Professional security assessment utility for Next.js applications
This tool is intended for authorized security testing and research purposes only.
- Use only on systems you own or have explicit permission to test
- For bug bounty programs with proper scope
- For security researchers and penetration testers
- Never use against systems without authorization
- Not for any malicious or illegal activities
By using this software, you agree to comply with all applicable laws and regulations.
This utility provides security professionals with a graphical interface for testing Next.js applications against CVE-2025-55182. It helps organizations identify potential security issues in their React Server Components (RSC) implementations.
CVE-2025-55182 is a security issue affecting certain versions of the Next.js framework. This tool helps security teams:
- Identify affected Next.js installations
- Verify patch status
- Assess security posture
- Document findings for remediation
| Feature | Description |
|---|---|
| Targeted Testing | Precise vulnerability assessment |
| Safety Checks | Built-in protections for sensitive domains |
| Proxy Support | Route through SOCKS5/HTTP proxies |
| Detailed Reports | Comprehensive assessment results |
| GUI Interface | User-friendly Fyne-based interface |
The tool includes responsible disclosure features:
```go
// Automatically blocks testing against:
// - Government domains (.gov)
// - Educational institutions (.edu)
// - Specific geographic regions
```

- Protocol Support: HTTP/HTTPS with configurable SSL verification
- Proxy Options: HTTP, HTTPS, SOCKS5 proxy support
- Connection Handling: Configurable timeouts and connection pooling
- Encoding: Unicode payload encoding for WAF testing
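The domain safety check described above (refusing .gov and .edu targets) comes down to a whole-label suffix match on the parsed hostname. The following is an added example written for this README, not the tool's own code: the `blockedZones` set and the `CheckTargetScope` name are assumptions, and it extends the README's two zones to their country-code forms (`gov.uk`, `edu.au`) while leaving literal IP addresses, which have no zone, to a separate allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Zones the scanner refuses to test: the README names .gov and .edu; this
// set is an assumption for the example, not the tool's own list.
var blockedZones = map[string]bool{"gov": true, "edu": true}

var ErrBlockedTarget = errors.New("target is in a blocked domain zone")

// CheckTargetScope returns the normalised hostname of rawURL if it may be
// tested. It matches whole DNS labels ("www.state.gov" is blocked,
// "gov.example.com" and "govtools.io" are not) and also the ccTLD form
// "www.gov.uk" / "uni.edu.au". Literal IPs have no zone and pass through.
func CheckTargetScope(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", errors.New("URL has no host")
	}
	if net.ParseIP(host) != nil {
		return host, nil // IP literals need a separate allowlist in a real tool
	}
	labels := strings.Split(host, ".")
	n := len(labels)
	if blockedZones[labels[n-1]] ||
		(n >= 2 && len(labels[n-1]) == 2 && blockedZones[labels[n-2]]) {
		return "", fmt.Errorf("%w: %s", ErrBlockedTarget, host)
	}
	return host, nil
}

func main() {
	for _, t := range []string{"https://www.example.com:8443/app", "https://example.gov", "http://portal.gov.uk"} {
		host, err := CheckTargetScope(t)
		fmt.Printf("%-36s -> host=%q err=%v\n", t, host, err)
	}
}
```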
- Go 1.24 or higher
- Fyne dependencies (for GUI)
- Internet connection
```bash
# Clone the repository
git clone https://github.com/tesweva/Nextjs-RCE-Exploit-Kit.git
cd Nextjs-RCE-Exploit-Kit

# Install dependencies
go mod download

# Build the application
go build -o nextjs-scanner .

# Run
./nextjs-scanner
```

```bash
# Windows
GOOS=windows GOARCH=amd64 go build -o nextjs-scanner.exe .

# Linux
GOOS=linux GOARCH=amd64 go build -o nextjs-scanner-linux .

# macOS
GOOS=darwin GOARCH=amd64 go build -o nextjs-scanner-mac .
```

```bash
./nextjs-scanner
```

The application provides an intuitive graphical interface:
```text
┌─────────────────────────────────────────────────────────────┐
│  Next.js Security Assessment Tool                           │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  Target URL: [https://example.com________________]          │
│                                                             │
│  ☐ Enable Proxy    Proxy:   [127.0.0.1:8080________]        │
│  ☐ Verify SSL      Timeout: [30 seconds__________]          │
│  ☐ WAF Bypass Mode                                          │
│                                                             │
│  ┌───────────────────────────────────────────────────────┐  │
│  │ Assessment Log:                                       │  │
│  │ [2025-01-15 10:30:15] Starting assessment...          │  │
│  │ [2025-01-15 10:30:16] Connecting to target...         │  │
│  │ [2025-01-15 10:30:17] Analyzing response...           │  │
│  └───────────────────────────────────────────────────────┘  │
│                                                             │
│         [ Start Assessment ]    [ Generate Report ]         │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
| Option | Description | Default |
|---|---|---|
| Target URL | Next.js application URL | Required |
| Enable Proxy | Route through proxy | Disabled |
| Verify SSL | Validate certificates | Enabled |
| Timeout | Request timeout | 30 seconds |
| WAF Bypass | Unicode encoding mode | Disabled |
```text
Nextjs-Security-Tool/
├── main.go      # Application entry point & GUI
├── go.mod       # Go module definition
├── go.sum       # Dependency checksums
└── README.md    # Documentation
```
```go
type RequestHandler struct {
	httpClient     *http.Client
	requestTimeout time.Duration
	sslVerify      bool
	browserAgent   string
}

type PayloadResponse struct {
	Success bool   `json:"success"`
	Result  string `json:"result"`
	Error   string `json:"error,omitempty"`
}
```

| Package | Purpose |
|---|---|
| fyne.io/fyne/v2 | Cross-platform GUI framework |
| net/http | HTTP client functionality |
| crypto/tls | TLS/SSL support |
| encoding/json | JSON parsing |
```go
// HTTP Proxy
handler.ConfigureProxy(true, "http://127.0.0.1:8080")

// SOCKS5 Proxy
handler.ConfigureProxy(true, "socks5://127.0.0.1:1080")
```

The tool uses a realistic browser user agent:

```text
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
```
If you discover security issues using this tool:
- Do not publicly disclose until the vendor is notified
- Report to the vendor with detailed information
- Allow reasonable time for patches (typically 90 days)
- Follow coordinated disclosure practices
- Next.js Security: security@vercel.com
- HackerOne Bug Bounty Programs
This tool is provided for educational and authorized security testing purposes only. Users are responsible for:
- Obtaining proper authorization before testing
- Complying with applicable laws and regulations
- Using the tool ethically and responsibly
- Any consequences resulting from misuse
The authors assume no liability for misuse of this software.
Contributions are welcome for:
- Bug fixes
- Documentation improvements
- Safety feature enhancements
- UI/UX improvements
Please submit issues and pull requests through GitHub.
This project is licensed under the MIT License. See LICENSE for details.
- CVE-2025-55182 Details
- Next.js Security Documentation
- React Server Components Security
- OWASP Testing Guide
Built for Security Professionals
Test Responsibly