Related vulnerability
Description
This repository contains a proof of concept (POC) and an exploit script for CVE-2025-29927, a critical vulnerability in Next.js that allows attackers to bypass authorization checks implemented in middleware.
Introduction
# Next.js Middleware Bypass (CVE-2025-29927) Proof of Concept
This repository contains a **proof of concept (POC)** for **CVE-2025-29927**, a critical vulnerability in **Next.js** that allows attackers to bypass authorization checks implemented in middleware.
## 📋 Table of Contents
1. [Running the POC Application](#running-the-poc-application)
2. [Using the Exploit Script](#using-the-exploit-script)
3. [How to Fix the Vulnerability](#how-to-fix-the-vulnerability)
4. [Vulnerability Details](#vulnerability-details)
---
## Running the POC Application
This Next.js application demonstrates the vulnerability with a protected dashboard route.
### Setup Instructions
1. Clone the repository
2. Install and run:
```bash
npm install
npm run build
npm run start
```
3. Access http://localhost:3000 in your browser
4. Try accessing the protected dashboard at /dashboard
---
## Using the Exploit Script
The exploit script can test any Next.js application for this vulnerability.
### Usage
```bash
npm run exploit <target-url>
```
### Example
```bash
npm run exploit http://localhost:3000/dashboard
```
### How it Works
The exploit tool:
1. Takes a target URL as input
2. Makes a normal request to check if the route is protected
3. Attempts to bypass middleware using the `x-middleware-subrequest` header
4. Compares responses to determine vulnerability
### Sample Output
```bash
=== Next.js CVE-2025-29927 Middleware Bypass Tester ===
Target: http://localhost:3000/dashboard
Testing vulnerability...
Normal request status: 307
Bypass request status: 200
⚠️ VULNERABLE
The route is protected but accessible with the bypass header
```
---
## How to Fix the Vulnerability
A fix implementation is available in the [how-to-fix branch](https://github.com/kOaDT/poc-cve-2025-29927/tree/how-to-fix).
### Quick Fixes
1. **Update Next.js Version** (Recommended)
   - Update to one of these patched versions:
     - Next.js 15.x → **15.2.3**
     - Next.js 14.x → **14.2.25**
     - Next.js 13.x → **13.5.9**
     - Next.js 12.x → **12.3.5**
2. **Implement Secondary Validation**
   - Add authentication checks in your API routes/pages
   - Don't rely solely on middleware for security
### Sample Output (after the fix)
```bash
=== Next.js CVE-2025-29927 Middleware Bypass Tester ===
Target: http://localhost:3000/dashboard
Testing vulnerability...
Making request without bypass header...
Making request with bypass header...
Normal request status: 307
Bypass request status: 307
✓ NOT VULNERABLE - Protected Route
The route is protected and the bypass attempt was unsuccessful
Normal request redirected to: /
Bypass request redirected to: /
```
---
## Vulnerability Details
### CVE Information
- **CVE ID**: CVE-2025-29927
- **Affected Versions**:
  - 13.0.0 - 13.5.8
  - 14.0.0 - 14.2.24
  - 15.0.0 - 15.2.2
  - 11.1.4 - 12.3.4
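The affected ranges above and the patched releases listed under Quick Fixes can be combined into a version check. The following is an added example, not part of the repository: it parses a Next.js version string (or the `next` entry of a `package.json`, which is a constructed sample here) and reports whether it falls inside one of the affected ranges and which patched release to move to. Prerelease tags are ignored and npm range prefixes (`^`, `~`) are stripped, so for a definitive answer check the resolved version in `package-lock.json` rather than the range in `package.json`.

```javascript
// Added example (not the repository's code): a checker built from the affected
// and patched version lists in this README for CVE-2025-29927.

// Each entry: first affected, last affected, and the first patched release.
const AFFECTED_RANGES = [
  { from: '11.1.4', to: '12.3.4', fixed: '12.3.5' },
  { from: '13.0.0', to: '13.5.8', fixed: '13.5.9' },
  { from: '14.0.0', to: '14.2.24', fixed: '14.2.25' },
  { from: '15.0.0', to: '15.2.2', fixed: '15.2.3' },
];

// Parses "15.2.2", "v15.2.2", "^15.2.2" or "~15.2.2" into [major, minor, patch].
// Prerelease suffixes (e.g. "-canary.3") are ignored; ranges such as ">=15" are rejected.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { version, affected, upgradeTo } for a single Next.js version.
function checkNextVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0) {
      return { version, affected: true, upgradeTo: r.fixed };
    }
  }
  return { version, affected: false, upgradeTo: null };
}

// Reads the `next` dependency out of a package.json text and checks it.
function checkPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const spec =
    (pkg.dependencies && pkg.dependencies.next) ||
    (pkg.devDependencies && pkg.devDependencies.next);
  if (!spec) return { version: null, affected: false, upgradeTo: null };
  return checkNextVersion(spec);
}

// Constructed sample package.json for the stand-alone run.
const SAMPLE_PACKAGE_JSON = '{"name":"demo","dependencies":{"next":"^14.2.24","react":"18.2.0"}}';
console.log(checkPackageJson(SAMPLE_PACKAGE_JSON));
```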
### Description
Next.js uses an internal header `x-middleware-subrequest` to prevent recursive requests. This vulnerability allows attackers to **bypass middleware security checks** by manipulating this header.
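Because the header is meant for Next.js's internal use, its presence on a request arriving from outside is itself a signal worth logging. The following is an added example, not part of the repository or of Next.js: it scans access-log records for inbound requests that carry `x-middleware-subrequest` and summarizes them by client. The log format is an assumption (one JSON object per line with a `headers` map, as a reverse proxy configured to log request headers might emit) and the sample lines are constructed.

```javascript
// Added example (not the repository's code): log-based detection of requests
// that carry the internal x-middleware-subrequest header. Assumed format:
// JSON lines with ts, client_ip, method, path, status and a headers map.

// Constructed sample log lines (header values redacted).
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","client_ip":"198.51.100.7","method":"GET","path":"/dashboard","status":307,"headers":{"user-agent":"curl/8.0"}}',
  '{"ts":"2025-03-22T10:00:03Z","client_ip":"198.51.100.7","method":"GET","path":"/dashboard","status":200,"headers":{"user-agent":"curl/8.0","x-middleware-subrequest":"<redacted>"}}',
  '{"ts":"2025-03-22T10:00:09Z","client_ip":"203.0.113.5","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-22T10:01:15Z","client_ip":"203.0.113.5","method":"GET","path":"/api/user","status":200,"headers":{"X-Middleware-Subrequest":"<redacted>"}}',
  'this line is not json and is skipped',
].join('\n');

const BYPASS_HEADER = 'x-middleware-subrequest';

// Returns one finding per request that carried the header (matched case-insensitively).
function findBypassAttempts(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // malformed line: skip rather than abort the scan
    }
    const headers = rec.headers || {};
    const hit = Object.keys(headers).find((k) => k.toLowerCase() === BYPASS_HEADER);
    if (!hit) continue;
    findings.push({
      ts: rec.ts,
      client_ip: rec.client_ip,
      path: rec.path,
      status: rec.status,
      // A 2xx on a route that otherwise redirects is the strongest signal that
      // the middleware check did not run for this request.
      succeeded: typeof rec.status === 'number' && rec.status >= 200 && rec.status < 300,
    });
  }
  return findings;
}

// Counts findings per client address for a quick triage view.
function summarizeByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.client_ip] = (counts[f.client_ip] || 0) + 1;
  return counts;
}

const demoFindings = findBypassAttempts(SAMPLE_LOG);
console.log(demoFindings);
console.log(summarizeByClient(demoFindings));
```

The scan only reports the header's presence; whether a given hit actually bypassed anything depends on the application's version and on the route's expected response, so pair the findings with the version check and the post-fix output shown in this README.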
### Impact
- Unauthorized access to protected routes
- Bypass of authentication checks
- Circumvention of security middleware
### Affected Environments
- Self-hosted Next.js applications using Middleware
### References
- [Next.js Security Advisory](https://nextjs.org/blog/cve-2025-29927)
- [GitHub Security Advisory](https://github.com/advisories/GHSA-f82v-jwr5-mffw)
---
## Disclaimer
This tool is provided for educational and testing purposes only. Only use this tool on systems you own or have explicit permission to test.
File snapshot
```text
[4.0K] /data/pocs/5bd5894c653d2bb5be381f3421872290e8808043
├── [4.0K] app
│ ├── [4.0K] dashboard
│ │ └── [ 192] page.tsx
│ ├── [2.5K] globals.css
│ ├── [ 864] layout.tsx
│ └── [1.6K] page.tsx
├── [4.2K] exploit.js
├── [1.4K] middleware.ts
├── [ 233] next.config.js
├── [ 681] package.json
├── [163K] package-lock.json
├── [4.0K] public
│ ├── [1.3K] next.svg
│ └── [ 629] vercel.svg
├── [3.5K] README.md
├── [ 261] tailwind.config.ts
└── [ 663] tsconfig.json
3 directories, 14 files
```
Notes
1. It is recommended to access the original source first.
2. If the source has gone offline or cannot be accessed, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.