POC details: 66a703f36acdd8262c45db3604123b8de1ff8396

Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is an open-source React framework from Vercel. Next.js versions before 14.2.25 and before 15.2.3 contain a security vulnerability: if an authorization check is performed in middleware, that check can be bypassed.
Description
Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass
Introduction
# Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass

![GitHub Cover](https://github.com/user-attachments/assets/c6e1e617-7da8-4be1-a74e-8a1f0b5321a0)

**Like this repo? Give us a ⭐!**

_For educational and authorized security research purposes only._

## Exploit Author

[@UNICORDev](https://unicord.dev) (by [@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
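The interim mitigation named above, as an added defender-side example that is not code from the UNICORDev repository or from Next.js: a header guard for a reverse proxy or edge layer in front of the app, plus a retrospective check over access-log lines. The log line format and the sample lines are constructed for this example.

```javascript
// Added example, not code from the UNICORDev repository or from Next.js:
// a header guard for a reverse proxy or edge layer sitting in front of a
// Next.js app, implementing the advisory's interim mitigation of keeping
// external requests that carry x-middleware-subrequest away from the app.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Header names are case-insensitive, so compare in lower case; Node's
// IncomingMessage.headers is already lower-cased, other sources may not be.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Verdict for one inbound request: block it outright, or forward a copy of
// the headers. Blocking (rather than silently stripping) keeps the event
// visible to whoever reviews 403s, and leaves nothing for Next.js to trust.
function guardRequest(headers) {
  if (carriesSubrequestHeader(headers)) {
    return { action: 'block', status: 403, headers: null };
  }
  return { action: 'forward', status: null, headers: { ...headers } };
}

// Retrospective detection over access-log lines. The log format below is
// constructed for this example: "<ip> <method> <path> hdrs=<name,name,...>".
function flagLogLines(lines) {
  return lines.filter((line) => {
    const m = /hdrs=(\S+)/.exec(line);
    if (m === null) return false;
    return m[1].split(',').some((h) => h.toLowerCase() === BLOCKED_HEADER);
  });
}

// Constructed sample lines: one request carrying the header, one not.
const SAMPLE_LOG = [
  '203.0.113.5 GET /admin hdrs=host,user-agent,x-middleware-subrequest',
  '198.51.100.7 GET /admin hdrs=host,user-agent,cookie',
];

// Example run: only the first line is flagged.
// flagLogLines(SAMPLE_LOG).length === 1
```

Wire `guardRequest` into whatever sits in front of Next.js (a proxy handler, an edge function, a WAF rule expressed the same way) so that a `block` verdict returns 403 before the request reaches the application.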

## Exploit Description

In vulnerable Next.js versions, it is possible to bypass authorization checks within an application, if the authorization check occurs in middleware, by sending requests which contain the `x-middleware-subrequest` header. This exploit assesses a target's Next.js version and sends various specially crafted headers to achieve middleware bypass.

## Usage

```bash
  python3 exploit-CVE-2025-29927.py -u <target-url>
  python3 exploit-CVE-2025-29927.py -u <target-url> [-v <version>] [-m <middleware>]
  python3 exploit-CVE-2025-29927.py -h
```

## Options

```
  -u    Target URL to check and exploit
  -v    Specify Next.js version if known (e.g., 15.2.0) [Optional]
  -m    Specify middleware file name/location if known (e.g. src/middleware) [Optional]
  -h    Show this help menu.
```

## Download

[Download exploit-CVE-2025-29927.py Here](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2025-29927/refs/heads/main/exploit-CVE-2025-29927.py)

## Exploit Requirements

- python3
- python3:requests
- python3:selenium

## Demo

![Demo](https://github.com/user-attachments/assets/1d547744-2808-430c-9c4f-0fbc1f97aff7)

## Tested On

Next.js Version 13.5.6

## Applies To

- Next.js Versions 15.0.0 - 15.2.2
- Next.js Versions 14.0.0 - 14.2.24
- Next.js Versions 13.0.0 - 13.5.8
- Next.js Versions 11.1.4 - 12.3.4

## Test Environment

```bash
cd vulnerable-next-app
docker compose up
python3 exploit-CVE-2025-29927.py -u http://localhost:3000/admin
```

## Credits

- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- https://github.com/advisories/GHSA-f82v-jwr5-mffw
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass
File snapshot

```
[4.0K] /data/pocs/66a703f36acdd8262c45db3604123b8de1ff8396
├── [ 12K] exploit-CVE-2025-29927.py
├── [2.6K] README.md
├── [  26] requirements.txt
└── [4.0K] vulnerable-next-app
    ├── [4.0K] app
    │   ├── [4.0K] admin
    │   │   └── [ 948] page.tsx
    │   ├── [ 297] layout.tsx
    │   ├── [4.0K] login
    │   │   └── [2.0K] page.tsx
    │   └── [ 476] page.tsx
    ├── [ 184] docker-compose.yml
    ├── [ 792] Dockerfile
    ├── [1.0K] middleware.ts
    ├── [ 495] package.json
    └── [ 70K] package-lock.json

4 directories, 12 files
```