Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/tobiasGuta/CVE-2025-29927-POC
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Nuclei Template: CVE-2025-29927 - Next.js Middleware Authentication Bypass
Readme
# Nuclei Template: CVE-2025-29927 - Next.js Middleware Authentication Bypass
Description:
This Nuclei template detects CVE-2025-29927, a critical authentication bypass vulnerability in Next.js. The flaw allows attackers to bypass middleware-based authorization by adding a specific HTTP header (x-middleware-subrequest: middleware). This issue affects all Next.js versions before 14.2.25 and 15.2.3.

Read More: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

## How It Works
The template sends a GET request to the target URL with the malicious header.

If the response returns a 200 status code and contains protected content, the vulnerability is confirmed.

The extractor captures the response content for verification.

## Usage
Run the following command to test for the vulnerability:
```bash
nuclei -u http://10.10.137.3:3000/protected -t CVE-2025-29927.yaml
```
File Snapshot

 [4.0K]  /data/pocs/eb4f0ca11935e1d0e94ad52a6c58637443b7e9d7
├── [ 890]  CVE-2025-29927.yaml
└── [ 909]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →