Share
## https://sploitus.com/exploit?id=785AD78D-76DD-52C3-82DA-D372606843B3
# ๐ Next.js Security Testing Tool
Professional security assessment utility for Next.js applications
---
## โ ๏ธ Disclaimer
**This tool is intended for authorized security testing and research purposes only.**
- โ
Use only on systems you own or have explicit permission to test
- โ
For bug bounty programs with proper scope
- โ
For security researchers and penetration testers
- โ Never use against systems without authorization
- โ Not for any malicious or illegal activities
By using this software, you agree to comply with all applicable laws and regulations.
---
## ๐ Overview
This utility provides security professionals with a graphical interface for testing Next.js applications against CVE-2025-55182. It helps organizations identify potential security issues in their React Server Components (RSC) implementations.
### What is CVE-2025-55182?
CVE-2025-55182 is a security issue affecting certain versions of Next.js framework. This tool helps security teams:
- Identify affected Next.js installations
- Verify patch status
- Assess security posture
- Document findings for remediation
## โจ Features
### Security Assessment
| Feature | Description |
|---------|-------------|
| ๐ฏ **Targeted Testing** | Precise vulnerability assessment |
| ๐ก๏ธ **Safety Checks** | Built-in protections for sensitive domains |
| ๐ **Proxy Support** | Route through SOCKS5/HTTP proxies |
| ๐ **Detailed Reports** | Comprehensive assessment results |
| ๐ฅ๏ธ **GUI Interface** | User-friendly Fyne-based interface |
### Built-in Safeguards
The tool includes responsible disclosure features:
```go
// Automatically blocks testing against:
// - Government domains (.gov)
// - Educational institutions (.edu)
// - Specific geographic regions
```
### Technical Capabilities
- **Protocol Support**: HTTP/HTTPS with configurable SSL verification
- **Proxy Options**: HTTP, HTTPS, SOCKS5 proxy support
- **Connection Handling**: Configurable timeouts and connection pooling
- **Encoding**: Unicode payload encoding for WAF testing
## ๐ Installation
## **For manual installation on Windows & macOS,**
follow the steps below. macOS users also have the option of using the convenient [DMG file](../../releases).
### Prerequisites
- Go 1.24 or higher
- Fyne dependencies (for GUI)
- Internet connection
### Building from Source
```bash
# Clone the repository
git clone https://github.com/ssmvl2/Nextjs-RCE-Exploit.git
cd Nextjs-RCE-Exploit
# Install dependencies
go mod download
# Build the application
go build -o nextjs-scanner .
# Run
./nextjs-scanner
```
### Cross-Platform Build
```bash
# Windows
GOOS=windows GOARCH=amd64 go build -o nextjs-scanner.exe .
# Linux
GOOS=linux GOARCH=amd64 go build -o nextjs-scanner-linux .
# macOS
GOOS=darwin GOARCH=amd64 go build -o nextjs-scanner-mac .
```
## ๐ Usage
### Launching the Application
```bash
./nextjs-scanner
```
### GUI Interface
The application provides an intuitive graphical interface:
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Next.js Security Assessment Tool โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Target URL: [https://example.com________________] โ
โ โ
โ โ Enable Proxy Proxy: [127.0.0.1:8080________] โ
โ โ Verify SSL Timeout: [30 seconds__________] โ
โ โ WAF Bypass Mode โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Assessment Log: โ โ
โ โ [2025-01-15 10:30:15] Starting assessment... โ โ
โ โ [2025-01-15 10:30:16] Connecting to target... โ โ
โ โ [2025-01-15 10:30:17] Analyzing response... โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ [ Start Assessment ] [ Generate Report ] โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
### Configuration Options
| Option | Description | Default |
|--------|-------------|---------|
| Target URL | Next.js application URL | Required |
| Enable Proxy | Route through proxy | Disabled |
| Verify SSL | Validate certificates | Enabled |
| Timeout | Request timeout | 30 seconds |
| WAF Bypass | Unicode encoding mode | Disabled |
## ๐๏ธ Architecture
### Project Structure
```
Nextjs-Security-Tool/
โโโ main.go # Application entry point & GUI
โโโ go.mod # Go module definition
โโโ go.sum # Dependency checksums
โโโ README.md # Documentation
```
### Core Components
```go
type RequestHandler struct {
httpClient *http.Client
requestTimeout time.Duration
sslVerify bool
browserAgent string
}
type PayloadResponse struct {
Success bool `json:"success"`
Result string `json:"result"`
Error string `json:"error,omitempty"`
}
```
### Dependencies
| Package | Purpose |
|---------|---------|
| `fyne.io/fyne/v2` | Cross-platform GUI framework |
| `net/http` | HTTP client functionality |
| `crypto/tls` | TLS/SSL support |
| `encoding/json` | JSON parsing |
## ๐ง Configuration
### Proxy Setup
```go
// HTTP Proxy
handler.ConfigureProxy(true, "http://127.0.0.1:8080")
// SOCKS5 Proxy
handler.ConfigureProxy(true, "socks5://127.0.0.1:1080")
```
### Custom User Agent
The tool uses a realistic browser user agent:
```
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
```
## ๐ Responsible Disclosure
If you discover security issues using this tool:
1. **Do not publicly disclose** until vendor is notified
2. **Report to the vendor** with detailed information
3. **Allow reasonable time** for patches (typically 90 days)
4. **Follow coordinated disclosure** practices
### Reporting Channels
- Next.js Security: security@vercel.com
- HackerOne Bug Bounty Programs
## ๐ก๏ธ Legal Notice
This tool is provided for educational and authorized security testing purposes only. Users are responsible for:
- Obtaining proper authorization before testing
- Complying with applicable laws and regulations
- Using the tool ethically and responsibly
- Any consequences resulting from misuse
The authors assume no liability for misuse of this software.
## ๐ค Contributing
Contributions are welcome for:
- Bug fixes
- Documentation improvements
- Safety feature enhancements
- UI/UX improvements
Please submit issues and pull requests through GitHub.
## ๐ License
This project is licensed under the MIT License. See [LICENSE](LICENSE) for details.
## ๐ References
- [CVE-2025-55182 Details](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Security Documentation](https://nextjs.org/docs/security)
- [React Server Components Security](https://react.dev/reference/rsc)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
---
Built for Security Professionals
๐ Test Responsibly ๐