82 lines
3.5 KiB
Bash
82 lines
3.5 KiB
Bash
#!/bin/bash
|
|
|
|
# 1. PRE-FLIGHT CHECK
|
|
if ! docker ps >/dev/null 2>&1; then
|
|
echo -e "\033[31m[ERROR]\033[0m Cannot connect to Docker daemon. Use 'sudo'."
|
|
exit 1
|
|
fi
|
|
|
|
# Counters
|
|
TOTAL_SCANNED=0
|
|
NODE_CONTAINERS=0
|
|
VULN_RCE=0 # React2Shell (RCE)
|
|
VULN_AUTH=0 # Middleware Bypass
|
|
|
|
echo "=============================================================================="
|
|
echo " Next.js & React Vulnerability Scanner (CVE-2025-55182 / 66478 / 29927) "
|
|
echo "=============================================================================="
|
|
echo "TARGET: RCE (Next.js 15+, React 19+) & Auth Bypass (Next.js <14.2.25)"
|
|
echo "------------------------------------------------------------------------------"
|
|
|
|
while IFS='|' read -r id name; do
|
|
((TOTAL_SCANNED++))
|
|
|
|
# 2. HEURISTIC: Is this a Node environment?
|
|
is_node=$(docker exec "$id" sh -c "test -f /app/package.json || test -f /usr/src/app/package.json || command -v node" 2>/dev/null && echo "yes" || echo "no")
|
|
|
|
if [ "$is_node" == "yes" ]; then
|
|
((NODE_CONTAINERS++))
|
|
|
|
# 3. VERSION EXTRACTION
|
|
# We try to grep versions from package.json output (more reliable than npm list in some containers)
|
|
# We read the file once to a variable to save docker exec calls
|
|
pkg_content=$(docker exec "$id" cat /app/package.json /usr/src/app/package.json 2>/dev/null)
|
|
|
|
# Extract versions using grep (matches "next": "^14.2.21" -> 14.2.21)
|
|
next_ver=$(echo "$pkg_content" | grep -Po '"next":\s*"\^?\K[0-9.]+' | head -n1)
|
|
react_ver=$(echo "$pkg_content" | grep -Po '"react":\s*"\^?\K[0-9.]+' | head -n1)
|
|
|
|
# 4. VULNERABILITY LOGIC
|
|
status=""
|
|
|
|
# CHECK 1: RCE (React2Shell) - Next.js 15+ OR React 19+
|
|
if [[ "$next_ver" =~ ^15\. ]] || [[ "$next_ver" =~ ^16\. ]] || [[ "$react_ver" =~ ^19\. ]]; then
|
|
status="\033[31m[CRITICAL RCE]\033[0m"
|
|
((VULN_RCE++))
|
|
|
|
# CHECK 2: Middleware Auth Bypass - Next.js 14.x < 14.2.25
|
|
# Logic: Starts with 14., and subversion comparison (simplified for bash)
|
|
elif [[ "$next_ver" =~ ^14\. ]]; then
|
|
# Extract minor and patch: 14.2.21 -> minor=2, patch=21
|
|
minor=$(echo "$next_ver" | cut -d. -f2)
|
|
patch=$(echo "$next_ver" | cut -d. -f3)
|
|
|
|
# Vulnerable if 14.0.x - 14.1.x OR (14.2.x AND patch < 25)
|
|
if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 25 ]; }; then
|
|
status="\033[33m[HIGH AUTH BYPASS]\033[0m"
|
|
((VULN_AUTH++))
|
|
else
|
|
status="\033[32m[SAFE]\033[0m"
|
|
fi
|
|
|
|
elif [[ ! -z "$next_ver" ]]; then
|
|
status="\033[32m[SAFE]\033[0m" # Older versions (13, 12) usually safe from these specific CVEs
|
|
fi
|
|
|
|
# 5. OUTPUT
|
|
if [[ ! -z "$next_ver" ]]; then
|
|
echo -e "$status $name"
|
|
echo -e " Next.js: $next_ver | React: ${react_ver:-Unknown}"
|
|
fi
|
|
fi
|
|
done < <(docker ps --format '{{.ID}}|{{.Names}}')
|
|
|
|
echo "=============================================================================="
|
|
echo "SCAN SUMMARY"
|
|
echo "------------------------------------------------------------------------------"
|
|
echo "Containers Scanned: $TOTAL_SCANNED"
|
|
echo "Node Environments: $NODE_CONTAINERS"
|
|
echo "RCE Vulnerable: $VULN_RCE (React2Shell)"
|
|
echo "Auth Vulnerable: $VULN_AUTH (Middleware Bypass)"
|
|
echo "=============================================================================="
|