This repository provides a demonstration of the CVE-2025-55182 vulnerability, which allows for remote code execution (RCE) in vulnerable Next.js applications.
References:
- CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182
- Related PoC: https://github.com/msanft/CVE-2025-55182
Warning
This demonstration is provided for security research, testing, and educational purposes only. Do not use it against systems for which you do not have explicit authorization.
Prerequisites
- Docker and Docker Compose installed and running.
- Python 3.8+ with
venvsupport.
Note
Run the commands from the root folder unless otherwise noted.
From the project root, run:
docker compose -f nextjs-target/compose.yml up --build -dBy default the application is served at http://localhost:3000.
-
Create and activate a Python virtual environment:
python3 -m venv .venv source .venv/bin/activate # macOS / Linux # .venv\Scripts\activate # Windows (PowerShell/CMD)
-
Install dependencies:
pip install -r requirements.txt
-
Run the PoC (replace
HOST/PORT/ENDPOINTas appropriate):python exploit.py --host 127.0.0.1 --port 3000 --endpoint /
Warning
The script demonstrates command execution against a vulnerable target. Use it only on systems where you have explicit permission to test.
Common commands to run on a permitted test target (examples only):
ls -la
envStop and remove containers:
docker compose -f nextjs-target/compose.yml down