Share
## https://sploitus.com/exploit?id=C602E5A1-D28E-534D-BCE7-186F5C933224
# Next.js RSC RCE Exploit Tool (CVE-2025-55182)

![](https://socialify.git.cihttps://socialify.git.ci/se1zer/Nextjs_Exploit_Tool/image?description=1&forks=1&name=1&owner=1&stargazers=1&theme=Light)

---

## Project Overview

CVE-2025-55182 is a high-risk vulnerability present in the Next.js server-side components (RSC). Attackers can exploit this vulnerability by constructing special `multipart/form-data` requests and forged RSC response blocks, thereby inducing the server to execute arbitrary JavaScript code. Ultimately, remote command execution is achieved through `process.mainModule.require('child_process')`. This project encapsulates this vulnerability exploitation chain as a graphical desktop tool, reducing the testing costs for security researchers in authorized testing environments. It includes:

- Automatic arithmetic probe detection
- Synchronous/asynchronous command execution (with/without output)
- Arbitrary JavaScript code execution
- Remote file reading, writing, and directory listing
- Dynamic loading of Node modules
- Unicode / UTF-16 / AES payload obfuscation to evade common WAF detections
- Support for HTTP / HTTPS / SOCKS5 proxies

---

## Quick Start

### 1. Clone the repository

```bash
git clone Nextjs_Exploit_Tool
cd Nextjs_Exploit_Tool
```

### 2. Build the production package

```bash
wails build
```

The built artifacts are located in `build/bin/`:
- macOS: `NextjsExploitTool.app`
- Windows: `NextjsExploitTool.exe`
- Linux: `NextjsExploitTool`

### 3. Cross-compile

```bash
# Windows (cross-compiled from macOS/Linux)
GOOS=windows wails build

# Linux (cross-compiled from macOS, requires mingw-w64)
GOOS=linux wails build
```

> Before cross-compiling, configure the C toolchain for the target platform. See the Wails documentation for details. ---

## Home Page

![usage](image/usage.png)

---

## Disclaimer

This project is intended only for **authorized security testing, research, and educational demonstrations**. Users must comply with local laws and regulations, and must obtain explicit written permission from the owner of the target system. - It must not be used on unauthorized real targets.
- It must not be used to damage, invade, or affect the usability of others’ systems.
- The author assumes no responsibility for any consequences arising from the misuse of this tool.

Using this tool indicates that you have read and agreed to the above terms. If you are unsure whether your actions are legal, do not use it. ---

## License

This project is licensed for research and authorized testing purposes only.