This repository contains a Proof of Concept (PoC) for reproducing and researching the Next.js CVE-2025-66478 vulnerability. It consists of a vulnerable Next.js application and a Python exploit script to test the vulnerability.
This is a Remote Code Execution (RCE) vulnerability occurring in the processing of Next.js Server Actions.
Key Highlights:
- Root Cause: Insecure Deserialization within the RSC (React Server Components) Flight protocol.
- Attack Vector: Prototype Pollution via the `__proto__` property.
| Item | Description |
|---|---|
| CVE ID | CVE-2025-66478 |
| Type | Remote Code Execution (RCE) |
| Root Cause | Insecure Deserialization in RSC Flight Protocol |
| Severity (CVSS) | 10.0 (Critical) |
| Impact | Arbitrary system command execution on the server |
Attack Flow:
- Payload Transmission: The attacker crafts a payload using the React Flight serialization format, injecting properties like `__proto__`.
- Insecure Deserialization & Pollution: The server deserializes the payload without proper validation, leading to pollution of `Object.prototype`.
- Thenable Gadget: The pollution injects a `then` property into all objects. Next.js logic misidentifies these objects as Promises (Thenables).
- RCE Execution: When the server attempts to `await` this "fake Promise", the malicious JavaScript code injected into the `then` method is executed (e.g., `child_process.execSync`).
```mermaid
sequenceDiagram
    participant Attacker
    participant Server as Next.js Server
    Attacker->>Server: POST / (JSON with "__proto__": {"then": ...})
    Note right of Server: JSON Parsing Pollutes Object.prototype
    Server->>Server: Application Logic encounters an Object
    rect rgb(200, 150, 150)
        Note right of Server: "Thenable" Check Gadget
        Server->>Server: Checks: typeof obj.then === 'function'?
        Server-->>Server: YES (due to pollution)
    end
    Server->>Server: Await/Execute malicious .then()
    Note right of Server: Malicious JS Code Runs (RCE)
    Server-->>Attacker: Response (Action Redirect / Error info)
```
Consequently, as the server processes this manipulated Promise, it executes JavaScript code injected by the attacker, which can lead to system command execution. The included main.py is example code that reproduces this attack scenario.
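As an added defensive example (not code from this repository or from Next.js): a scanner that rejects JSON bodies carrying prototype-reaching keys before any deserialization or deep merge, and a thenable check that only honours an object's own `then`, so a polluted `Object.prototype` cannot turn a plain object into the "fake Promise" described above. Function names are assumed for illustration, not Next.js internals.

```javascript
// Added defensive example; names below are illustrative, not Next.js APIs.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and report every path whose key could reach
// Object.prototype during a naive recursive merge/assign.
function findPollutionKeys(value, path = "$", found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findPollutionKeys(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    // Object.entries only yields own enumerable keys, including an own
    // "__proto__" data property created by JSON.parse.
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) found.push(childPath);
      findPollutionKeys(child, childPath, found);
    }
  }
  return found;
}

// Parse a request body and refuse it if any key could pollute the prototype.
// JSON.parse itself only creates an own property named "__proto__"; the
// pollution happens when such data is later merged into other objects,
// so the body is rejected before it reaches that code.
function parseBodySafely(text) {
  const parsed = JSON.parse(text);
  const hits = findPollutionKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected body: prototype-reaching keys at ${hits.join(", ")}`);
  }
  return parsed;
}

// Thenable check that ignores inherited properties: a `then` injected into
// Object.prototype is not an own property, so plain objects stay non-thenable.
function isOwnThenable(obj) {
  return obj !== null && typeof obj === "object" &&
    Object.prototype.hasOwnProperty.call(obj, "then") &&
    typeof obj.then === "function";
}

module.exports = { findPollutionKeys, parseBodySafely, isOwnThenable };
```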
This vulnerability affects Next.js applications using the App Router.
- Affected:
  - Next.js 15.x
  - Next.js 16.x
  - Next.js 14.3.0-canary.77 and later (Canary releases)
- Not Affected:
  - Next.js 13.x
  - Next.js 14.x Stable releases
  - Pages Router only applications
  - Edge Runtime
Fixed Versions:
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
- 15.6.0-canary.58 (for PPR users)
- `next.js/`: Vulnerable Next.js web application example code.
- `exploit/`: Exploit execution script written in Python (`main.py`).
- Node.js: v18 or higher recommended.
- Python: v3.8 or higher recommended.
First, you need to run the target Next.js server.

- Navigate to the `next.js` directory:
  ```bash
  cd next.js
  ```
- Install dependencies:
  ```bash
  npm install   # You can also use yarn or pnpm.
  ```
- Start the development server:
  ```bash
  npm run dev
  ```

Verify that you can access `http://localhost:3000` via your browser.
Now you can test the vulnerability using the Python script.

- Navigate to the `exploit` directory from the project root:
  ```bash
  cd exploit
  ```
- (Optional) Using a virtual environment is recommended:
  ```bash
  python3 -m venv venv
  source venv/bin/activate   # For Windows: venv\Scripts\activate
  ```
- Install the necessary libraries. The `requests` module is required:
  ```bash
  pip install requests
  ```
- Run the script:
  ```bash
  python main.py
  ```

By default, it targets the local address (`http://localhost:3000`). To test a different address, use the `--url` option:
```bash
python main.py --url http://target-ip:3000
```
This code is provided for security research and educational purposes only. Using this tool against systems or networks without prior permission is illegal, and the user is solely responsible for any issues that arise from such use.