来源

关联漏洞

描述

Critical vulnerability in next.js : Bypass middleware authentication

介绍

# CVE-2025-29927: Next.js Middleware Bypass Vulnerability

## Overview

This repository provides educational information about CVE-2025-29927, a critical vulnerability in Next.js that allows attackers to bypass middleware-based security controls. 

**IMPORTANT: This information is provided strictly for educational and defensive purposes only. Using this knowledge to exploit vulnerable systems without authorization is illegal and unethical.**

## Vulnerability Details

- **CVE ID**: CVE-2025-29927
- **Severity**: Critical (CVSS 9.1)
- **Disclosure Date**: March 21st, 2025
- **Affected Versions**:
  - Next.js 15.x (prior to 15.2.3)
  - Next.js 14.x (prior to 14.2.25)
  - Next.js 11.1.4 through 13.5.6

## Technical Explanation

The vulnerability stems from improper handling of the internal `x-middleware-subrequest` HTTP header in Next.js. This header was designed to prevent recursive middleware processing, but attackers can manipulate it to completely bypass middleware execution.

In Next.js applications, middleware often implements critical security functions like:
- Authentication checks
- Authorization controls
- Request validation
- Security headers implementation
- Rate limiting

By exploiting this vulnerability, attackers can access protected routes and resources without proper authentication or authorization.

## Proof of Concept

The repository includes code samples demonstrating:
1. A vulnerable Next.js application with middleware-based authentication
2. How the vulnerability can be exploited
3. How to properly mitigate the issue

## Mitigation

### Update to Patched Versions
- For Next.js 15.x: Update to version 15.2.3 or later
- For Next.js 14.x: Update to version 14.2.25 or later
- For versions 11.1.4 through 13.5.6: Apply the workarounds described below

### Temporary Workarounds

If immediate updating is not possible, implement one of these workarounds:

#### 1. Using a reverse proxy (Nginx):
```nginx
# Strip the vulnerable header before it reaches your Next.js application
proxy_set_header x-middleware-subrequest "";
```

#### 2. Using Apache:
```apache
# Remove the header from incoming requests
RequestHeader unset x-middleware-subrequest
```

#### 3. Using Express.js:
```javascript
// Add middleware to strip the vulnerable header
app.use((req, res, next) => {
  delete req.headers['x-middleware-subrequest'];
  next();
});
```

## Learning Resources

- [Official Next.js Documentation](https://nextjs.org/docs)
- [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Web Application Security Best Practices](https://cheatsheetseries.owasp.org/)

## Responsible Disclosure

If you discover security vulnerabilities, always follow responsible disclosure practices:
1. Report the issue to the vendor/maintainer directly
2. Provide them reasonable time to address the issue
3. Do not publicly disclose until a patch is available
4. Never exploit vulnerabilities on systems without explicit permission

## Disclaimer

This repository is intended solely for educational purposes to help developers understand and protect against this vulnerability. The authors do not condone or support any malicious use of this information.

文件快照

 [4.0K]  /data/pocs/dd1ae8331cc1b311f4955a9cee5f0037a5e01643
├── [4.3K]  main.py
└── [3.1K]  README.md

0 directories, 2 files

备注