## https://sploitus.com/exploit?id=D9ECB78A-1733-50C2-99FC-F297F9875D40
# monorepo-nextjs-npm-nested-versions - VULNERABLE (CVE-2025-66478)
This monorepo demonstrates how scanners using --depth=0 miss nested vulnerable versions in workspace subdirectories.
## Project Type
npm workspaces monorepo with nested versions - root has safe version, workspace has different version
## Test Case #4: Multiple Installed Versions
### The Problem
Security scanners often use `npm ls --depth=0` or similar commands to check dependencies.
This only shows top-level packages in `node_modules/`, missing nested versions in workspace subdirectories.
### Structure
```
node_modules/
โโโ next@15.5.7/ โ Top-level (found by scanner)
โโโ react@19.0.0/
โโโ react-dom@19.0.0/
โโโ workspace-a/
โโโ node_modules/
โโโ next@15.1.0/ โ Nested (MISSED by scanner)
โโโ react@19.0.0/
โโโ react-dom@19.0.0/
```
### Variant: CVE-2025-66478
#### Root Dependencies
```json
{
"nextVersion": "15.5.7",
"reactVersion": "19.0.0",
"reactDomVersion": "19.0.0"
}
```
#### Workspace-A Dependencies (nested)
```json
{
"nextVersion": "15.1.0",
"reactVersion": "19.0.0",
"reactDomVersion": "19.0.0"
}
```
### Vulnerable Variant
- **Root**: Has safe Next.js 15.5.7 (hoisted to top-level)
- **Workspace-A**: Has vulnerable Next.js 15.1.0 (nested in workspace-a/node_modules/)
- Scanners using `--depth=0` only see the root version and report false negative!
## Testing
To check for vulnerabilities:
```bash
npm test
```
To apply fixes:
```bash
npm run fix
```
## Setup
```bash
npm install
npm run dev
```
Then open [http://localhost:3000](http://localhost:3000) with your browser.
## Workspace Commands
- `npm run dev --workspace=workspace-a` - Run dev server
- `npm run build --workspace=workspace-a` - Build production bundle
- `npm ls --all` - Show all dependencies (including nested)
- `npm ls --depth=0` - Show only top-level (what scanners typically use)
## Why This Test Case Matters
This scenario is particularly dangerous because:
1. **False Sense of Security**: Scanners report no vulnerabilities
2. **Production Impact**: The vulnerable code actually runs in the application
3. **Common in Monorepos**: Many teams use npm workspaces with different version requirements
4. **Easy to Miss**: Developers don't typically inspect nested node_modules directories
The fix-react2shell-next tool must scan ALL installed versions, not just top-level packages.