Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/EQSTLab/CVE-2025-29927
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Next.js middleware bypass exploit
Readme
# CVE-2025-29927
★ CVE-2025-29927 Next.js middleware bypass PoC ★



## Description
CVE-2025-29927 : Next.js middleware bypass PoC
description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

## Lab setup
```
cd next15
docker build --tag nextjs .
docker run -p 3000:3000 -it --rm nextjs
```
![image](https://github.com/user-attachments/assets/32398f35-ec80-4551-9ada-bd5238d6b5c1)


## How to use

### Git clone
```
git clone https://github.com/EQSTLab/CVE-2025-29927.git
cd CVE-2025-29927
```
### Command
```sh
chmod +x poc.sh
./poc.sh
```
### Output
![image](https://github.com/user-attachments/assets/c922ac5b-a1da-464a-ba6c-8fc5c52f8f61)
![image](https://github.com/user-attachments/assets/06198ea3-9f9c-48fb-af9e-bfe2aeea92c3)
File Snapshot

 [4.0K]  /data/pocs/af100a2ee9c98a9853b2d856a96b41205b9da62d
├── [4.0K]  next15
│   ├── [ 101]  Dockerfile
│   ├── [ 508]  middleware.ts
│   ├── [ 158]  next.config.ts
│   ├── [ 213]  next-env.d.ts
│   ├── [ 467]  package.json
│   ├── [ 79K]  package-lock.json
│   ├── [4.0K]  pages
│   │   ├── [3.6K]  admin.tsx
│   │   ├── [ 181]  _app.tsx
│   │   ├── [ 257]  _document.tsx
│   │   └── [1.5K]  index.tsx
│   ├── [ 135]  postcss.config.mjs
│   ├── [4.0K]  public
│   │   ├── [398K]  cafebene.png
│   │   ├── [412K]  drunkmess.png
│   │   ├── [ 11K]  eqst.png
│   │   ├── [ 25K]  favicon.ico
│   │   ├── [419K]  gigachad.png
│   │   ├── [418K]  musac.png
│   │   ├── [1.3K]  next.svg
│   │   ├── [406K]  sleepy.png
│   │   ├── [266K]  sorrow.png
│   │   ├── [ 128]  vercel.svg
│   │   └── [318K]  WageSlave.png
│   ├── [1.9K]  README.md
│   ├── [4.0K]  styles
│   │   └── [ 345]  globals.css
│   ├── [ 381]  tailwind.config.ts
│   └── [ 512]  tsconfig.json
├── [ 171]  poc.sh
└── [1.2K]  README.md

4 directories, 28 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →