Share
## https://sploitus.com/exploit?id=CEDEA686-C278-503E-8134-88080E9143D8
# CVE-2025-55182 Exploitation Tool
A comprehensive security research tool for testing Next.js React Server Components Remote Code Execution vulnerability (CVE-2025-55182).
## Overview
This toolkit provides automated detection and exploitation capabilities for CVE-2025-55182, a critical RCE vulnerability affecting Next.js applications using React Server Components. The toolkit consists of three integrated components:
- **NextApp.py** - Intelligent Next.js application fingerprinting scanner
- **exploit.sh** - Flexible exploitation tool for single or bulk targets
- **auto_exploit.sh** - End-to-end automated scanning and exploitation orchestrator
## Features
- **Multi-layered Detection**: Header analysis, body scanning, and JavaScript fingerprinting
- **Confidence Scoring**: Intelligent classification (High/Medium/Low) to minimize false positives
- **WAF Bypass**: Built-in techniques to evade common web application firewalls
- **Bulk Scanning**: Process multiple targets efficiently with detailed reporting
- **Automated Workflow**: One-command detection and exploitation
- **Detailed Reporting**: Comprehensive output files with categorized results
## Requirements
### Python Components
- Python 3.x
- `requests` library
```bash
pip3 install requests
```
### Bash Components
- curl
- openssl
- Standard Unix utilities (sed, grep, awk, mktemp)
## Installation
```bash
git clone https://github.com/yourusername/CVE-2025-55182-poc-tool.git
cd CVE-2025-55182-poc-tool
chmod +x exploit.sh auto_exploit.sh
```
## Usage
### Quick Start (Recommended)
The fastest way to scan and exploit targets:
```bash
# Create a file with target URLs (one per line)
echo "https://example.com" > targets.txt
# Auto-scan and exploit in one command
./auto_exploit.sh -i targets.txt -s -c "id"
```
### Detection Only
Identify Next.js applications without exploitation:
```bash
python3 NextApp.py targets.txt
```
**Output files:**
- `confirmed_nextjs_targets.txt` - All detected Next.js applications
- `high_confidence_nextjs_targets.txt` - High-confidence detections only
### Single Target Exploitation
Test individual targets:
```bash
# Basic exploitation
./exploit.sh -d https://target.com -c "whoami"
# With WAF bypass
./exploit.sh -d target.com -c "cat /etc/passwd" -w
# Custom WAF bypass size
./exploit.sh -d target.com -c "ls -la" --waf-bypass --waf-size 256
# Skip SSL verification
./exploit.sh -d https://target.com -c "id" -k
```
### Bulk Exploitation
#### Option 1: Unified Workflow (Recommended)
```bash
./auto_exploit.sh -i targets.txt -s -c "whoami"
```
#### Option 2: Two-Step Manual Workflow
```bash
# Step 1: Detect Next.js applications
python3 NextApp.py targets.txt
# Step 2: Exploit confirmed targets
./auto_exploit.sh -c "id"
```
### Advanced Options
```bash
# Full auto-scan with WAF bypass
./auto_exploit.sh -i targets.txt -s -w --waf-size 256 -c "whoami"
# Custom delays and timeouts
./auto_exploit.sh -i targets.txt -s --delay 5 --timeout 30 -c "id"
# Skip SSL verification in bulk mode
./auto_exploit.sh -i targets.txt -s -k -c "hostname"
```
## Command Reference
### NextApp.py
```bash
python3 NextApp.py
```
**Arguments:**
- `targets_file` - Text file containing target URLs (one per line)
### exploit.sh
```bash
./exploit.sh [OPTIONS]
```
**Options:**
| Option | Description | Default |
|--------|-------------|---------|
| `-d, --domain` | Target domain/URL | http://localhost:3000 |
| `-f, --file` | File with target list | - |
| `-c, --command` | Command to execute | id |
| `-w, --waf-bypass` | Enable WAF bypass | Disabled |
| `--waf-size SIZE` | WAF bypass data size (KB) | 128 |
| `--timeout SECONDS` | Request timeout | 15 |
| `-k, --insecure` | Skip SSL verification | Disabled |
| `--user-agent AGENT` | Custom User-Agent | Mozilla/5.0... |
| `-h, --help` | Show help message | - |
### auto_exploit.sh
```bash
./auto_exploit.sh [OPTIONS]
```
**Options:**
| Option | Description | Default |
|--------|-------------|---------|
| `-i, --input FILE` | Input targets file | confirmed_nextjs_targets.txt |
| `-o, --output FILE` | Output results file | exploit_results.txt |
| `-c, --command CMD` | Command to execute | id |
| `-w, --waf-bypass` | Enable WAF bypass | Disabled |
| `--waf-size SIZE` | WAF bypass size (KB) | 128 |
| `--timeout SECONDS` | Request timeout | 15 |
| `-k, --insecure` | Skip SSL verification | Disabled |
| `--delay SECONDS` | Delay between requests | 2 |
| `-s, --scan` | Auto-scan for Next.js first | Disabled |
| `-h, --help` | Show help message | - |
## Output Files
### confirmed_nextjs_targets.txt
Generated by `NextApp.py` - contains all URLs identified as Next.js applications.
### high_confidence_nextjs_targets.txt
Generated by `NextApp.py` - contains only high-confidence Next.js detections (100+ confidence score).
### exploit_results.txt
Generated by `auto_exploit.sh` - comprehensive exploitation report including:
- Vulnerable targets with command output
- Non-vulnerable targets
- Errors and their details
- Summary statistics
## Detection Methodology
The scanner uses multiple detection techniques with a confidence scoring system:
### Header Analysis (50 points each)
- Next.js specific headers: `x-nextjs-*`, `x-vercel-*`
- `x-powered-by: Next.js`
- Server: Vercel
### Body Scanning
- `__NEXT_DATA__` presence (100 points)
- Next.js buildId pattern (50 points)
- `_next/*` asset paths (25-75 points based on quantity)
### JavaScript Fingerprinting (60 points)
- `__NEXT_DATA__`, `__NEXT_LOADED_PAGES__`
- `middlewareManifest`, `self.__RSC_MANIFEST`
**Confidence Thresholds:**
- **High (100+)**: Multiple strong indicators
- **Medium (75-99)**: Several moderate indicators
- **Low (50-74)**: Minimal evidence
- **Below 50**: Rejected as false positive
## Exploitation Mechanism
The exploit leverages a prototype pollution chain in Next.js React Server Components:
1. Constructs multipart form data with nested payload
2. Pollutes `__proto__` chain via JSON deserialization
3. Injects arbitrary JavaScript into `_response._prefix`
4. Executes commands via `process.mainModule.require('child_process').execSync()`
5. Extracts results from `X-Action-Redirect` header
6. URL-decodes and formats output
## WAF Bypass Techniques
The toolkit includes built-in WAF bypass capabilities:
- **Junk Data Injection**: Prepends random data to bypass size-based filters
- **Dynamic Boundaries**: Randomized multipart boundaries
- **Request ID Randomization**: Unique IDs per request
- **Configurable Size**: Adjustable junk data size (default 128KB)
Enable with `-w` or `--waf-bypass` flags.
## Examples
### Scan and Exploit Web Application
```bash
# Create target list
cat > targets.txt << EOF
https://app.example.com
https://dashboard.example.com
https://admin.example.com
EOF
# Run unified scan
./auto_exploit.sh -i targets.txt -s -c "whoami"
# Check results
cat exploit_results.txt
```
### Test Single Target with WAF Bypass
```bash
./exploit.sh -d https://target.com -c "cat /etc/passwd" -w --waf-size 256
```
### High-Confidence Targets Only
```bash
# Step 1: Detect and filter
python3 NextApp.py targets.txt
# Step 2: Exploit high-confidence only
./auto_exploit.sh -i high_confidence_nextjs_targets.txt -c "id"
```
## Legal Disclaimer
This tool is intended for authorized security testing and research purposes only. Users must:
- โ
Obtain explicit written permission before testing any systems
- โ
Use only in authorized penetration testing engagements
- โ
Comply with all applicable laws and regulations
- โ
Use for defensive security research and CTF competitions
**Unauthorized access to computer systems is illegal.** The authors assume no liability for misuse of this tool.
## Vulnerability Information
- **CVE ID**: CVE-2025-55182
- **Affected**: Next.js React Server Components
- **Type**: Remote Code Execution (RCE)
- **Severity**: Critical
## Credits
Thanks to the security researchers who discovered and disclosed this vulnerability:
- @zack0x01
- @infosec_au
- @pdiscoveryio
## Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Commit your changes
4. Submit a pull request
## Support
For issues, questions, or feature requests, please open an issue on GitHub.
## License
This project is provided for educational and authorized security testing purposes. Use responsibly and ethically.