## https://sploitus.com/exploit?id=97BF9846-B1F7-50BD-A3D9-269C5E9C83B4
<div align="center">
  <a href="https://www.cybermaxx.com/?utm_source=github&utm_medium=githublink&utm_campaign=mssprinkler&utm_id=github">
  <img src="Images/cybermaxx_logo.png" width="500">
</a>

Testing script for CVE-2025-29927, provided by CyberMaxx.
</div>

## CVE-2025-29927 Tester

This PowerShell script is designed to help security researchers and system administrators test for CVE-2025-29927 vulnerabilities in Next.js applications. It checks whether a target application is vulnerable to the middleware bypass issue by verifying the Next.js version and testing for potential security risks with middleware implementation.

### Features:

- Header inspection: Retrieves HTTP headers from the target URL to confirm whether Next.js is in use (`x-powered-by: Next.js`).
- Version extraction: Searches the target application’s static JavaScript files for the version of Next.js being used.
- CVE-2025-29927 test: Tests the target application for a potential middleware bypass by sending a specially crafted `x-middleware-subrequest` header.

### Usage
Run from an administrative PowerShell window:
```PowerShell
.\test-cve-2025-29927.ps1 -TargetUrl <url>

# Example:
.\test-cve-2025-29927.ps1 -TargetUrl "http://localhost:3000"
```

### Example Output
<div align="center">
  <img src="Images/output.PNG" width="500">
</div>


### How Does It Work?
The script checks whether Next.js is being used via the `x-powered-by` header. If Next.js is detected, it attempts to extract the version from common static assets such as framework.js and main.js, looking for vulnerable version info related to CVE-2025-29927.

The script then sends a request with the x-middleware-subrequest header and checks if the response is HTTP 200, which would indicate that the vulnerability is present.

### Mitigation
- Upgrade to a patched version of Next.js (13.5.9 or later).
- Validate or strip the x-middleware-subrequest header to prevent middleware bypass.
- Enhance authentication mechanisms and avoid relying solely on middleware for critical security.
- Limit the scope of middleware to only essential paths.
- Monitor and log suspicious activity related to middleware bypass attempts.
- Configure security headers like HSTS and CSP to protect your app.
- Regularly audit your codebase and dependencies for security issues.
- Upgrade to the latest version.
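
One way to apply the "validate or strip" and "monitor and log" items above is a wrapper around the Node request handler that sits in front of Next.js. This is an added example, not part of the CyberMaxx script; it assumes a custom Node server or proxy whose downstream code reads `req.headers`, and `guard`, `stripSubrequestHeader`, `demo` and the `log` sink are hypothetical names.

```javascript
// Added example: strip and log x-middleware-subrequest before Next.js sees it.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Removes every spelling of the header from a headers object. Node lowercases
// names in req.headers, but objects built by other layers may not.
// Returns the removed values so the caller can log them.
function stripSubrequestHeader(headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      removed.push(String(headers[name]));
      delete headers[name];
    }
  }
  return removed;
}

// Wraps a (req, res) handler, e.g. the one returned by app.getRequestHandler()
// in a Next.js custom server. `log` is a hypothetical sink (assumption).
function guard(handler, log = (e) => console.warn(JSON.stringify(e))) {
  return (req, res) => {
    const removed = stripSubrequestHeader(req.headers);
    if (removed.length > 0) {
      log({
        event: 'x-middleware-subrequest stripped',
        remote: req.socket ? req.socket.remoteAddress : undefined,
        method: req.method,
        url: req.url,
        // The value is client-controlled: truncate it before logging.
        value: removed.join(',').slice(0, 200),
      });
    }
    return handler(req, res);
  };
}

// Constructed sample request (not captured traffic) run through the guard.
function demo() {
  const events = [];
  const req = {
    method: 'GET', url: '/admin', socket: { remoteAddress: '203.0.113.7' },
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' },
  };
  guard(() => 'handled', (e) => events.push(e))(req, {});
  return { events, headers: req.headers };
}
```

Internet-facing clients have no reason to send this header, so each logged event is worth reviewing alongside the route it targeted.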

### Further Reading
- Original blogpost by Rachid Allam who discovered this vulnerability can be [found here](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware).

### Disclaimer
This script is intended only for testing assets that you have permission and are authorized to test against CVE-2025-29927.

Usage of this script does not provide a guarantee that an application is / is not vulnerable, only that the items the script looks for are or are not present. The author of this script does not take responsibility for any consequences arising from its use.

By using this script, you agree to take full responsibility for your actions. Ensure you have explicit permission before testing any system that does not belong to you.