A toolkit designed for studying how misconfigurations or insecure patterns in Next.js applications can lead to severe vulnerabilities such as Remote Code Execution (RCE).
This repository is provided solely for educational, research, and defensive security purposes.
- Do NOT use any security-related techniques from this project on systems you do not own or do not have explicit, written permission to test.
- The authors do not support or condone malicious use.
- All examples are designed for local, isolated test environments only.
Misuse may violate local, national, or international laws.
- Node.js (LTS)
- pnpm / npm / yarn
- A safe local testing environment (Docker recommended)
git clone https://github.com/yourname/NextJS-RCE-exploit-kit.git
cd NextJS-RCE-exploit-kitnpm install
npm run dev This launches local-only demo cases showing insecure patterns and how they should be fixed.
-
Disable or strictly control eval(), Function(), or dynamic imports.
-
Sanitize all user-controlled input used in server-side routes.
-
Avoid exposing sensitive data through getServerSideProps.
-
Use code linting and security scanning tools.
-
Keep Next.js and dependencies updated.
-
More details are in the /mitigations/ directory.
Distributed under the MIT License for educational purposes. By using this project, you agree to follow all applicable laws and ethical guidelines.
Contributions that improve defense, detection, or secure coding are welcome.