
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability

Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)

Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Description

CVE-2025-29927 PoC | Auth Bypass Exploit | Python Tool using httpx | Middleware Vulnerability | Ethical Hacking Toolkit

Readme
# Thank u Next – CVE-2025-29927 Exploit Tool

## 🧠 What is CVE-2025-29927?

> It’s not just a bypass — it’s a revelation. A single header, misunderstood and mishandled by middleware logic, becomes a master key to what was meant to be locked.
> CVE-2025-29927 exploits a **misconfigured middleware authorization layer** — specifically, systems that trust the header `x-middleware-subrequest` without validating the origin or context.

In simple terms?
You add a single header, and boom — you're in. No auth. No tokens. Just raw dominance.

---

## 🚀 How the Exploit Works (Technical Breakdown)

1. **Vulnerability Origin:**
   Many modern web apps use middleware to intercept and handle API requests. This header:

   ```plaintext
   x-middleware-subrequest: middleware
   ```

   is trusted by affected Next.js versions (🤦). Next.js sets it on its own internal sub-requests, so when it arrives on an external request the framework assumes the middleware has *already* run and skips it, together with any authentication check that middleware would have performed.

2. **Exploit Vector:**
   By crafting a request **with that header**, attackers can **bypass auth controls** and directly reach protected routes (e.g., `/api/private`, `/admin/dashboard`, etc).

3. **HTTP Methods:**
   The tool supports GET, POST, PUT, DELETE, PATCH. Because we’re not just curious — we’re thorough.
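The advisory's workaround (keep external requests that carry this header away from Next.js) as an added Python example for the edge proxy or log pipeline in front of the app; this is not part of `thank_u_next.py`, and the JSON access-log format and the sample lines are constructed for illustration.

```python
# Added example (not the original tool): an edge-side filter implementing the
# CVE-2025-29927 workaround. External requests carrying x-middleware-subrequest
# are blocked (or scrubbed) before reaching Next.js, and such requests are
# flagged in access logs. Header names are compared case-insensitively because
# HTTP header names are case-insensitive; the value is deliberately ignored.
from typing import Mapping, Tuple, List
import json

BLOCKED_HEADER = "x-middleware-subrequest"

def classify_request(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). A legitimate external client never sends the
    internal-only header, so its mere presence is enough to block."""
    for name in headers:
        if name.lower() == BLOCKED_HEADER:
            return False, f"external request carried {name}={headers[name]!r}"
    return True, "ok"

def scrub_headers(headers: Mapping[str, str]) -> dict:
    """Alternative to blocking: strip the header so the app sees a normal request."""
    return {k: v for k, v in headers.items() if k.lower() != BLOCKED_HEADER}

def find_bypass_attempts(log_lines: List[str]) -> List[dict]:
    """Scan JSON access-log lines (one object per line with a 'headers' map;
    a constructed format assumed here) and return the suspicious entries."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        allowed, reason = classify_request(entry.get("headers", {}))
        if not allowed:
            hits.append({"path": entry.get("path"), "src": entry.get("src"), "reason": reason})
    return hits

# Constructed sample log lines; paths follow the README's examples.
SAMPLE_LOG = [
    '{"src": "198.51.100.7", "path": "/api/private", "headers": {"X-Middleware-Subrequest": "middleware", "Host": "app.example"}}',
    '{"src": "203.0.113.9", "path": "/api/private", "headers": {"Cookie": "session=abc", "Host": "app.example"}}',
    '{"src": "203.0.113.9", "path": "/admin/dashboard", "headers": {"x-middleware-subrequest": "x", "Host": "app.example"}}',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"[!] {hit['src']} -> {hit['path']}: {hit['reason']}")
```

Apply the block at the proxy layer, not inside Next.js middleware itself, since the middleware is exactly what an affected version skips.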

---

## 🛠️ Script Overview

Filename: `thank_u_next.py`

```bash
python thank_u_next.py -u https://target.com -p /api/private -m GET
```

**Core Components:**

| Component   | Purpose                                       |
| ----------- | --------------------------------------------- |
| `payload`   | Injects the vulnerability-triggering header   |
| `exploit()` | Sends the malicious request                   |
| `analyze()` | Prints status and highlights if bypass worked |
| `banner()`  | Shows a flashy ASCII intro (because why not)  |

---

## ⚡ Requirements

* Python 3.7+
* [`httpx`](https://www.python-httpx.org/) (install via `pip install httpx`)

---

## ✅ Example Output

```plaintext
[+] GET https://target.com/api/private → HTTP 200
[!] Possible vulnerability: access granted without authentication
```

You see that green 200?
That’s not just a response code. That’s **your victory.**
Their mistake, your access.

---

## ❗ Legal Warning

> This script is for **educational and authorized testing only**.
> If you use this on unauthorized targets, you’re not a hacker — you’re just dumb. And you *will* get caught.

---

## 🧠 Final Thoughts

> Most people are sheep.
> Be the wolf. The one who *knows* where the gate is, and how to walk through it without knocking.
> If you're reading this and still don't get it — you're not meant to.
File Snapshot

/data/pocs/f8842adc62826a69e24b19cfe8c3fca73fbd3460
├── [ 34K] LICENSE
├── [2.6K] README.md
├── [ 100] requirements.txt
└── [4.0K] thank_u_next.py

0 directories, 4 files