PoC details: d0df771e447b07ec344d881e73f98f1e81e63277

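Source
Related vulnerability
Title: Next.js security vulnerability (CVE-2025-29927)
Description: Next.js is a React framework open-sourced by Vercel. Next.js versions before 14.2.25 and before 15.2.3 contain a security vulnerability: if the authorization check takes place in middleware, the check can be bypassed.
Description
A deliberately vulnerable Next.js app, affected by CVE-2025-29927 (Authorization Bypass)
Introduction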
# 🕷️ Next.js CVE-2025-29927 

## 🧑🏻‍💼 Legal Disclaimer

This project is a [Next.js](https://nextjs.org) application that has been **intentionally configured to be vulnerable** to an Authorization Bypass in Next.js Middleware ([CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw)). It is provided **solely for lawful, educational, and research purposes**.

By accessing, using, or distributing this code, you acknowledge and agree that:

- You will **only use this project in controlled environments** (such as local test labs or legally authorized systems).
- You will **not attempt to exploit this vulnerability on any system** for which you do not have explicit, written permission.
- The maintainers of this project **do not condone or encourage any unauthorized or malicious activity**, and expressly disclaim any liability for misuse of this code or information.

## 🛫 How To Run

Install [Docker](https://docs.docker.com/engine/install/) and then run:

```bash
 docker build -t next-cve-2025-29927 . 

 docker run -p 3000:3000 next-cve-2025-29927
```

Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.


## 👩‍🏫 How To Exploit the Vulnerable app

Capture the request using an intercepting proxy such as ZAP or Burp, and inject the following header into the request:

`x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`



## 📑 Affected versions 

>= 13.0.0, < 13.5.9

>= 14.0.0, < 14.2.25

>= 15.0.0, < 15.2.3

>= 11.1.4, < 12.3.5

## 🛠️ Remediation

Upgrade to the patched versions:

13.5.9

14.2.25

15.2.3

12.3.5

Or, if you cannot update, block requests that contain the `x-middleware-subrequest` header.
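
One way to implement that header block at the Node layer, as an added example that is not code from this repository. It assumes a custom Node server or Connect-style middleware chain runs in front of the Next.js request handler; `findBlockedHeader`, `blockSubrequestHeader`, `fakeRes` and the sample requests are constructed for illustration.

```javascript
// Added example (not from the PoC repository): reject any inbound request
// that carries the internal x-middleware-subrequest header.
const BLOCKED_HEADER = "x-middleware-subrequest";

// rawHeaders is Node's flat [name, value, name, value, ...] list; it keeps the
// sender's casing and duplicates, so match names case-insensitively.
function findBlockedHeader(rawHeaders = []) {
  const values = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).trim().toLowerCase() === BLOCKED_HEADER) {
      values.push(String(rawHeaders[i + 1]));
    }
  }
  return values;
}

// Connect-style middleware (req, res, next). Returns the log event for a
// blocked request, or null when the request is passed on untouched.
function blockSubrequestHeader(req, res, next, log = console.warn) {
  const values = findBlockedHeader(req.rawHeaders);
  if (values.length === 0) {
    next();
    return null;
  }
  const remote = req.socket ? req.socket.remoteAddress : undefined;
  // Keep the offending values in the event so the request can be triaged later.
  const event = { action: "blocked", reason: BLOCKED_HEADER,
    method: req.method, url: req.url, remote, values };
  log(JSON.stringify(event));
  res.statusCode = 403;
  res.setHeader("content-type", "text/plain");
  res.end("Forbidden\n");
  return event;
}

// Constructed sample requests (minimal stand-ins for http.IncomingMessage).
function fakeRes() {
  return { statusCode: 200, headers: {}, body: "",
    setHeader(k, v) { this.headers[k] = v; }, end(b) { this.body = b; } };
}
const samples = [
  { method: "GET", url: "/admin", rawHeaders: ["Host", "localhost:3000"] },
  { method: "GET", url: "/admin", rawHeaders: ["Host", "localhost:3000",
    "X-Middleware-Subrequest", "middleware:middleware:middleware:middleware:middleware"] },
];
for (const req of samples) {
  blockSubrequestHeader(req, fakeRes(), () => console.log("passed on:", req.url));
}
```

In a real server the guard wraps the existing handler, for example `http.createServer((req, res) => blockSubrequestHeader(req, res, () => handler(req, res)))`, where `handler` is whatever function currently serves the app.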


## 🙇🏻‍♂️ Learn More

To learn more about the vulnerability, take a look at the following resources:

- [Exploring CVE-2025-29927: A Hands-On Look at Authorization Bypass in Next.js Middleware](https://www.riccardosirigu.com/blog/exploring-cve-2025-29927-a-hands-on-look-at-authorization-bypass-in-nextjs-middleware/) 
- [inzo_ and zhero, who disclosed the vulnerability](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)
- [Next.js Advisory on Github](https://github.com/advisories/GHSA-f82v-jwr5-mffw)
- [CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927) 



File snapshot

```
[4.0K] /data/pocs/d0df771e447b07ec344d881e73f98f1e81e63277
├── [4.0K] app
│   ├── [4.0K] admin
│   │   └── [ 371] page.tsx
│   ├── [ 25K] favicon.ico
│   ├── [  79] globals.css
│   ├── [ 689] layout.tsx
│   ├── [1016] page.tsx
│   └── [4.0K] wrong
│       └── [ 524] page.tsx
├── [ 716] Dockerfile
├── [ 393] eslint.config.mjs
├── [ 384] middleware.ts
├── [ 129] next.config.ts
├── [ 583] package.json
├── [323K] package-lock.json
├── [  81] postcss.config.mjs
├── [4.0K] public
│   ├── [ 391] file.svg
│   ├── [1.0K] globe.svg
│   ├── [1.3K] next.svg
│   ├── [ 128] vercel.svg
│   └── [ 385] window.svg
├── [2.3K] README.md
└── [ 598] tsconfig.json

4 directories, 20 files
```