## https://sploitus.com/exploit?id=7BE27D4E-3799-5AA0-B1BE-8928F48D85C5
# Next.js CVE Auto-Patcher
Automation tool written in Go to scan GitHub repositories, detect vulnerable Next.js versions (CVE-2025-66478), and automatically create Pull Requests with the specific security patch.
## ๐ Prerequisites
Make sure you have the following installed and configured in your environment:
1. **Go** (1.20 or higher)
2. **Git** (with SSH keys configured and loaded in the agent)
3. **GitHub CLI (`gh`)**
### Authentication
Before running the tool, you must be authenticated in the GitHub CLI:
```bash
gh auth login
# Select "SSH" as git protocol and "GitHub.com"
```
## ๐ Setup and Installation
1. **Clone this repository** (where you saved the `main.go` script):
```bash
git clone
cd auto-patcher
```
2. **Install Go dependencies**:
We need the `semver` library for intelligent version comparison.
```bash
go get github.com/Masterminds/semver/v3
go mod tidy
```
## โ๏ธ Configuration
Currently, configuration is done directly in the constants of the `main.go` file. Review these lines before running:
* **Target Repo List:** In the `main` function, edit the `gh` command if you want to limit the search to a specific organization or user:
```go
// main.go
cmd := exec.Command("gh", "repo", "list", "YOUR_ORG_OR_USER", "--limit", "100", ...)
```
* **PR Messages:**
```go
const (
TargetBranch = "fix/security-nextjs-cve"
PRTitle = "fix(deps): upgrade next.js to patch CVE-2025-66478"
)
```
## โถ๏ธ Usage
Simply run the main script:
```bash
go run main.go
```
### Execution Flow:
1. Lists repositories using `gh repo list`.
2. Clones each repository into a temporary folder (`/tmp/repo-fixer-*`).
3. Recursively searches for `package.json` files.
4. Compares the `next` version against the security rules table (SemVer).
5. If vulnerable, edits the `package.json` with the minimum required safe version.
6. Creates a branch, commits, pushes, and opens a Pull Request.
## โ ๏ธ Patching Logic (CVE-2025-66478)
The script applies strict rules to avoid breaking compatibility (doesn't update to *latest*, but to the safe patch of your minor version):
| Detected Version | Applied Patch |
| :--- | :--- |
| `15.0.x` | `^15.0.5` |
| `15.1.x` | `^15.1.9` |
| `15.2.x` | `^15.2.6` |
| ... | ... |
*Check `nextJsRules` in `main.go` for the complete list.*