Share
## https://sploitus.com/exploit?id=7BE27D4E-3799-5AA0-B1BE-8928F48D85C5
# Next.js CVE Auto-Patcher

Automation tool written in Go to scan GitHub repositories, detect vulnerable Next.js versions (CVE-2025-66478), and automatically create Pull Requests with the specific security patch.

## ๐Ÿ“‹ Prerequisites

Make sure you have the following installed and configured in your environment:

1.  **Go** (1.20 or higher)
2.  **Git** (with SSH keys configured and loaded in the agent)
3.  **GitHub CLI (`gh`)**

### Authentication

Before running the tool, you must be authenticated in the GitHub CLI:

```bash
gh auth login
# Select "SSH" as git protocol and "GitHub.com"
```

## ๐Ÿš€ Setup and Installation

1.  **Clone this repository** (where you saved the `main.go` script):

    ```bash
    git clone 
    cd auto-patcher
    ```

2.  **Install Go dependencies**:
    We need the `semver` library for intelligent version comparison.

    ```bash
    go get github.com/Masterminds/semver/v3
    go mod tidy
    ```

## โš™๏ธ Configuration

Currently, configuration is done directly in the constants of the `main.go` file. Review these lines before running:

  * **Target Repo List:** In the `main` function, edit the `gh` command if you want to limit the search to a specific organization or user:
    ```go
    // main.go
    cmd := exec.Command("gh", "repo", "list", "YOUR_ORG_OR_USER", "--limit", "100", ...)
    ```
  * **PR Messages:**
    ```go
    const (
        TargetBranch = "fix/security-nextjs-cve"
        PRTitle      = "fix(deps): upgrade next.js to patch CVE-2025-66478"
    )
    ```

## โ–ถ๏ธ Usage

Simply run the main script:

```bash
go run main.go
```

### Execution Flow:

1.  Lists repositories using `gh repo list`.
2.  Clones each repository into a temporary folder (`/tmp/repo-fixer-*`).
3.  Recursively searches for `package.json` files.
4.  Compares the `next` version against the security rules table (SemVer).
5.  If vulnerable, edits the `package.json` with the minimum required safe version.
6.  Creates a branch, commits, pushes, and opens a Pull Request.

## โš ๏ธ Patching Logic (CVE-2025-66478)

The script applies strict rules to avoid breaking compatibility (doesn't update to *latest*, but to the safe patch of your minor version):

| Detected Version | Applied Patch |
| :--- | :--- |
| `15.0.x` | `^15.0.5` |
| `15.1.x` | `^15.1.9` |
| `15.2.x` | `^15.2.6` |
| ... | ... |

*Check `nextJsRules` in `main.go` for the complete list.*