing purposes. The author assumes no responsibility for any illegal actions or losses resulting from the misuse of this tool. **Do not test any system without explicit authorization.**