## https://sploitus.com/exploit?id=810A1966-D60B-5967-A113-BB35654CF0CA
This is a sample [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app), built to demonstrate in practice how CVE-2025-29927 works.

## Getting Started

First, run the development server:

```bash
npm run dev
# or
yarn dev
# or
pnpm dev
# or
bun dev
```

Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.

Now you can use Burp or another browser extension to modify the headers and exploit the middleware using the payload.

![next-middleware-3](https://github.com/user-attachments/assets/0511db83-1b92-405c-938a-e3e084c0e463)

When a Next.js application uses a middleware, the `runMiddleware` function is invoked. Besides its main job, it reads the value of the `x-middleware-subrequest` header and uses it to decide whether the middleware should be applied at all. The header value is split on the colon character (`:`) into a list, which is then checked for the `middlewareInfo.name` value.

This means that if we add the `x-middleware-subrequest` header with the correct value to our request, the middleware, whatever its purpose, is skipped entirely: the request is forwarded via `NextResponse.next()` and reaches its original destination without the middleware having any effect on it. The header and its value act as a universal key that overrides the rules. At this point we already know that we have just unearthed something crazy.
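For a deployment that cannot be upgraded to a patched release right away, the practical mitigation is to keep external requests carrying `x-middleware-subrequest` from reaching the application at all, since the header is internal to Next.js and no legitimate client sends it. The following is an added example of such an edge filter plus a log check, written for this README and not part of the project or of Next.js itself; the function names and the access-log format are assumptions.

```javascript
// Added example (not from the original repo or from Next.js): strip the
// bypass header at a reverse proxy / edge function and flag its presence,
// and scan access-log lines for attempts. Function names and log format
// are assumptions made for this example.

const BYPASS_HEADER = 'x-middleware-subrequest';

// Takes an incoming request's headers as a plain object (names in any case).
// Returns a copy with the bypass header removed, plus a flag so the caller
// can both drop the header and raise an alert.
function sanitizeRequestHeaders(headers) {
  const cleaned = {};
  let flagged = false;
  let value = null;
  for (const [name, v] of Object.entries(headers)) {
    if (name.toLowerCase() === BYPASS_HEADER) {
      flagged = true;        // never trust this from outside the app
      value = String(v);     // keep the value for the alert, not for the app
    } else {
      cleaned[name] = v;
    }
  }
  return { headers: cleaned, flagged, value };
}

// Detection on a server that logs request headers. Log format assumed:
// "METHOD PATH header=value header=value ...". Any occurrence counts as an
// attempt; the exact value is irrelevant because no external client should
// send the header at all.
function findBypassAttempts(logLines) {
  return logLines.filter((line) =>
    line.toLowerCase().includes(BYPASS_HEADER + '='));
}

// Constructed sample log lines for the detection function.
const SAMPLE_LOG = [
  'GET /dashboard user-agent=curl/8.0',
  'GET /dashboard x-middleware-subrequest=foo user-agent=curl/8.0',
  'GET /login user-agent=Mozilla/5.0',
];

module.exports = { sanitizeRequestHeaders, findBypassAttempts, SAMPLE_LOG };
```

Drop or reject the request when `flagged` is true; stripping alone stops the bypass, rejecting additionally preserves the signal for the SOC.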


Note that this project uses `"next": "14.0.4"`.