CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
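
The mitigation in the description above (run a fixed release, and keep external requests that carry `x-middleware-subrequest` away from the application), as an added example that is not part of the original page or the CTF repository. The function names and the sample requests are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not from Next.js or the CTF repo.
const BLOCKED_HEADER = "x-middleware-subrequest";
// First fixed release of each release line, as listed in the description.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// True only when the version is at or above the fix for its release line.
// Unparsable input, pre-releases and lines with no listed fix count as unfixed.
function isFixedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) return false;
  const v = m.slice(1, 4).map(Number);
  if (v[0] > 15) return true; // later than the newest fixed line
  const fix = FIXED[v[0]];
  if (!fix) return false;
  for (let i = 0; i < 3; i++) if (v[i] !== fix[i]) return v[i] > fix[i];
  return true;
}

// Accepts a headers object (any key casing) or Node's flat rawHeaders array.
function carriesSubrequestHeader(headers) {
  const names = Array.isArray(headers)
    ? headers.filter((_, i) => i % 2 === 0)
    : Object.keys(headers || {});
  return names.some((n) => String(n).trim().toLowerCase() === BLOCKED_HEADER);
}

// Connect-style guard for a proxy or custom server in front of the app.
// Rejects instead of stripping so that attempts show up in access logs.
function blockSubrequestHeader(req, res, next) {
  if (carriesSubrequestHeader(req.rawHeaders || req.headers)) {
    res.statusCode = 403;
    res.end("Forbidden");
    return false;
  }
  if (next) next();
  return true;
}

// Constructed sample requests (header values are placeholders).
const samples = [
  { rawHeaders: ["Host", "ctf.local", "Cookie", "token=abc"] },
  { rawHeaders: ["Host", "ctf.local", "X-Middleware-Subrequest", "placeholder"] },
];
for (const req of samples) {
  const res = { statusCode: 200, end() {} };
  blockSubrequestHeader(req, res);
  console.log(req.rawHeaders.join(" "), "->", res.statusCode);
}
```

The guard only helps when it runs in a layer the client cannot skip, such as the reverse proxy or load balancer in front of the Next.js process.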
Readme
# Overview
After reading the write-up by @zhero___ on his personal blog, I decided to build this CTF to learn how things work, and after that I decided to share it with anybody who wants to learn how to exploit this vulnerability. Big shout-out to zhero & inzo_; you can find their blog post here: "https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware"

## Goal
You should bypass the middleware and find the flag on the admin page. You can also read the amazing Assetnote research, which helps you bypass it faster: "https://www.assetnote.io/resources/research/doing-the-due-diligence-analyzing-the-next-js-middleware-bypass-cve-2025-29927"

## Getting Started

1. Clone the repository:
```bash
git clone https://github.com/pouriam23/Next.js-Middleware-Bypass-CVE-2025-29927-.git
cd Next.js-Middleware-Bypass-CVE-2025-29927-
```

2. Install dependencies:
```bash
npm install
# or
yarn install
```

3. Set up environment variables:
Create a `.env` file in the root directory and add the following:
```env
DATABASE_URL="your-database-url"
JWT_SECRET="your-jwt-secret"
```

4. Initialize the database:
```bash
npx prisma generate
npx prisma db push
```

## Running the CTF

Development mode:
```bash
npm run dev
# or
yarn dev
```







File Snapshot

```
[4.0K]  /data/pocs/c3c01ea4a5d31361a0184dd0406786abef2907e3
├── [ 448]  components.json
├── [  91]  next.config.mjs
├── [ 228]  next-env.d.ts
├── [1.1K]  package.json
├── [229K]  package-lock.json
├── [ 135]  postcss.config.mjs
├── [4.0K]  prisma
│   ├── [4.0K]  migrations
│   │   ├── [4.0K]  20250420204712_init
│   │   │   └── [ 371]  migration.sql
│   │   └── [ 128]  migration_lock.toml
│   └── [ 623]  schema.prisma
├── [1.2K]  README.md
├── [4.0K]  src
│   ├── [4.0K]  app
│   │   ├── [4.0K]  admin
│   │   │   └── [ 646]  page.tsx
│   │   ├── [4.0K]  api
│   │   │   └── [4.0K]  auth
│   │   │       ├── [4.0K]  login
│   │   │       │   └── [1.5K]  route.ts
│   │   │       └── [4.0K]  register
│   │   │           └── [1.3K]  route.ts
│   │   ├── [4.0K]  dashboard
│   │   │   └── [2.5K]  page.tsx
│   │   ├── [ 25K]  favicon.ico
│   │   ├── [4.0K]  fonts
│   │   │   ├── [ 66K]  GeistMonoVF.woff
│   │   │   └── [ 65K]  GeistVF.woff
│   │   ├── [1.7K]  globals.css
│   │   ├── [ 742]  layout.tsx
│   │   ├── [4.0K]  login
│   │   │   └── [5.6K]  page.tsx
│   │   ├── [ 250]  page.tsx
│   │   └── [4.0K]  signup
│   │       └── [6.8K]  page.tsx
│   ├── [4.0K]  components
│   │   └── [4.0K]  ui
│   │       ├── [1.9K]  button.tsx
│   │       ├── [1.8K]  card.tsx
│   │       ├── [4.0K]  form.tsx
│   │       ├── [ 768]  input.tsx
│   │       └── [ 724]  label.tsx
│   ├── [4.0K]  generated
│   │   └── [4.0K]  prisma
│   │       ├── [  23]  client.d.ts
│   │       ├── [  36]  client.js
│   │       ├── [  23]  default.d.ts
│   │       ├── [  36]  default.js
│   │       ├── [  25]  edge.d.ts
│   │       ├── [7.0K]  edge.js
│   │       ├── [6.1K]  index-browser.js
│   │       ├── [ 69K]  index.d.ts
│   │       ├── [7.2K]  index.js
│   │       ├── [3.8K]  package.json
│   │       ├── [4.0K]  runtime
│   │       │   ├── [164K]  edge-esm.js
│   │       │   ├── [164K]  edge.js
│   │       │   ├── [ 11K]  index-browser.d.ts
│   │       │   ├── [ 34K]  index-browser.js
│   │       │   ├── [116K]  library.d.ts
│   │       │   ├── [196K]  library.js
│   │       │   ├── [177K]  react-native.js
│   │       │   └── [127K]  wasm.js
│   │       ├── [ 634]  schema.prisma
│   │       ├── [  23]  wasm.d.ts
│   │       └── [6.1K]  wasm.js
│   ├── [4.0K]  lib
│   │   ├── [1.6K]  auth.ts
│   │   ├── [ 166]  utils.ts
│   │   └── [4.0K]  validations
│   │       └── [1.3K]  auth.ts
│   └── [1.2K]  middleware.ts
├── [1.6K]  tailwind.config.ts
└── [ 578]  tsconfig.json

21 directories, 54 files
```