
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Readme
# CVE-2025-29927: Next.js Middleware Bypass PoC

This repository contains a proof of concept (PoC) for CVE-2025-29927, a vulnerability in Next.js middleware that allows bypassing authentication and authorization checks through header manipulation.

## Vulnerability Details
**Affected Versions**: >= 11.1.4, <= 13.5.6, > 14.0.0, < 14.2.25, > 15.0.0, < 15.2.3  
**CVE ID**: CVE-2025-29927  
**Severity**: High (CVSS: 9.1)

The vulnerability exists in the middleware chain execution in Next.js, where an attacker can manipulate the `x-middleware-subrequest` header to bypass middleware security controls. By crafting a specific header value, the middleware can be tricked into treating the request as if it has already been processed, effectively bypassing authentication checks.

**This tool is tested on**: Next.js 15.0.0 through 15.2.2, other versions may require modifications.

## Tool Features

- Next.js version fingerprinting to identify vulnerable applications
- Configurable exploit parameters
- HTML response capture and analysis
- Success detection heuristics
- Interactive mode with user confirmation

## Requirements

Install dependencies with:

```bash
pip install -r requirements.txt
```

## Usage
### Basic usage
```bash
python poc-cve-2025-29927.py http://example.com/protected-route
```

### Command Line Options
<pre>
usage: poc-cve-2025-29927.py [-h] [-r REPEAT] [-o OUTPUT] [--no-browser] [-f] url

PoC for CVE-2025-29927 - Next.js Middleware Bypass

positional arguments:
  url                   Target URL to test (e.g., http://localhost:3000/admin/dashboard)

options:
  -h, --help            show this help message and exit
  -r REPEAT, --repeat REPEAT
                        Number of middleware repeats in header (default: 5)
  -o OUTPUT, --output OUTPUT
                        Output file name (default: response.html)
  --no-browser          Do not open result in browser
  -f, --force           Skip version check and force exploit attempt
</pre>
## Example
### Test with default settings
```bash
python poc-cve-2025-29927.py http://localhost:3000/admin/dashboard
```

### Force exploit without version checking
```bash
python poc-cve-2025-29927.py http://target-site.com/admin/dashboard -f
```

### Customize exploit parameters
```bash
python poc-cve-2025-29927.py http://vulnerable-app.com/protected-page -r 10 -o result.html --no-browser
```

## How It Works
1. The script first attempts to fingerprint the Next.js version of the target application using various detection methods.
2. If a vulnerable version is detected (15.0.0-15.2.2), it proceeds with the exploit.
3. A request is sent with a specially crafted `x-middleware-subrequest` header.
4. The response is saved to a file and analyzed for success indicators.
5. If successful, the protected content will be accessible without authentication.

## Mitigation  
If you're running a vulnerable version of Next.js, upgrade to version 15.2.3 or later to patch this vulnerability.
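As an added defensive helper (not code from this repository), the following Python applies the advisory text quoted above: it decides whether a reported Next.js version falls inside the affected ranges, strips the `x-middleware-subrequest` header from external requests (the advisory's workaround when patching is infeasible), and flags logged requests that carried the header. The sample log records are constructed and the header value in them is a redacted placeholder.

```python
import json
import re

# Affected-range boundaries from the advisory quoted above (lower bound 11.1.4 per this README):
# vulnerable from 11.1.4 up to, but excluding, the fixed release of each major line.
MIN_AFFECTED = (11, 1, 4)
FIXED_BY_MAJOR = {12: (12, 3, 5), 13: (13, 5, 9), 14: (14, 2, 25), 15: (15, 2, 3)}
HEADER = "x-middleware-subrequest"


def parse_version(version):
    """Return (major, minor, patch) from a string like '15.2.2' or 'v14.2.25'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the given Next.js version lies in an affected range of CVE-2025-29927."""
    v = parse_version(version)
    if v < MIN_AFFECTED or v[0] > 15:
        return False
    if v[0] == 11:
        return True  # no 11.x fix exists; the advisory's first fixed release is 12.3.5
    return v < FIXED_BY_MAJOR[v[0]]


def strip_subrequest_header(headers):
    """Return a copy of the request headers without x-middleware-subrequest (any case).
    Apply this at the proxy or edge so the header never reaches the Next.js app."""
    return {k: val for k, val in headers.items() if k.lower() != HEADER}


def flag_suspicious(log_lines):
    """Return the paths of logged requests that carried the header, for alerting."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if any(k.lower() == HEADER for k in rec.get("headers", {})):
            hits.append(rec["path"])
    return hits


# Constructed sample access-log records (JSON lines); the header value is a redacted placeholder.
SAMPLE_LOG = [
    '{"path": "/admin/dashboard", "headers": {"User-Agent": "curl/8.0", "X-Middleware-Subrequest": "<redacted>"}}',
    '{"path": "/", "headers": {"User-Agent": "Mozilla/5.0"}}',
]
```

Running `flag_suspicious(SAMPLE_LOG)` on the constructed records returns `['/admin/dashboard']`, and `is_vulnerable("15.2.2")` is true while `is_vulnerable("15.2.3")` is false.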

## Educational Purpose
This tool is provided for educational and security research purposes only. Use it only against applications you own or have explicit permission to test. Unauthorized testing may violate applicable laws.

## References
- Next.js Security Advisory
- CVE-2025-29927 Advisory
- Next.js GitHub Repository

## License
This project is licensed under the MIT License - see the LICENSE file for details.

Heimd411<br />
Security Researcher<br />
[GitHub Profile](https://github.com/Heimd411) <br />
[This Repository](https://github.com/Heimd411/CVE-2025-29927-PoC) <br />