CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Readme
# Next.js CVE-2025-29927

This repository contains a proof of concept for the CVE-2025-29927 vulnerability in Next.js, where the internal header `x-middleware-subrequest` can be exploited to bypass middleware checks such as authentication.

# Affected Versions
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9

## Installation
> 🧪 This project was tested with **Next.js v13.4.19**.
1. Clone the repository:
```bash
git clone https://github.com/goncalocsousa1/CVE-2025-29927.git
cd CVE-2025-29927
```

2. Install dependencies:
```bash
npm install
```

## Running the Application

1. Start the development server:
```bash
npm run dev
```

2. Access the application in your browser:
```
http://localhost:3000
```
## How the website works

The application demonstrates a simple authentication system with a protected route that can be bypassed using the CVE-2025-29927 vulnerability. Here's how it works:

1. **Home Page (`/`)**
   - Displays a welcome message and a login button
   - When clicked, the login button sets a fake authentication cookie (`auth-token`)
   - After "logging in", users are redirected to the protected page

2. **Protected Page (`/protected`)**
   - Contains sensitive information that should only be accessible to authenticated users
   - Protected by middleware that checks for the presence of the `auth-token` cookie
   - Normally, unauthenticated users would be redirected to the home page

3. **Middleware Protection**
   - The middleware checks if the user has an `auth-token` cookie
   - If not authenticated and trying to access `/protected/*` routes, redirects to home page
   - This protection can be bypassed using the vulnerability

4. **Vulnerability Demonstration**
   - The application showcases how the `x-middleware-subrequest` header can be exploited
   - This allows attackers to bypass the middleware authentication check
   - Even without a valid `auth-token` cookie, attackers can access protected routes
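
The following is an added example, not the repository's `middleware.ts` or any other file from the project. It models the cookie check described above in plain TypeScript (no Next.js imports, so it runs stand-alone) and adds the control a defender wants alongside it: the protected route re-checks the `auth-token` cookie itself instead of trusting that middleware ran, so a request that skips middleware gets a 401 rather than the page. The cookie name comes from the README; the `Req`/`Res` shapes, the function names and the token value are assumptions constructed for the example, and header names are assumed to be lowercase.

```typescript
// Added example (not the repository's code): middleware cookie check plus a
// route-level re-check, so that bypassing middleware alone does not expose content.

type Req = { path: string; headers: Record<string, string> }; // header names lowercase
type Res = { status: number; location?: string; body?: string };

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// The check the README describes: presence of a non-empty auth-token cookie.
function isAuthenticated(req: Req): boolean {
  const token = parseCookies(req.headers["cookie"])["auth-token"];
  return typeof token === "string" && token.length > 0;
}

// Middleware layer: redirect unauthenticated users away from /protected/*.
function middleware(req: Req): Res {
  if (req.path.startsWith("/protected") && !isAuthenticated(req)) {
    return { status: 307, location: "/" };
  }
  return { status: 200 }; // pass through to the route
}

// Route handler for /protected. It does NOT assume middleware ran: the same
// check is repeated here, which is the defense-in-depth point of this example.
function protectedRoute(req: Req): Res {
  if (!isAuthenticated(req)) {
    return { status: 401, body: "unauthorized" };
  }
  return { status: 200, body: "sensitive content" };
}

// Simulates both execution paths: middleware then route (normal operation),
// and route only (what a middleware bypass amounts to from the route's view).
function serveRequest(req: Req, middlewareRuns: boolean): Res {
  if (middlewareRuns) {
    const mw = middleware(req);
    if (mw.status !== 200) return mw;
  }
  return protectedRoute(req);
}

// Constructed sample requests.
const anonymousReq: Req = { path: "/protected", headers: {} };
const loggedInReq: Req = {
  path: "/protected",
  headers: { cookie: "auth-token=constructed-token-123" },
};

console.log(serveRequest(anonymousReq, true));  // redirect to /
console.log(serveRequest(anonymousReq, false)); // 401, not the page
console.log(serveRequest(loggedInReq, false));  // 200 with content
```

The design choice is that middleware is treated as a convenience layer for redirects, while the route owns its own authorization decision; a middleware-only check is exactly the configuration the advisory text above describes as bypassable.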

## How to Exploit

This application includes a protected route at `/protected` that normally requires authentication. However, by using the header `x-middleware-subrequest: middleware` in a request like `curl -H "x-middleware-subrequest: middleware" http://localhost:3000/protected`, you can bypass the authentication check.

You can also reproduce this behavior using [Burp Suite](https://portswigger.net/burp/communitydownload) by intercepting the request and manually adding the header.

To try this with Burp Suite, open the `Proxy` tab and go to the `Intercept` sub-tab. Make sure `Intercept is On`, then click on **Open Browser** and navigate to the protected route: `http://localhost:3000/protected`.

![431362649-7957bf6a-06f4-4f71-935a-dc39e5400fe9](https://github.com/user-attachments/assets/6c8c0810-6030-430d-a543-93fb4357c645)

Burp Suite will capture the request to the protected route. From there, add the following header: `x-middleware-subrequest: middleware` (*highlighted in the screenshot above*). Finally, forward the request and access the protected route.


![image](https://github.com/user-attachments/assets/d6113a71-1a39-4305-8e37-d6a44e4077a7)


# Solution
Update to one of the following patched versions:
- Next.js 15.2.3 or higher
- Next.js 14.2.25 or higher
- Next.js 13.5.9 or higher
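
An added example, not part of the repository, covering the two checks a defender acts on from the advisory text at the top of this page and the Solution list above: whether a deployed `next` version falls in the affected ranges (1.11.4 and later, below the patched release of its line), and the advisory's workaround of refusing external requests that carry `x-middleware-subrequest` before they reach Next.js. The function names, the `Record` header shape and the sample header values are assumptions constructed here; treating majors newer than 15 as unaffected is also an assumption, since the advisory lists fixes only up to 15.2.3.

```typescript
// Added example (not the project's code): affected-version check and the
// advisory's header-filtering workaround, for use at a reverse proxy or edge.

// Patched release of each line, from the advisory. Everything from 1.11.4 up
// to the 12.x fix is one range, so majors below 12 are compared against 12.3.5.
const PATCHED: Record<number, string> = {
  12: "12.3.5",
  13: "13.5.9",
  14: "14.2.25",
  15: "15.2.3",
};
const FIRST_AFFECTED = "1.11.4";

// Accepts "13.4.19", "^13.4.19", "v13.4.19" or "13.4.19-canary.1".
function parseVersion(v: string): number[] {
  const core = v.replace(/^[\^~=v]*/, "").split("-")[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unrecognised version: ${v}`);
  }
  return parts;
}

function cmp(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given Next.js version is inside an affected range.
function isAffectedNextVersion(version: string): boolean {
  const v = parseVersion(version);
  if (cmp(v, parseVersion(FIRST_AFFECTED)) < 0) return false;
  if (v[0] <= 12) return cmp(v, parseVersion(PATCHED[12])) < 0;
  const patched = PATCHED[v[0]];
  // Assumption: majors without a listed fix (16+) postdate the patch.
  return patched !== undefined && cmp(v, parseVersion(patched)) < 0;
}

// Workaround from the advisory: external requests must not deliver the
// internal x-middleware-subrequest header. Returns whether the request may
// pass as-is and a copy of the headers with that header removed, so the
// caller can choose between rejecting the request and stripping the header.
function filterExternalRequest(
  headers: Record<string, string>,
): { allowed: boolean; headers: Record<string, string> } {
  const clean: Record<string, string> = {};
  let found = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "x-middleware-subrequest") {
      found = true; // header names are case-insensitive, so compare lowercased
      continue;
    }
    clean[name] = value;
  }
  return { allowed: !found, headers: clean };
}

// Constructed samples: the README's test version and one external request
// carrying the internal header.
console.log("13.4.19 affected:", isAffectedNextVersion("13.4.19"));
console.log("15.2.3 affected:", isAffectedNextVersion("15.2.3"));
console.log(filterExternalRequest({ host: "app.example", "X-Middleware-Subrequest": "x" }));
```

Strip-or-reject is a policy decision for the proxy layer; either one satisfies the advisory's workaround, and neither replaces upgrading to a patched release.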

# Sources
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
File Snapshot

```
[4.0K] /data/pocs/017d0dd5f73669dd87e4b1060fd6393edcd05908
├── [4.0K] app
│   ├── [  59] globals.css
│   ├── [ 341] layout.tsx
│   ├── [ 943] page.tsx
│   └── [4.0K] protected
│       └── [1013] page.tsx
├── [ 438] middleware.ts
├── [ 134] next.config.js
├── [ 201] next-env.d.ts
├── [ 540] package.json
├── [ 71K] package-lock.json
├── [  82] postcss.config.js
├── [3.4K] README.md
├── [ 253] tailwind.config.js
└── [ 595] tsconfig.json

2 directories, 13 files
```