Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/6mile/nextjs-CVE-2025-29927
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
A Nuclei template to detect CVE-2025-29927 the Next.js authentication bypass vulnerability
Readme
# nextjs-CVE-2025-29927
A Nuclei template to detect CVE-2025-29927 the Next.js authentication bypass vulnerability. If you want to understand exactly how this vulnerability works, you can read the original researchers excellent article [here](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)

This template is pretty straight forward.  It does two things: First, it identifies that a website is using Next.js and then it tests to see if the target is utilizing middleware.  This template will identify when those two things both exist via HTTP headers.  However, its important to note that a positive match for both does NOT mean that the application is definitely vulnerable.  This template does not pass ```x-middleware-subrequest: true``` to test if the application is attackable.

## Install Nuclei
If you haven't used Nuclei before you can follow the instructions here: https://github.com/projectdiscovery/nuclei

## Using the nextjs-CVE-2025-29927 Nuclei template

```sh
nuclei -u https://example.com -t ./CVE-2025-29927-6mile.yaml -fr
```

![nextjs-CVE-2025-29927-pic](nextjs-CVE-2025-29927-pic.png)
![nextjs-CVE-2025-29927-pic2](nextjs-CVE-2025-29927-pic2.png)
File Snapshot

 [4.0K]  /data/pocs/886f20a8455e3ce2ddf90eb50db7f24dabd93156
├── [1.5K]  CVE-2025-29927-6mile.yaml
├── [264K]  nextjs-CVE-2025-29927-pic2.png
├── [405K]  nextjs-CVE-2025-29927-pic.png
└── [1.2K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →