## https://sploitus.com/exploit?id=657B82BF-0A88-5BAC-81BA-24C4DA611EF9
# Next.js CVE-2025-66478 PoC
[**English**](./README.md) | [**한국어**](./README_ko.md)
This repository contains a Proof of Concept (PoC) for reproducing and researching the Next.js CVE-2025-66478 vulnerability. It consists of a vulnerable Next.js application and a Python exploit script to test the vulnerability.
## What is CVE-2025-66478?
This is a **Remote Code Execution (RCE)** vulnerability in Next.js Server Actions. The underlying cause is **Prototype Pollution**.
### Vulnerability Summary
| Item | Description |
| :--- | :--- |
| **CVE ID** | CVE-2025-66478 |
| **Type** | Remote Code Execution (RCE) |
| **Root Cause** | Prototype Pollution in Server Actions |
| **Severity (CVSS)** | 10.0 (Critical) |
| **Impact** | Arbitrary system command execution on the server |
### Attack Mechanism
1. **Pollution**: An attacker sends a specially crafted payload containing `__proto__` properties to a Server Action.
2. **Property Injection**: During the processing of the request, the prototype of objects (`Object.prototype`) is polluted. This allows injecting arbitrary properties (like `then`) into all objects.
3. **Thenable Gadget**: Next.js internal logic checks if an object has a `then` method to handle asynchronous operations. The polluted object is misidentified as a **Promise** (thenable) because it now possesses a `then` method.
4. **RCE**: When the server attempts to execute this "fake Promise", the malicious JavaScript code injected by the attacker is executed. This can invoke functions like `child_process.execSync` to run system commands.
```mermaid
sequenceDiagram
participant Attacker
participant Server as Next.js Server
Attacker->>Server: POST / (JSON with "__proto__": {"then": ...})
Note right of Server: JSON Parsing Pollutes Object.prototype
Server->>Server: Application Logic encounters an Object
rect rgb(200, 150, 150)
Note right of Server: "Thenable" Check Gadget
Server->>Server: Checks: typeof obj.then === 'function'?
Server-->>Server: YES (due to pollution)
end
Server->>Server: Await/Execute malicious .then()
Note right of Server: Malicious JS Code Runs (RCE)
Server-->>Attacker: Response (Action Redirect / Error info)
```
Consequently, as the server processes this manipulated Promise, it executes JavaScript code injected by the attacker, which can lead to system command execution. The included `main.py` is example code that reproduces this attack scenario.
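As an added defensive example (not code from this repository), the following Node.js snippet scans a parsed request body for the `__proto__` / `constructor.prototype` key shape described above, and shows a `JSON.parse` reviver that strips `__proto__` keys before a body reaches any merge or assignment logic. The sample bodies are constructed, not captured traffic.

```javascript
// Constructed sample bodies: a benign Server Action argument list and one
// carrying the "__proto__": {"then": ...} shape shown in the diagram above.
const BENIGN_BODY = '[{"id": 42, "tags": ["a", "b"]}]';
const SUSPICIOUS_BODY =
  '[{"id": 42, "__proto__": {"then": "<attacker-controlled>"}}, ' +
  '{"constructor": {"prototype": {"then": "<attacker-controlled>"}}}]';

// Walk a parsed JSON value and return JSONPath-like locations of keys that
// can reach Object.prototype if the value is later deep-merged or assigned.
function findPollutionKeys(value, path = "$", parentKey = null, found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, null, found));
  } else if (value !== null && typeof value === "object") {
    // Object.entries lists own properties only. JSON.parse stores "__proto__"
    // as an own data property, so it is visible here rather than hidden
    // behind the inherited __proto__ accessor.
    for (const [key, child] of Object.entries(value)) {
      const here = `${path}.${key}`;
      if (key === "__proto__" || (key === "prototype" && parentKey === "constructor")) {
        found.push(here);
      }
      findPollutionKeys(child, here, key, found);
    }
  }
  return found;
}

// Parse with a reviver that deletes "__proto__" keys at every depth, so the
// parsed object cannot carry that key into a merge. Returning undefined from
// a reviver removes the property from its holder.
function parseWithoutProto(text) {
  return JSON.parse(text, (key, val) => (key === "__proto__" ? undefined : val));
}

// Triage one body: list suspicious key paths, decide whether to accept it,
// and hand back a copy with "__proto__" stripped as defense in depth.
function inspectBody(text) {
  const suspicious = findPollutionKeys(JSON.parse(text));
  return { suspicious, allowed: suspicious.length === 0, sanitized: parseWithoutProto(text) };
}

console.log(inspectBody(SUSPICIOUS_BODY).suspicious);
// -> [ '$[0].__proto__', '$[1].constructor.prototype' ]
```

Reject a body outright when `allowed` is false; the reviver only removes `__proto__`, so `constructor.prototype` findings still need the request to be refused rather than sanitized.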
## Affected Versions
This vulnerability affects Next.js applications using the **App Router**.
- **Affected**:
  - Next.js 15.x
  - Next.js 16.x
  - Next.js 14.3.0-canary.77 and later (Canary releases)
- **Not Affected**:
  - Next.js 13.x
  - Next.js 14.x Stable releases
  - Pages Router only applications
  - Edge Runtime
**Fixed Versions**:
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
- 15.6.0-canary.58 (for PPR users)
## References
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories)
- [NVD - CVE-2025-66478](https://nvd.nist.gov/vuln/detail/CVE-2025-66478)
## File Structure
- `next.js/`: Vulnerable Next.js web application example code.
- `exploit/`: Exploit execution script written in Python (`main.py`).
## Prerequisites
- **Node.js**: v18 or higher recommended.
- **Python**: v3.8 or higher recommended.
---
## 1. Running the Next.js Application
First, you need to run the target Next.js server.
1. Navigate to the `next.js` directory:
   ```bash
   cd next.js
   ```
2. Install dependencies:
   ```bash
   npm install
   # You can also use yarn or pnpm.
   ```
3. Start the development server:
   ```bash
   npm run dev
   ```
Verify that you can access `http://localhost:3000` via your browser.
## 2. Running the Python Exploit
Now you can test the vulnerability using the Python script.
1. Navigate to the `exploit` directory from the project root:
   ```bash
   cd exploit
   ```
2. (Optional) Using a virtual environment is recommended:
   ```bash
   python3 -m venv venv
   source venv/bin/activate # For Windows: venv\Scripts\activate
   ```
3. Install the necessary libraries. The `requests` module is required:
   ```bash
   pip install requests
   ```
4. Run the script:
   ```bash
   python main.py
   ```
By default, it targets the local address (`http://localhost:3000`). To test a different address, use the `--url` option:
```bash
python main.py --url http://target-ip:3000
```
## Disclaimer
This code is provided for security research and educational purposes only. Using this tool against systems or networks without prior permission is illegal, and the user is solely responsible for any issues that arise from such use.