
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Simulates CVE-2025-29927, a critical Next.js vulnerability allowing attackers to bypass middleware authorization by exploiting the internal x-middleware-subrequest HTTP header. Demonstrates unauthorized access to protected routes and provides mitigation strategies.
Readme
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
</head>
<body>

  <h1>CVE-2025-29927: Next.js Middleware Authorization Bypass Simulation</h1>

  <p>
    This repository demonstrates the exploitation of <strong>CVE-2025-29927</strong>, a critical vulnerability in Next.js that allows attackers to bypass middleware-based authorization checks. The flaw stems from improper handling of the internal <code>x-middleware-subrequest</code> HTTP header, enabling unauthorized access to protected routes.
  </p>

  <h2>⚠️ Disclaimer</h2>
  <p>
    This project is intended for educational and research purposes only. Unauthorized use against systems without explicit permission is illegal and unethical. The authors are not responsible for any misuse of this code.
  </p>

  <h2>📚 Background</h2>
  <p>
    <strong>CVE-2025-29927</strong> affects Next.js versions prior to:
  </p>
  <ul>
    <li>12.3.5</li>
    <li>13.5.9</li>
    <li>14.2.25</li>
    <li>15.2.3</li>
  </ul>
  <p>
    The vulnerability arises when an attacker includes the <code>x-middleware-subrequest</code> header in an HTTP request. Next.js interprets this header as an internal subrequest, causing it to skip middleware execution, including critical authorization checks.
  </p>

  <h2>🧪 Simulation Setup</h2>

  <h3>Prerequisites</h3>
  <ul>
    <li>Node.js (v14 or later)</li>
    <li>npm</li>
  </ul>

  <h3>Installation</h3>
  <ol>
    <li>Clone the repository:
      <pre><code>git clone https://github.com/Knotsecurity/CVE-2025-29927-NextJs-Middleware-Simulation.git
cd CVE-2025-29927-NextJs-Middleware-Simulation</code></pre>
    </li>
    <li>Install dependencies:
      <pre><code>npm install</code></pre>
    </li>
    <li>Start the development server:
      <pre><code>npm run dev</code></pre>
    </li>
  </ol>

  <h2>🔍 Vulnerability Demonstration</h2>

  <h3>Protected Route</h3>
  <p>
    The application includes a protected route at <code>/admin</code>, which is guarded by middleware that checks for user authentication.
  </p>

  <h3>Exploitation Steps</h3>
  <ol>
    <li>Access the <code>/login</code> page and log in with <code>user@example.com:password123</code>.</li>
    <li>Try to access the <code>/admin</code> page. You will get an unauthorized access error.</li>
    <li>Capture this request in Burp Suite and add the header <code>x-middleware-subrequest: middleware</code>, then send the request.</li>
    <li>You will observe that you now have access to the <code>/admin</code> page.</li>
  </ol>
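  <p>
    The bypass above leaves a clear trace: an external request that carries the internal <code>x-middleware-subrequest</code> header. The following detection script is an added example and is not part of this repository. It assumes a reverse proxy in front of Next.js that writes one JSON object per line including the request headers of interest; that log format and the sample lines are constructed for the example.
  </p>

```javascript
// Added example (not the repository's code): scan reverse-proxy access logs for
// external requests carrying the internal x-middleware-subrequest header.
// Assumption: the proxy logs one JSON object per line with ts, src, method, path,
// status and a headers map. The log format and the sample lines are constructed.

const SUSPICIOUS_HEADER = 'x-middleware-subrequest';

// Constructed sample log: a benign request, a blocked attempt (403), an attempt that
// reached the protected page with 200 (likely successful bypass), and a malformed line.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:01Z","src":"198.51.100.20","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-23T10:00:05Z","src":"203.0.113.7","method":"GET","path":"/admin","status":403,"headers":{"X-Middleware-Subrequest":"middleware","user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-03-23T10:00:09Z","src":"203.0.113.7","method":"GET","path":"/admin","status":200,"headers":{"x-middleware-subrequest":"middleware","user-agent":"curl/8.5.0"}}',
  'not json at all',
].join('\n');

// HTTP header names are case-insensitive, so a scanner that only matches the
// lowercase spelling would miss "X-Middleware-Subrequest".
function findHeader(headers, wanted) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Return one finding per request that carried the header. Severity is "bypass"
// when the request succeeded (2xx), otherwise "attempt" (blocked or errored).
function findBypassAttempts(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch (_) { continue; } // skip malformed lines
    const value = findHeader(entry.headers, SUSPICIOUS_HEADER);
    if (value === undefined) continue;
    findings.push({
      ts: entry.ts,
      src: entry.src,
      path: entry.path,
      status: entry.status,
      headerValue: value,
      severity: entry.status >= 200 && entry.status < 300 ? 'bypass' : 'attempt',
    });
  }
  return findings;
}

// Roll findings up per source address so a responder sees who was probing
// and whether any probe got through.
function summarizeBySource(findings) {
  const bySrc = {};
  for (const f of findings) {
    bySrc[f.src] = bySrc[f.src] || { attempts: 0, bypasses: 0 };
    if (f.severity === 'bypass') bySrc[f.src].bypasses += 1;
    else bySrc[f.src].attempts += 1;
  }
  return bySrc;
}

const findings = findBypassAttempts(SAMPLE_LOG);
console.log(findings);
console.log(summarizeBySource(findings));
```

  <p>
    Any occurrence of the header from outside the application is worth an alert, since legitimate browsers never send it; a 2xx on a protected path alongside it is the case to escalate.
  </p>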

  <h2>🛡️ Mitigation</h2>
  <p>To protect against this vulnerability:</p>
  <ol>
    <li><strong>Upgrade Next.js</strong> to a patched version:
      <pre><code>npm install next@latest</code></pre>
    </li>
    <li><strong>Filter Requests:</strong> Configure your server or proxy to reject requests containing the <code>x-middleware-subrequest</code> header.</li>
    <li><strong>Redundant Checks:</strong> Implement authorization checks within your route handlers, not solely in middleware.</li>
  </ol>
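  <p>
    Mitigations 2 and 3 can be shown together as plain Node.js functions. This is an added example, not code from this repository, and it runs without Next.js so the logic can be exercised directly. It assumes a hypothetical edge filter that runs before the application, an in-memory session table keyed by a <code>session</code> cookie (constructed), and that <code>/admin</code> requires the <code>admin</code> role.
  </p>

```javascript
// Added example (not the repository's code): two independent layers against
// CVE-2025-29927. Layer 1 rejects the internal header at the edge (mitigation 2);
// layer 2 makes the /admin handler check authorization itself rather than trusting
// that middleware ran (mitigation 3). Assumptions: the session table is constructed,
// and /admin requires the "admin" role.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Layer 1: edge filter. Header names are case-insensitive, so normalise before
// comparing; a filter matching only the lowercase form would be trivially evaded.
function edgeFilter(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      return { allowed: false, status: 400, reason: `forbidden header ${BLOCKED_HEADER}` };
    }
  }
  return { allowed: true };
}

// Constructed session store standing in for the app's real one.
const SESSIONS = {
  'sess-user-1': { email: 'user@example.com', role: 'user' },
  'sess-admin-1': { email: 'admin@example.com', role: 'admin' },
};

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Layer 2: the protected handler performs its own authentication and
// authorization checks. Even if middleware is skipped, this still runs.
function adminHandler(req) {
  const cookies = parseCookies(req.headers.cookie);
  const session = SESSIONS[cookies.session];
  if (!session) return { status: 401, body: 'unauthenticated' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: `welcome ${session.email}` };
}

// End-to-end pipeline: edge filter first, then routing to the handler.
function handleRequest(req) {
  const verdict = edgeFilter(req.headers);
  if (!verdict.allowed) return { status: verdict.status, body: verdict.reason };
  if (req.url === '/admin') return adminHandler(req);
  return { status: 404, body: 'not found' };
}

// Demonstration requests (constructed).
console.log(handleRequest({ url: '/admin', headers: { 'X-Middleware-Subrequest': 'middleware' } }));
console.log(handleRequest({ url: '/admin', headers: {} }));
console.log(handleRequest({ url: '/admin', headers: { cookie: 'session=sess-user-1' } }));
console.log(handleRequest({ url: '/admin', headers: { cookie: 'theme=dark; session=sess-admin-1' } }));
```

  <p>
    The two layers are deliberately independent: the edge filter stops the known bypass vector, and the handler-level check means that even a future way of skipping middleware would still meet an authorization decision at the route.
  </p>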

  <h2>📄 References</h2>
  <ul>
    <li><a href="https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw">Next.js Security Advisory</a></li>
    <li><a href="https://www.akamai.com/blog/security-research/march-authorization-bypass-critical-nextjs-detections-mitigations">Akamai Blog on CVE-2025-29927</a></li>
    <li><a href="https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/">Datadog Analysis</a></li>
  </ul>

  <h2>🧑‍💻 Author</h2>
  <p>
    <a href="https://github.com/sh311InP4r4diz3">Saikiran B</a>
  </p>
  
</body>
</html>
File Snapshot

[4.0K] /data/pocs/9abb8f2c8e85f4ac4fe7084444c10159668a398f
├── [ 717] middleware.js
├── [ 137] next.config.js
├── [ 438] package.json
├── [4.0K] pages
│   ├── [3.3K] admin.js
│   ├── [4.0K] api
│   │   └── [4.0K] auth
│   │       └── [1.7K] [...nextauth].js
│   ├── [ 251] _app.js
│   ├── [1.8K] index.js
│   ├── [2.4K] login.js
│   └── [2.1K] unauthorized.js
└── [3.6K] README.md

3 directories, 10 files