Share
## https://sploitus.com/exploit?id=CB2A3751-7173-5517-A17A-B8AE41A7876D
# CVE-2025-55182 Batch Detection Tool

An efficient batch detection tool for the Next.js prototype pollution vulnerability (CVE-2025-55182). ## Vulnerability Overview

CVE-2025-55182 is a prototype pollution vulnerability in the Next.js framework. Attackers can exploit this vulnerability by constructing malicious requests that execute arbitrary code through prototype pollution. This vulnerability affects applications using Next.js Server Actions. ## Features

- โœ… **Batch Detection** โ€“ Supports batch importing of assets for vulnerability detection
- โœ… **Multi-thread Concurrency** โ€“ Customizable thread count for efficient concurrent detection
- โœ… **Progress Display** โ€“ Real-time progress bar showing detection progress and vulnerability statistics
- โœ… **Multi-path Detection** โ€“ Automatically detects common paths like `/`, `/apps`, `/signin`
- โœ… **JSON Asset Support** โ€“ Supports reading JSON format asset files
- โœ… **Result Export** โ€“ Detection results are automatically exported to a file
- โœ… **Standalone Execution** โ€“ Can be packaged as an exe for standalone execution, no Python environment required

## Environment Requirements

- Python 3.8+
- Windows / Linux / macOS

## Installation

### Method 1: Run the Python script directly

```bash
# Clone the repository
git clone https://github.com/your-username/CVE-2025-55182.git
cd CVE-2025-55182

# Create a virtual environment
python -m venv venv

# Activate the virtual environment
# Windows:
venv\Scripts\activate
# Linux/macOS:
source venv/bin/activate

# Install dependencies
pip install requests tqdm

# Run the script
python CVE-2025-55182.py
```

### Method 2: Use the packaged exe

Simply download `dist/CVE-2025-55182.exe` and run it. ## Usage

### 1. Prepare asset files

Create a `zc` folder in the same directory as the program, and place the asset JSON files there. The asset file format is one JSON object per line:
```json
{"host":"https://example.com","link":"https://example.com","title":"Example"}
{"host":"https://test.com","link":"https://test.com","title":"Test"}
```

Supported asset fields:
- `link` โ€“ Full URL (required)
- `host` โ€“ Host name
- `title` โ€“ Website title
- `ip` โ€“ IP address
- `port` โ€“ Port number

### 2. Run the program

```bash
python CVE-2025-55182.py
```

Or run the packaged exe directly:
```bash
CVE-2025-55182.exe
```

### 3. Select asset files

After the program starts, it will list all JSON files in the `zc` directory:

```
============================================================
๐Ÿ” CVE-2025-55182 Vulnerability Batch Detection Tool
============================================================

============================================================
๐Ÿ“ Available asset files:
============================================================
 [1] asset1.json (128.5 KB)
 [2] asset2.json (256.3 KB)
============================================================

Please select the asset file number (Press Q to exit): 1
```

### 4. Set the number of threads

```
Current default thread count: 10
Please enter the number of threads (Press Enter to use the default value): 20
โœ… Thread count set to: 20
```

### 5. View detection results

```
Detection progress: 100%|โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ| 1000/1000 [05:30<00:00, 3.03 per second] Vulnerabilities = 5
โœ… Detection completed! Total time: 330.5 seconds
๐Ÿ“Š Total detections: 1000 | Found vulnerabilities: 5
๐Ÿ“„ Vulnerability results have been exported to: D:\work\vuln.txt
```

## Detection Mechanism

1. Construct a multipart/form-data request containing a prototype pollution payload
2. Send a POST request to multiple common paths
3. Check if the response headers contain a command execution result indicator
4. If present, it indicates a vulnerability exists

## Output File

Detection results are saved in the `vuln.txt` file in the same directory as the program. Each line contains a URL where a vulnerability exists:

```
https://vulnerable-site1.com/
https://vulnerable-site2.com/apps
https://vulnerable-site3.com/signin
```

## Configuration Parameters

The following parameters can be modified in the script:

| Parameter | Default Value | Description |
|----------|---------------|------------------|
| `DEFAULT_THREADS` | 10 | Default thread count |
| `ENUM_PATHS` | ["/", "/apps", "/signin"] | List of paths to detect |
| `VULN_FILE_PATH` | vuln.txt | File to export vulnerability results |

## Disclaimer

This tool is intended for security research and authorized testing purposes only. Using this tool for unauthorized testing is illegal. Users must bear all legal responsibilities. The author does not assume responsibility for any misuse. ## License

MIT License

## References

- [Details of CVE-2025-55182 vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories)