Share 
## https://sploitus.com/exploit?id=2152E73B-A6AE-5D01-954A-B9C3C9FB5AC1
# CVE-2025-29927-PoC-Exploit
Proof-of-Concept for Authorization Bypass in Next.js Middleware

You can run this against a vulnerable version here: https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927

# Running

Execution is straightforward.

1. Python3 CVE-2025-29927-PoC-Exploit.py

It will prompt you to type the domain name. (You have two options: First, type only a domain name. Second, domain name with path)

If you type it like this "domain.com" it will try to brute force the authenticated paths and try those once it finds one with status code 200.

Alternatively you can provdie the authenticated page by yourself for example "domain.com/admin/clients"

In this case it will show only the result for this endpoint.

Results are displayed as JSON.


![image](https://github.com/user-attachments/assets/2e55acb4-2732-41fe-8037-63c92ba5a015)