Overview
The Next.js RSC RCE Scanner is a command-line tool for developers and security professionals that checks Next.js applications for exposure to CVE-2025-66478. It fingerprints the Next.js version of each target in batch and reports whether that version is affected, without sending an exploit payload. Because the result is inferred from the reported version rather than from a confirmed code-execution path, treat a "vulnerable" result as exposure to be remediated and verified, not as proof of exploitability; a target that never loads the Next.js client runtime may also report no version at all.
Alongside the vulnerability status, the scanner returns the Next.js version each application runs, which makes it straightforward to prioritise upgrades across a fleet of deployments.
Features
- Batch Detection: Scan multiple Next.js applications simultaneously to identify their versions and vulnerability status, saving time and effort.
- Non-Exploitative: The scanner infers vulnerability status from the detected version and does not exploit the issue, so it is safe to run against production targets you are authorised to test.
- Automatic Browser Installation: Includes built-in support for downloading Chrome/Chromium, simplifying the setup process for users.
- Efficient Page Management: Utilizes a Page Pool system to manage concurrency, ensuring efficient handling of multiple scans.
- Version Parsing: Loads each target in the headless browser and executes JavaScript in the page to read the version the Next.js client runtime reports, rather than guessing from static markup.
- Detailed Outputs: Reports the detected version and vulnerability status per target, so affected deployments can be identified and prioritised for patching.
- Setup Guide for Vulnerable Environments: Detailed instructions for creating a test environment, allowing security professionals to validate the scanner’s functionality.
- License: Distributed under the MIT License. The tool is intended for security research and authorised testing only.
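The two pieces of logic behind the features above, version classification and a bounded page pool, as an added example in Node.js that is not the scanner's own code. The fixed-version list, the target URLs and the versions they report are constructed placeholders; `stubProbe` stands in for the browser step (a real probe would open the target in a headless page and evaluate `window.next && window.next.version`, which is where the Next.js client runtime exposes its version).

```javascript
// Added example, not the scanner's code. Two pieces of a version-based scanner:
//   1. parseVersion / compareVersions / classify: is a reported version below
//      the fixed release for its major.minor line?
//   2. runPool: bounded-concurrency pool, the pattern behind a "page pool",
//      driven by a stub probe so the whole thing runs offline.
// FIXED_VERSIONS_EXAMPLE is a hypothetical placeholder; take real fixed
// releases from the vendor advisory for the CVE you are scanning for.
const FIXED_VERSIONS_EXAMPLE = ["15.2.9", "16.0.5"];

// "15.0.0-canary.3" -> { nums: [15, 0, 0], pre: ["canary", 3] }
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(s).trim());
  if (!m) return null;
  const pre = m[4] ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver ordering: numeric fields first; a prerelease sorts before the matching
// release (15.2.9-canary.1 < 15.2.9); prerelease ids compare numerically when
// both are numbers, numeric ids sort before alphanumeric ones, else by string.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length) return -1;
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Compare a reported version with the fixed release of its own major.minor
// line. A line with no known fix is "unknown", not safe: missing data is not
// evidence of patching. An unparseable or absent version is "no-version".
function classify(versionString, fixedVersions) {
  const v = parseVersion(versionString);
  if (!v) return { status: "no-version", version: versionString };
  const fixed = fixedVersions
    .map(parseVersion)
    .find((f) => f && f.nums[0] === v.nums[0] && f.nums[1] === v.nums[1]);
  if (!fixed) return { status: "unknown", version: versionString };
  return { status: compareVersions(v, fixed) < 0 ? "vulnerable" : "patched", version: versionString };
}

// Bounded-concurrency pool: at most `size` probes in flight, results keep the
// order of `targets`, and a probe that throws records an error row instead of
// aborting the whole batch.
async function runPool(targets, size, probe) {
  const results = new Array(targets.length);
  let next = 0;
  async function worker() {
    while (next < targets.length) {
      const i = next++;
      try {
        results[i] = await probe(targets[i]);
      } catch (err) {
        results[i] = { target: targets[i], status: "error", error: String(err) };
      }
    }
  }
  await Promise.all(Array.from({ length: Math.min(size, targets.length) }, worker));
  return results;
}

// Constructed stand-in for the browser probe: a fixed table of what each
// hypothetical target would report from window.next.version.
const CONSTRUCTED_TARGETS = {
  "https://a.example": "15.2.8",
  "https://b.example": "16.0.5",
  "https://c.example": "15.2.9-canary.4",
  "https://d.example": undefined, // page does not load the Next.js client runtime
};
async function stubProbe(target) {
  if (!(target in CONSTRUCTED_TARGETS)) throw new Error("unreachable: " + target);
  return { target, ...classify(CONSTRUCTED_TARGETS[target], FIXED_VERSIONS_EXAMPLE) };
}

// Scan the constructed targets plus one unreachable host, two at a time.
async function scanAll() {
  const targets = Object.keys(CONSTRUCTED_TARGETS).concat("https://e.example");
  return runPool(targets, 2, stubProbe);
}

if (typeof require !== "undefined" && require.main === module) {
  scanAll().then((rows) =>
    rows.forEach((r) => console.log(r.status.padEnd(12), r.target, r.version || "")));
}
```

Run with `node scan.js`. The pool sizing is the knob that matters in practice: each slot in a real page pool is a live browser tab, so `size` bounds memory on the scanning host as much as it bounds request rate against the targets.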