Share
## https://sploitus.com/exploit?id=D9ECB78A-1733-50C2-99FC-F297F9875D40
# monorepo-nextjs-npm-nested-versions - VULNERABLE (CVE-2025-66478)

This monorepo demonstrates how scanners using --depth=0 miss nested vulnerable versions in workspace subdirectories.

## Project Type
npm workspaces monorepo with nested versions - root has safe version, workspace has different version

## Test Case #4: Multiple Installed Versions

### The Problem
Security scanners often use `npm ls --depth=0` or similar commands to check dependencies.
This only shows top-level packages in `node_modules/`, missing nested versions in workspace subdirectories.

### Structure
```
node_modules/
โ”œโ”€โ”€ next@15.5.7/           โ† Top-level (found by scanner)
โ”œโ”€โ”€ react@19.0.0/
โ”œโ”€โ”€ react-dom@19.0.0/
โ””โ”€โ”€ workspace-a/
    โ””โ”€โ”€ node_modules/
        โ”œโ”€โ”€ next@15.1.0/   โ† Nested (MISSED by scanner)
        โ”œโ”€โ”€ react@19.0.0/
        โ””โ”€โ”€ react-dom@19.0.0/
```

### Variant: CVE-2025-66478

#### Root Dependencies
```json
{
  "nextVersion": "15.5.7",
  "reactVersion": "19.0.0",
  "reactDomVersion": "19.0.0"
}
```

#### Workspace-A Dependencies (nested)
```json
{
  "nextVersion": "15.1.0",
  "reactVersion": "19.0.0",
  "reactDomVersion": "19.0.0"
}
```

### Vulnerable Variant
- **Root**: Has safe Next.js 15.5.7 (hoisted to top-level)
- **Workspace-A**: Has vulnerable Next.js 15.1.0 (nested in workspace-a/node_modules/)
- Scanners using `--depth=0` only see the root version and report false negative!

## Testing

To check for vulnerabilities:
```bash
npm test
```

To apply fixes:
```bash
npm run fix
```

## Setup

```bash
npm install
npm run dev
```

Then open [http://localhost:3000](http://localhost:3000) with your browser.

## Workspace Commands

- `npm run dev --workspace=workspace-a` - Run dev server
- `npm run build --workspace=workspace-a` - Build production bundle
- `npm ls --all` - Show all dependencies (including nested)
- `npm ls --depth=0` - Show only top-level (what scanners typically use)

## Why This Test Case Matters

This scenario is particularly dangerous because:

1. **False Sense of Security**: Scanners report no vulnerabilities
2. **Production Impact**: The vulnerable code actually runs in the application
3. **Common in Monorepos**: Many teams use npm workspaces with different version requirements
4. **Easy to Miss**: Developers don't typically inspect nested node_modules directories

The fix-react2shell-next tool must scan ALL installed versions, not just top-level packages.