Next.js / React

Next.js / React exploit

ko-fi

Find All Paths

Dev Tools - Console:

console.log(__BUILD_MANIFEST.sortedPages)

javascript​:console.log(__BUILD_MANIFEST.sortedPages.join('\n'));

React2Shell / NextRCE

CVE-2025-55182:

LogoGitHub - assetnote/react2shell-scanner: High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)GitHub
LogoGitHub - ynsmroztas/NextRce: React Shell & Next.js RSC Exploit Tool (CVE-2025-55182)GitHub

Safe probe for Flight parser error with Curl and without harmful execution.

Indicators of vulnerability:

  • Response Code = 500

  • Word "digest" appears in response body

Nuclei Template:

LogoReact Server Components - Remote Code ExecutionAI-Powered Template Generation and Scanning
LogoGitHub - BehiSecc/react2shell-nuclei-template: Nuclei template for detecting the React2Shell vulnerability.GitHub

RCE PoC:

Prototype Pollution

ppmap:

LogoGitHub - kleiton0x00/ppmap: A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.GitHub

SSRF

LogoDigging for SSRF in NextJS appswww.assetnote.io

Header Injection

CVE-2025-49826 - CPDos

Version < 15.1.8

Detected with HExHTTP

LogoGitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

CVE-2025-29927: Next.js Middleware Bypass

All versions before 14.2.25 and 15.2.3

  • Next.js 15.x should upgrade to 15.2.3

  • Next.js 14.x should upgrade to 14.2.25

  • Next.js 13.x should upgrade to 13.5.9

  • Next.js 12.x should upgrade to 12.3.5

LogoCVE-2025-29927: Next.js Middleware Bypass Vulnerability Explainedwww.picussecurity.com
LogoNext.js and the corrupt middleware: the authorizing artifactzhero_web_security
LogoGitHub - AnonKryptiQuz/NextSploit: NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.jsGitHub
LogoGitHub - c0dejump/CVE-2025-29927-check: script to check cve "CVE-2025-29927" while waiting to add it to HExHTTPGitHub

add the extra HTTP header x-middleware-subrequest: middleware

You can also try the header x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware if the previous payload doesn't work

LogoHow Hackers Exploit CVE-2025–29927 in Next.js Like a ProMedium

Cache Poisoning

LogoNext.js and cache poisoning: a quest for the black holezhero_web_security

DoS - Empty page

Add the x-middleware-prefetch header results in an empty JSON object {} as a response. If a CDN or caching system is present, this empty response can potentially be cached —depending on the cache rules configuration— rendering the targeted page impractical and its content inaccessible.

Display RSC Payload

Rsc: 1— was added to the cache-key via the Vary response header

DoS

Include x-invoke-status: 888 as a header

Cache poisoning via race-condition

LogoEclipse on Next.js: Conditioned exploitation of an intended race-conditionzhero_web_security

Cache Poisoning to XSS - CVE-2024-46982

To be potentially affected all of the following must apply:

  • Next.js between 13.5.1 and 14.2.9

  • Using pages router

  • Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

LogoNext.js, cache, and chains: the stale elixirzhero_web_security

CVE-2024-34351

SSRF - Fixed in v14.1.1.

SSRF

CVE-2024-51479

https://github.com/wy876/POC/blob/main/Next/Next.js%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87(CVE-2024-51479).mdgithub.com

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fi

buymeacoffee

PreviousNavidromeNextNode.js

Last updated