
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source

Associated Vulnerability

Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)

Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
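The interim mitigation in the advisory (keep external requests that carry `x-middleware-subrequest` away from the application) is usually applied at a reverse proxy in front of Next.js. The following is an added example, not code from the PoC repository or from Next.js: a Node.js filter that drops the header from inbound requests regardless of its value, logs that it did so, and an audit helper that flags such requests in captured traffic. The middleware shape (`req`, `res`, `next`) and the sample requests are assumptions for illustration.

```javascript
// Added example (not part of the PoC repository or of Next.js): reverse-proxy-side
// filter implementing the advisory's interim mitigation for CVE-2025-29927.
// Header names are matched case-insensitively; the value is irrelevant, the
// header is never legitimate when it arrives from an external client.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Returns a copy of `headers` without the blocked header, plus whether it was
// present. Node lowercases incoming header names, but header objects built
// elsewhere (other proxies, captured traffic) may not, hence toLowerCase().
function stripMiddlewareSubrequest(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      stripped = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Express/Connect-style middleware for a hypothetical Node proxy in front of
// the app: sanitize the request, record the attempt with the client address so
// it is visible in proxy logs, then hand the request on to the proxying handler.
function middlewareSubrequestFilter(req, res, next) {
  const { headers, stripped } = stripMiddlewareSubrequest(req.headers);
  if (stripped) {
    const client = (req.socket && req.socket.remoteAddress) || 'unknown';
    console.warn(`[CVE-2025-29927] dropped ${BLOCKED_HEADER} from ${client} ${req.method} ${req.url}`);
  }
  req.headers = headers;
  next();
}

// Audit helper for captured traffic: returns "METHOD url" for every request
// descriptor ({ method, url, headers }) that carried the header.
function auditRequests(requests) {
  return requests
    .filter((r) => stripMiddlewareSubrequest(r.headers).stripped)
    .map((r) => `${r.method} ${r.url}`);
}

// Constructed sample traffic (not real logs): two ordinary requests and one
// carrying the header under a mixed-case name with an arbitrary value.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/dashboard', headers: { host: 'app.example', cookie: 'token=abc' } },
  { method: 'GET', url: '/api/auth/me', headers: { Host: 'app.example', 'X-Middleware-Subrequest': 'example-value' } },
  { method: 'POST', url: '/api/auth/login', headers: { host: 'app.example', 'content-type': 'application/json' } },
];

// Runs the audit over the sample traffic and returns the flagged requests.
function demo() {
  const flagged = auditRequests(SAMPLE_REQUESTS);
  console.log('flagged:', flagged); // ['GET /api/auth/me']
  return flagged;
}

demo();
```

The filter is a stopgap only: it protects a single ingress path, so any route that reaches the application without passing through the proxy remains exposed, and upgrading to a fixed version (12.3.5, 13.5.9, 14.2.25, or 15.2.3) is the actual remediation.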
Readme
# Man-in-the-middle

This application is named Man-in-the-middle because it contains a vulnerability in Next.js middleware, and the flag is served by the API route behind it.

---

## 🚀 Production Setup

### 1. `.env.production`

```env
DATABASE_URL=postgresql://postgres:password@db:5432/nextauth
JWT_SECRET=your-production-secret
```

### 2. Build and Start

```bash
docker compose up --build -d
```

---

## 🛠️ Development Setup

### 1. Clone the Repository

```bash
git clone <your-repo-url>
cd <your-project-folder>
```

### 2. Install Dependencies

```bash
npm install
```

### 3. Set Up PostgreSQL (Development)

Create a separate `docker-compose.dev.yml` for dev:

```yaml
version: "3.8"

services:
  db:
    image: postgres:16
    restart: always
    environment:
      POSTGRES_USER: devuser
      POSTGRES_PASSWORD: devpass
      POSTGRES_DB: devdb
    volumes:
      - devdata:/var/lib/postgresql/data
    ports:
      - "5433:5432"

volumes:
  devdata:
```

Then run it:

```bash
docker compose -f docker-compose.dev.yml up -d
```

### 4. Create `.env`

```env
DATABASE_URL=postgresql://devuser:devpass@localhost:5433/devdb
JWT_SECRET=dev-secret
```

### 5. Prisma Setup

```bash
npx prisma generate
npx prisma migrate dev --name init
npx tsx prisma/seed.ts
```

### 6. Start Dev Server

```bash
npm run dev
```

App: [http://localhost:3000](http://localhost:3000)

---

## 🧪 Testing

You can test login with the seeded admin user:

```
email: administrator@orion.xyz
password: adminSup3rS3cur3P@ssw0rd
```
File Snapshot

```text
[4.0K] /data/pocs/1464a52bb9068551256a185c08a7feaa0cce6b7f
├── [4.0K] components
│   ├── [2.3K] AuthForm.tsx
│   └── [1.3K] Navbar.tsx
├── [ 288] docker-compose.dev.yml
├── [ 618] docker-compose.yml
├── [ 223] docker-entrypoint.sh
├── [ 384] Dockerfile
├── [4.0K] hooks
│   └── [ 845] useUser.ts
├── [4.0K] lib
│   ├── [ 308] prisma.ts
│   └── [ 509] useAuth.ts
├── [1.5K] middleware.ts
├── [ 149] next.config.js
├── [ 213] next-env.d.ts
├── [ 864] package.json
├── [4.0K] pages
│   ├── [4.0K] api
│   │   └── [4.0K] auth
│   │       ├── [ 610] flag-is-here.ts
│   │       ├── [ 851] login.ts
│   │       ├── [ 335] logout.ts
│   │       ├── [ 445] me.ts
│   │       └── [ 596] register.ts
│   ├── [ 348] _app.tsx
│   ├── [ 602] dashboard.tsx
│   ├── [2.3K] index.tsx
│   ├── [ 908] login.tsx
│   ├── [ 930] register.tsx
│   └── [ 881] unauthorized.tsx
├── [ 48K] pnpm-lock.yaml
├── [  93] postcss.config.mjs
├── [4.0K] prisma
│   ├── [4.0K] migrations
│   │   ├── [4.0K] 20250730115250_init
│   │   │   └── [ 302] migration.sql
│   │   └── [ 128] migration_lock.toml
│   ├── [ 274] schema.prisma
│   └── [ 693] seed.ts
├── [1.5K] README.md
├── [4.0K] styles
│   └── [  23] globals.css
└── [ 718] tsconfig.json

10 directories, 33 files
```