## https://sploitus.com/exploit?id=7A33DE31-570B-5C3A-8277-57835B665A3A
# CVE-2025-66478 Exploit PoC
This repository contains proof-of-concept (PoC) code for reproducing and researching the Next.js CVE-2025-66478 vulnerability. It includes a vulnerable Next.js application and a Node.js exploit script for testing the vulnerability.
English · [中文](./README_CN.md)
## What is CVE-2025-66478?
This is a **Remote Code Execution (RCE)** vulnerability that occurs during Next.js Server Actions processing.
**Key Points:**
- **Root Cause**: **Insecure deserialization** in the RSC (React Server Components) Flight protocol.
- **Attack Vector**: **Prototype pollution** via the `__proto__` property.
### Vulnerability Summary
| Item | Description |
| :----------------- | :------------------------------------------------- |
| **CVE ID** | CVE-2025-66478 |
| **Type** | Remote Code Execution (RCE) |
| **Root Cause** | Insecure deserialization in RSC Flight protocol |
| **Severity (CVSS)**| 10.0 (Critical) |
| **Impact** | Arbitrary system command execution on the server |
### Attack Mechanism (Technical Details)
1. **Payload Delivery**: The attacker crafts a payload using the React Flight serialization format, injecting properties like `__proto__`.
2. **Insecure Deserialization & Pollution**: The server deserializes the payload without proper validation, resulting in `Object.prototype` being polluted.
3. **Thenable Exploitation Chain**: The pollution injects a `then` property into all objects. Next.js logic incorrectly identifies these objects as **Promises (Thenables)**.
4. **RCE Execution**: When the server attempts to `await` this "fake Promise", the malicious JavaScript code injected into the `then` method is executed (e.g., `child_process.execSync`).
```mermaid
sequenceDiagram
participant Attacker as Attacker
participant Server as Next.js Server
Attacker->>Server: POST / (JSON with "__proto__": {"then": ...})
Note right of Server: JSON parsing pollutes Object.prototype
Server->>Server: Application logic encounters an object
rect rgb(200, 150, 150)
Note right of Server: "Thenable" check exploitation chain
Server->>Server: Check: typeof obj.then === 'function'?
Server-->>Server: Yes (due to pollution)
end
Server->>Server: Await/execute malicious .then()
Note right of Server: Malicious JS code runs (RCE)
Server-->>Attacker: Response (Action redirect / Error message)
```
Therefore, when the server processes this manipulated `Promise`, it executes the `JavaScript` code injected by the attacker, which can lead to system command execution. The included `main.mjs` is example code for reproducing this attack scenario.
## Affected Versions
This vulnerability affects Next.js applications using the **App Router**.
- **Affected Versions**:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later (Canary releases)
- **Unaffected Versions**:
- Next.js 13.x
- Next.js 14.x stable versions
- Applications using only Pages Router
- Edge Runtime
**Patched Versions**:
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
- 15.6.0-canary.58 (for PPR users)
## References
- [Next.js Security Advisories](https://github.com/vercel/next.js/security/advisories)
- [NVD - CVE-2025-66478](https://nvd.nist.gov/vuln/detail/CVE-2025-66478)
- [Python - CVE-2025-66478](https://github.com/namest504/CVE-2025-66478-Exploit-Poc)
## File Structure
- `app/page.tsx`: Sample code for the vulnerable application.
- `exploit.mjs`: Exploit execution script written in Node.js.
## Prerequisites
- **Node.js**: v24 or later recommended.
---
## 1. Running the Next.js Application
```bash
# You can also use yarn or npm.
pnpm install
pnpm dev
```
Verify that you can access `http://localhost:3000` via your browser.
## 2. Running the Exploit Script
```bash
pnpm exploit
```
By default, it targets the local address (`http://localhost:3000`). To test a different address, use the `--url` option:
```bash
pnpm exploit --url http://target-ip:3000
```
## Disclaimer
This code is intended for security research and educational purposes only. Using this tool against systems or networks without prior permission is illegal, and users bear full responsibility for any issues arising from such use.