Share
## https://sploitus.com/exploit?id=DF1C85B0-AA39-5198-82B0-66EE68AAD344
# Next.js RSC RCE Scanner (CVE-2025-66478)

A command-line scanner for batch detection of Next.js application versions and determining if they are affected by CVE-2025-66478 vulnerability.

## Vulnerability Description

https://nextjs.org/blog/CVE-2025-66478

## Features

- Uses go-rod for automated browser access to target websites
- Supports Page Pool for efficient concurrent scanning
- Automatically detects Next.js version (by executing `window.next.version`)
- Intelligently determines if version is affected by the vulnerability
- Supports reading URL lists from file, command line, or stdin pipe
- Configurable concurrency and timeout settings

## Installation

### Prerequisites
- Go 1.19 or higher
- Chrome/Chromium browser (go-rod will download automatically)

### Build
```bash
go build -o nextjs-rce-scanner
```

## Usage

### Basic Usage

**Read URL list from file:**
```bash
./nextjs-rce-scanner -file urls.txt
```

**Specify URLs directly:**
```bash
./nextjs-rce-scanner -urls "https://example.com,https://test.com"
```

**Read URLs from stdin (pipe):**
```bash
cat urls.txt | ./nextjs-rce-scanner
echo "https://example.com" | ./nextjs-rce-scanner
```

### Command Line Arguments

| Argument | Description | Default |
|----------|-------------|---------|
| `-file` | Path to URL list file (one URL per line) | - |
| `-urls` | Comma-separated URL list | - |
| `-c` | Concurrency level | 5 |
| `-headless` | Whether to use headless mode | true |
| `-timeout` | Page load timeout in seconds | 30 |

### Examples

**High concurrency scan (10 concurrent):**
```bash
./nextjs-rce-scanner -file urls.txt -c 10
```

**GUI mode (for debugging):**
```bash
./nextjs-rce-scanner -urls "https://example.com" -headless=false
```

**Custom timeout:**
```bash
./nextjs-rce-scanner -file urls.txt -timeout 60
```

**Pipe with filtering:**
```bash
# Filter and scan specific URLs
cat urls.txt | grep ".com" | ./nextjs-rce-scanner

# Combine with other Unix tools
cat urls.txt | head -10 | ./nextjs-rce-scanner -c 3
```

## URL File Format

Create a text file (e.g., `urls.txt`) with one URL per line:

```
https://example.com
https://test.com
https://app.example.org
# This is a comment, will be ignored
https://another-site.com
```

## Output Example

```
[*] Starting scan of 4 targets, concurrency: 5
-----------------------------------------------------------------------------------------------
URL                                           Status       Next.js Version    Vulnerability
-----------------------------------------------------------------------------------------------
https://nextjs.org                            200          16.0.2-canary.34   Vulnerable โš ๏ธ
https://vercel.com                            200          16.0.2-canary.34   Vulnerable โš ๏ธ
https://google.com                            200          Unknown            -
https://example-app.com                       200          14.2.5             Not Vulnerable
```

**Output Description:**
- **Status**: HTTP response status code (200=success, 404=not found, -=not obtained)
- **Next.js Version**: Detected version number, shows "Unknown" if not detected
- **Vulnerability**:
  - `Vulnerable โš ๏ธ` - Site is affected by CVE-2025-66478
  - `Not Vulnerable` - Site is not affected by this vulnerability
  - `-` - Next.js not detected or unable to determine

## How It Works

1. Uses go-rod to launch Chrome browser
2. Creates Page Pool to manage concurrency
3. Visits target URL and waits for page load
4. Executes JavaScript `window.next.version` to get version information
5. Parses version number and determines based on vulnerability scope
6. Outputs scan results

## Notes

- Scanner needs to access target websites, ensure you have proper authorization
- On first run, go-rod will automatically download Chromium (approximately 150MB)
- Adjust concurrency and timeout based on network conditions and target response speed
- Some websites may have anti-scraping mechanisms that could cause detection failures

## License

MIT License

## Disclaimer

This tool is for security research and authorized testing only. Using this tool to scan unauthorized targets may violate relevant laws and regulations. Users are responsible for any consequences.