Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Source
https://github.com/tobiasGuta/CVE-2025-29927-POC
Associated Vulnerability
Title:Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description:Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
Nuclei Template: CVE-2025-29927 - Next.js Middleware Authentication Bypass
Readme
# Nuclei Template: CVE-2025-29927 - Next.js Middleware Authentication Bypass
Description:
This Nuclei template detects CVE-2025-29927, a critical authentication bypass vulnerability in Next.js. The flaw allows attackers to bypass middleware-based authorization by adding a specific HTTP header (x-middleware-subrequest: middleware). This issue affects all Next.js versions before 14.2.25 and 15.2.3.

Read More: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

## How It Works
The template sends a GET request to the target URL with the malicious header.

If the response returns a 200 status code and contains protected content, the vulnerability is confirmed.

The extractor captures the response content for verification.

## Usage
Run the following command to test for the vulnerability:
```bash
nuclei -u http://10.10.137.3:3000/protected -t CVE-2025-29927.yaml
```
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →