来源

关联漏洞

描述

PoC | NextJS Middleware 15.2.2 - Authorization Bypass 

介绍

# CVE-2025-29927 - Next.js Middleware 15.2.2 - Authorization Bypass 

⚠️ Critical Authentication Bypass in NextJS Middleware  
🛠️ PoC implementation by @zs1n

---

## 💡 Overview

NextJS is a popular React-based web framework, has an authentication vulnerability that affects versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3,this consist in the improper trust on `x-middleware-subrequest` header.When to spoofing this header, attackers can be bypass the middleware logic, This results in authentication and authorization mechanisms that are not normally permitted, gaining access to routes that are not permitted. 

---

## 🛠 Technical Breakdown

NextJS uses middleware to enforce the security policies such as authentication and authorization before routing requests. Because this header is blindly trusted by the framework, an attacker can Spoofing this header, which causes an improper handling of the `middleware` header, that causes effectively bypassing authentication. This lets any network user can be see o gain access to routes that are not permitted.

---

## 🔥 Vulnerable Header

`x-middleware-subrequest` — NextJS vulnerable Header

---

## 💥 Exploitation

An attacker can send a request with a spoofer `x-middleware-subrequest` to impersonate an internal request.

---

## 🔬 Clone the repositori on your machine.

```bash
git clone https://github.com/zs1n/CVE-2025-29927
```

### 🚀 Launching the Exploit

Run the exploit script CVE-2025-29927.py.

```bash
python3 CVE-2025-29927.py -u http://128.43.16.13/api/auth
```

## 📝 References

- [OffSec | CVE-2025-29927 Detail/Blog ](https://www.offsec.com/blog/cve-2025-29927/)

文件快照

 [4.0K]  /data/pocs/ac59a56263fe9b272077b9442c9c6918a4b0e208
├── [1.4K]  CVE-2025-29927.py
└── [1.6K]  README.md

0 directories, 2 files

备注