CVE‑2025‑29927 POC: Next.js Middleware Authorization Bypass
This repository (MuhammadWaseem29/CVE‑2025‑29927‑POC) provides a Proof of Concept (PoC) for CVE‑2025‑29927, demonstrating how a specially crafted HTTP request can bypass middleware-based authorization in Next.js applications. Designed for educational and security‑research use only—testing without explicit consent is unethical and illegal.
📋 Table of Contents
- Prerequisites
- Vulnerability Overview
- PoC Walkthrough
- Built‑in Exploitation Logic
- Detection & Exploitation Template
- Affected Versions & Impact
- Mitigation Strategies
- Why It Matters
✅ Prerequisites
- A Next.js application using middleware for protecting routes
- An HTTP client (e.g. `curl`, Burp Suite, custom script)
- Understanding of HTTP headers, especially `x-middleware-subrequest`
🔍 Vulnerability Overview
- CVE‑2025‑29927 is a critical authorization bypass vulnerability in Next.js
- Attackers can bypass middleware security controls by adding a malicious `x-middleware-subrequest` header to HTTP requests
- Affected Next.js versions include:
  - 11.1.4 ≤ v < 12.3.5
  - 12.x < 12.3.5; 13.x < 13.5.9; 14.x < 14.2.25; 15.x < 15.2.3
🧪 PoC Walkthrough in the Repository
The PoC repository walks through two key steps:
Step 1: Initial Request (Unauthorized)
- Request to protected endpoint (e.g. `/dashboard`) without the custom header is redirected or denied.
Step 2: Modified Request (Authorization Bypassed)
- Same endpoint accessed with an `X-Middleware-Subrequest` header containing the middleware path (e.g. `middleware` or `src/middleware`).
- Access granted, demonstrating bypass of middleware logic
📝 Detection & Exploitation Template
A Nuclei template provided by ProjectDiscovery helps scan for CVE‑2025‑29927 automatically:
| Phase | Action |
|---|---|
| Detect Next.js | Request base URL; check for `_next/static` in response body. |
| Enumerate endpoints | Extract URLs via regex `href=['"](\/[^.\"']+)`. |
| Identify protected routes | Check for `x-middleware-rewrite`, `x-middleware-next`, or `x-middleware-redirect` headers in responses (non-200). |
| Attempt bypass | Resend with header `x-middleware-subrequest: middleware:middleware:…` |
| Validate bypass | If response status is 200, vulnerability is confirmed. |
Template applies to typical middleware naming conventions: `middleware`, `src/middleware`, or `pages/_middleware` for older versions.
⚠️ Impact & Affected Versions
Affected Next.js versions:
- Fixed in: Next.js 12.3.5, 13.5.9, 14.2.25, 15.2.3 and later
Potential impacts:
- Unauthorized access to protected routes
- Bypass of authentication, CSP enforcement, redirects
- Cache poisoning / DoS if middleware also handles localization or rewriting and an attacker forces error responses into the cache
🔧 Mitigation Strategies
- Upgrade Next.js to patched versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 and above
- Block or strip the `x-middleware-subrequest` header at:
  - Load balancer (e.g. AWS ELB, Cloudflare)
  - Web server (e.g. Nginx: `proxy_set_header x-middleware-subrequest "";`)
  - Custom front‑end middleware to remove the header before Next.js processes it
- Implement redundant authorization checks downstream of middleware logic.
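As an added example (not code from the PoC repository), here is a Node.js guard implementing the "strip the header in front‑end middleware" and alerting steps above; it assumes an Express‑style `(req, res, next)` handler exposing `req.headers`, `req.ip` and `req.url`, and the helper names `classifyRequest` / `stripBypassHeader` / `bypassHeaderGuard` are my own.

```javascript
// Defensive handling of the x-middleware-subrequest header at a Node.js
// reverse proxy or edge layer placed in front of a Next.js application.
// Assumption: Express-style request objects (req.headers, req.ip, req.url).

const BYPASS_HEADER = 'x-middleware-subrequest';

// Values the advisory describes as abusable: a middleware path such as
// "middleware", "src/middleware" or "pages/_middleware", optionally repeated
// as a ":"-separated chain (e.g. "middleware:middleware:...").
const MIDDLEWARE_CHAIN = /^(src\/|pages\/_)?middleware(:(src\/|pages\/_)?middleware)*$/;

// Return a copy of the header map without the bypass header (case-insensitive).
function stripBypassHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BYPASS_HEADER) clean[name] = value;
  }
  return clean;
}

// Classify an inbound request. External clients have no legitimate reason to
// send this header, so its mere presence is worth alerting on; a value shaped
// like a middleware chain is treated as a likely exploitation attempt.
function classifyRequest(headers) {
  const hit = Object.entries(headers).find(([n]) => n.toLowerCase() === BYPASS_HEADER);
  if (!hit) return 'clean';
  return MIDDLEWARE_CHAIN.test(String(hit[1])) ? 'bypass-attempt' : 'suspicious';
}

// Express-style middleware: log for the SOC, then strip the header so the
// Next.js process behind this layer never sees it.
function bypassHeaderGuard(req, res, next) {
  const verdict = classifyRequest(req.headers);
  if (verdict !== 'clean') {
    console.warn(`[CVE-2025-29927] ${verdict} from ${req.ip} on ${req.url}`);
    req.headers = stripBypassHeader(req.headers);
  }
  next();
}
```

Mount `bypassHeaderGuard` before any proxying to Next.js; it complements, rather than replaces, upgrading to a patched release.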
🎯 Why It Matters
- Next.js powers many modern web applications (e-commerce, dashboards, content platforms)
- Use of middleware for routing, redirects, auth, and headers is common
- A single HTTP header can override security logic—simple but extremely dangerous
📚 Further Reading & Reference
- NVD entry for CVE‑2025‑29927
- Datadog Security Research blog on the exploit mechanism
- JFrog Advanced Security analysis with technical insights and impact assessment
- ProjectDiscovery Nuclei template and scan guidance
- Rapid7 analysis highlighting context and variable impact
📝 Conclusion
This Proof of Concept clearly demonstrates that CVE‑2025‑29927 enables attackers to bypass middleware-based authorization in vulnerable Next.js applications by injecting a crafted `x-middleware-subrequest` header. With no complex exploitation required, it's urgent that developers patch vulnerable versions and implement header filtering or redundant auth checks to protect against this critical vulnerability.