Share
## https://sploitus.com/exploit?id=3BA7FE02-02AC-5981-B0F0-45E99C5A24B0
# ๐Ÿ” Next.js Security Testing Tool


  
  
  
  



  Professional security assessment utility for Next.js applications


---

## โš ๏ธ Disclaimer

**This tool is intended for authorized security testing and research purposes only.**

- โœ… Use only on systems you own or have explicit permission to test
- โœ… For bug bounty programs with proper scope
- โœ… For security researchers and penetration testers
- โŒ Never use against systems without authorization
- โŒ Not for any malicious or illegal activities

By using this software, you agree to comply with all applicable laws and regulations.

---

## ๐Ÿ“– Overview

This utility provides security professionals with a graphical interface for testing Next.js applications against CVE-2025-55182. It helps organizations identify potential security issues in their React Server Components (RSC) implementations.

### What is CVE-2025-55182?

CVE-2025-55182 is a security issue affecting certain versions of Next.js framework. This tool helps security teams:

- Identify affected Next.js installations
- Verify patch status
- Assess security posture
- Document findings for remediation

## โœจ Features

### Security Assessment

| Feature | Description |
|---------|-------------|
| ๐ŸŽฏ **Targeted Testing** | Precise vulnerability assessment |
| ๐Ÿ›ก๏ธ **Safety Checks** | Built-in protections for sensitive domains |
| ๐ŸŒ **Proxy Support** | Route through SOCKS5/HTTP proxies |
| ๐Ÿ“Š **Detailed Reports** | Comprehensive assessment results |
| ๐Ÿ–ฅ๏ธ **GUI Interface** | User-friendly Fyne-based interface |

### Built-in Safeguards

The tool includes responsible disclosure features:

```go
// Automatically blocks testing against:
// - Government domains (.gov)
// - Educational institutions (.edu)
// - Specific geographic regions
```

### Technical Capabilities

- **Protocol Support**: HTTP/HTTPS with configurable SSL verification
- **Proxy Options**: HTTP, HTTPS, SOCKS5 proxy support
- **Connection Handling**: Configurable timeouts and connection pooling
- **Encoding**: Unicode payload encoding for WAF testing

## ๐Ÿš€ Installation

## **For manual installation on Windows & macOS,** 
follow the steps below. macOS users also have the option of using the convenient [DMG file](../../releases).


### Prerequisites

- Go 1.24 or higher
- Fyne dependencies (for GUI)
- Internet connection

### Building from Source

```bash
# Clone the repository
git clone https://github.com/ssmvl2/Nextjs-RCE-Exploit.git
cd Nextjs-RCE-Exploit

# Install dependencies
go mod download

# Build the application
go build -o nextjs-scanner .

# Run
./nextjs-scanner
```

### Cross-Platform Build

```bash
# Windows
GOOS=windows GOARCH=amd64 go build -o nextjs-scanner.exe .

# Linux
GOOS=linux GOARCH=amd64 go build -o nextjs-scanner-linux .

# macOS
GOOS=darwin GOARCH=amd64 go build -o nextjs-scanner-mac .
```

## ๐Ÿ“– Usage

### Launching the Application

```bash
./nextjs-scanner
```

### GUI Interface

The application provides an intuitive graphical interface:

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Next.js Security Assessment Tool                          โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                                                             โ”‚
โ”‚  Target URL:  [https://example.com________________]         โ”‚
โ”‚                                                             โ”‚
โ”‚  โ˜ Enable Proxy    Proxy: [127.0.0.1:8080________]         โ”‚
โ”‚  โ˜ Verify SSL      Timeout: [30 seconds__________]         โ”‚
โ”‚  โ˜ WAF Bypass Mode                                          โ”‚
โ”‚                                                             โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚
โ”‚  โ”‚ Assessment Log:                                       โ”‚ โ”‚
โ”‚  โ”‚ [2025-01-15 10:30:15] Starting assessment...         โ”‚ โ”‚
โ”‚  โ”‚ [2025-01-15 10:30:16] Connecting to target...        โ”‚ โ”‚
โ”‚  โ”‚ [2025-01-15 10:30:17] Analyzing response...          โ”‚ โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚
โ”‚                                                             โ”‚
โ”‚        [ Start Assessment ]    [ Generate Report ]          โ”‚
โ”‚                                                             โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Configuration Options

| Option | Description | Default |
|--------|-------------|---------|
| Target URL | Next.js application URL | Required |
| Enable Proxy | Route through proxy | Disabled |
| Verify SSL | Validate certificates | Enabled |
| Timeout | Request timeout | 30 seconds |
| WAF Bypass | Unicode encoding mode | Disabled |

## ๐Ÿ—๏ธ Architecture

### Project Structure

```
Nextjs-Security-Tool/
โ”œโ”€โ”€ main.go              # Application entry point & GUI
โ”œโ”€โ”€ go.mod               # Go module definition
โ”œโ”€โ”€ go.sum               # Dependency checksums
โ””โ”€โ”€ README.md            # Documentation
```

### Core Components

```go
type RequestHandler struct {
    httpClient     *http.Client
    requestTimeout time.Duration
    sslVerify      bool
    browserAgent   string
}

type PayloadResponse struct {
    Success bool   `json:"success"`
    Result  string `json:"result"`
    Error   string `json:"error,omitempty"`
}
```

### Dependencies

| Package | Purpose |
|---------|---------|
| `fyne.io/fyne/v2` | Cross-platform GUI framework |
| `net/http` | HTTP client functionality |
| `crypto/tls` | TLS/SSL support |
| `encoding/json` | JSON parsing |

## ๐Ÿ”ง Configuration

### Proxy Setup

```go
// HTTP Proxy
handler.ConfigureProxy(true, "http://127.0.0.1:8080")

// SOCKS5 Proxy
handler.ConfigureProxy(true, "socks5://127.0.0.1:1080")
```

### Custom User Agent

The tool uses a realistic browser user agent:
```
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
```

## ๐Ÿ“‹ Responsible Disclosure

If you discover security issues using this tool:

1. **Do not publicly disclose** until vendor is notified
2. **Report to the vendor** with detailed information
3. **Allow reasonable time** for patches (typically 90 days)
4. **Follow coordinated disclosure** practices

### Reporting Channels

- Next.js Security: security@vercel.com
- HackerOne Bug Bounty Programs

## ๐Ÿ›ก๏ธ Legal Notice

This tool is provided for educational and authorized security testing purposes only. Users are responsible for:

- Obtaining proper authorization before testing
- Complying with applicable laws and regulations
- Using the tool ethically and responsibly
- Any consequences resulting from misuse

The authors assume no liability for misuse of this software.

## ๐Ÿค Contributing

Contributions are welcome for:

- Bug fixes
- Documentation improvements
- Safety feature enhancements
- UI/UX improvements

Please submit issues and pull requests through GitHub.

## ๐Ÿ“„ License

This project is licensed under the MIT License. See [LICENSE](LICENSE) for details.

## ๐Ÿ“š References

- [CVE-2025-55182 Details](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Security Documentation](https://nextjs.org/docs/security)
- [React Server Components Security](https://react.dev/reference/rsc)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)

---


  Built for Security Professionals
  
  ๐Ÿ”’ Test Responsibly ๐Ÿ”’