
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description: PoC | NextJS Middleware 15.2.2 - Authorization Bypass
Readme
# CVE-2025-29927 - Next.js Middleware 15.2.2 - Authorization Bypass 

⚠️ Critical Authentication Bypass in NextJS Middleware  
🛠️ PoC implementation by @zs1n

---

## 💡 Overview

Next.js, a popular React-based web framework, has an authentication-bypass vulnerability affecting versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. It stems from improper trust in the `x-middleware-subrequest` header: a request that spoofs this header causes the middleware logic to be bypassed, so authentication and authorization checks enforced there never run and routes that should be protected become reachable.

---

## 🛠 Technical Breakdown

Next.js uses middleware to enforce security policies such as authentication and authorization before a request is routed. Because the framework blindly trusts the `x-middleware-subrequest` header, a spoofed copy of that header is handled as if the request were internal, so the middleware, and with it the authentication check, is effectively bypassed. Any network user can therefore view or reach routes that should not be permitted.

---

## 🔥 Vulnerable Header

`x-middleware-subrequest`: the header that Next.js trusts without validation

---

## 💥 Exploitation

An attacker can send a request with a spoofed `x-middleware-subrequest` header to impersonate an internal request.

---

## 🔬 Clone the repository onto your machine

```bash
git clone https://github.com/zs1n/CVE-2025-29927
```

### 🚀 Launching the Exploit

Run the exploit script CVE-2025-29927.py.

```bash
python3 CVE-2025-29927.py -u http://128.43.16.13/api/auth
```

## 📝 References

- [OffSec | CVE-2025-29927 Detail/Blog](https://www.offsec.com/blog/cve-2025-29927/)