## https://sploitus.com/exploit?id=3AE45737-895B-5F0C-A7EE-DB53E86CA8DD
# Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass

![GitHub Cover](https://github.com/user-attachments/assets/c6e1e617-7da8-4be1-a74e-8a1f0b5321a0)

**Like this repo? Give us a ⭐!**

_For educational and authorized security research purposes only._

## Exploit Author

[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

## Exploit Description

In vulnerable Next.js versions, it is possible to bypass authorization checks within an application, if the authorization check occurs in middleware, by sending requests which contain the `x-middleware-subrequest` header. This exploit assesses a target's Next.js version and sends various specially crafted headers to achieve middleware bypass.

## Usage

```bash
  python3 exploit-CVE-2025-29927.py -u <target-url>
  python3 exploit-CVE-2025-29927.py -u <target-url> [-v <version>] [-m <middleware>]
  python3 exploit-CVE-2025-29927.py -h
```

## Options

```
  -u    Target URL to check and exploit
  -v    Specify Next.js version if known (e.g., 15.2.0) [Optional]
  -m    Specify middleware file name/location if known (e.g. src/middleware) [Optional]
  -h    Show this help menu.
```

## Download

[Download exploit-CVE-2025-29927.py Here](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2025-29927/refs/heads/main/exploit-CVE-2025-29927.py)

## Exploit Requirements

- python3
- python3:requests
- python3:selenium

## Demo

![Demo](https://github.com/user-attachments/assets/1d547744-2808-430c-9c4f-0fbc1f97aff7)

## Tested On

Next.js Version 13.5.6

## Applies To

- Next.js Versions 15.0.0 - 15.2.2
- Next.js Versions 14.0.0 - 14.2.24
- Next.js Versions 13.0.0 - 13.5.8
- Next.js Versions 11.1.4 - 12.3.4
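
A defender-side check for the ranges listed above, combined with the header mitigation from the Vulnerability Description, as an added example that is not part of the exploit repository. The function names are hypothetical, the ranges are copied from the Applies To list, and the sample header value is a constructed placeholder.

```javascript
// Affected ranges (inclusive) as given in this page's "Applies To" list.
const AFFECTED_RANGES = [
  ["11.1.4", "12.3.4"],
  ["13.0.0", "13.5.8"],
  ["14.0.0", "14.2.24"],
  ["15.0.0", "15.2.2"],
];
const INTERNAL_HEADER = "x-middleware-subrequest";

// Parse an exact "major.minor.patch" (optional leading "v"). Ranges, canary
// tags and garbage return null so the caller reviews them by hand.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = inside a listed range, false = outside, null = could not parse.
function isAffected(versionText) {
  const v = parseVersion(versionText);
  if (v === null) return null;
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) <= 0);
}

// Return a copy of inbound headers without the internal header (matched
// case-insensitively), plus a flag a proxy or edge layer can log or alert on.
function stripInternalHeader(headers) {
  const clean = {};
  let removed = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) removed = true;
    else clean[name] = value;
  }
  return { headers: clean, removed };
}

// Constructed sample input; the header value is a placeholder.
const sample = { Host: "app.example", "X-Middleware-Subrequest": "PLACEHOLDER" };
console.log(isAffected("13.5.6"), stripInternalHeader(sample).removed);
```

Read the installed version from `node_modules/next/package.json` rather than the range declared in the application's own `package.json`.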

## Test Environment

```bash
cd vulnerable-next-app
docker compose up
python3 exploit-CVE-2025-29927.py -u http://localhost:3000/admin
```

## Credits

- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- https://github.com/advisories/GHSA-f82v-jwr5-mffw
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass