CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source

https://github.com/amalpvatayam67/day10-nextjs-middleware-lab

Associated Vulnerability

Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Description

Next.js middleware auth-bypass lab (CVE-2025-29927 simulation)

Readme

# Day 10 — Next.js middleware auth-bypass lab (CVE-2025-29927 simulation)

**Important:** Educational lab only. Run locally in Docker.

Quickstart:

```bash
npm i
# build (from repo root with files above)
docker build -t day10-nextjs-lab .

# run
docker run --rm -d -p 8080:3000 --name day10 day10-nextjs-lab

```

Open http://localhost:8080

File Snapshot


 [4.0K]  /data/pocs/84c19a8f234314bf05c398ee76ba090fbbcd5f76
├── [ 396]  DISCLAIMER.md
├── [ 979]  Dockerfile
├── [ 385]  entrypoint.sh
├── [ 746]  exploit.sh
├── [ 993]  middleware.js
├── [ 140]  next.config.js
├── [ 294]  package.json
├── [4.0K]  pages
│   ├── [ 870]  admin.js
│   ├── [4.0K]  api
│   │   └── [ 495]  flag.js
│   ├── [ 185]  _app.js
│   ├── [1.0K]  index.js
│   └── [ 799]  login.js
├── [ 344]  README.md
└── [4.0K]  styles
    └── [ 939]  globals.css

3 directories, 14 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!