Next.js Middleware Authorization Bypass

This repository is a standalone Next.js proof-of-concept application demonstrating CVE-2025-29927, a middleware authentication bypass in vulnerable Next.js versions. It is not part of a common exploit framework. The core exploit logic is intentionally simple: the app protects /admin routes only through middleware.ts, and the README documents that sending the forged header x-middleware-subrequest: middleware causes vulnerable Next.js to skip middleware execution entirely. Repository structure: the meaningful source is under app/ and middleware.ts, while .next/ contains build artifacts. app/page.tsx is a public landing page; app/login/page.tsx and app/login/actions.ts implement a demo login flow with hardcoded credentials and set an auth-token cookie; app/admin/layout.tsx provides the admin shell; app/admin/page.tsx, app/admin/users/page.tsx, and app/admin/settings/page.tsx contain mock sensitive data intended to show impact after bypass; app/api/logout/route.ts clears the cookie. README.md explains the vulnerability, affected versions, curl PoC, and mitigation guidance. admin-settings.html and exploit_output.html appear to be captured HTML outputs showing successful access to protected content. Main exploit capability: unauthenticated access to protected admin content by header manipulation alone. There is no RCE, shell, or post-exploitation payload. The exploit demonstrates confidentiality impact by exposing mock employee records, API keys, database credentials, SMTP settings, internal hostnames, internal IPs, and secrets from protected pages. The middleware checks for cookie auth-token == valid-session-xyz123 and redirects unauthenticated users to /login, but this logic is bypassed entirely on vulnerable Next.js versions when the crafted header is supplied. Notable findings: package.json pins next 14.2.20, which falls in the vulnerable range described in the README. The exploit is operational as a realistic web-app demo but remains a POC because the payload is just a static forged header and there is no reusable automation script beyond documented curl examples.

This repository is a small Next.js proof-of-concept demo for CVE-2025-29927, showing middleware authorization bypass via the x-middleware-subrequest header. It is not an automated exploit toolkit; instead, it provides a vulnerable web application that demonstrates how middleware-only protection can be bypassed. Repository structure: the core logic is in app/page.tsx, app/cool/page.tsx, app/uncool/page.tsx, and middleware.ts. app/page.tsx presents a form, sets the isCool cookie to true or false depending on whether the user enters the hardcoded phrase 'Cool password', and then always navigates to /cool. middleware.ts protects only the /cool route by checking request.cookies.get('isCool')?.value === 'true'; otherwise it rewrites the destination to /uncool via redirect. app/cool/page.tsx and app/uncool/page.tsx are simple destination pages used to visualize successful or failed access control. app/page.tsx.backup shows an earlier version where routing logic happened client-side instead of through middleware. Exploit capability: the vulnerability is an authorization bypass against middleware-enforced access control. According to the README, a request sent directly to /cool with x-middleware-subrequest set to 'middleware:middleware:middleware:middleware:middleware' can bypass the middleware and reach the protected page even without a valid cookie. This demonstrates that relying solely on Next.js middleware for security decisions is unsafe on vulnerable versions. There is no reverse shell, command execution, persistence, or post-exploitation logic. No external C2, callback, or hardcoded remote infrastructure is present. The only notable observables are the local demo URL, the protected and redirect paths, the isCool cookie, and the crafted header/value used for the bypass.

Repository is a multi-PoC lab for three Next.js vulnerabilities, not a single offensive implant or framework module. Structure is cleanly split into pocs/ for vulnerable demo apps and scripts/ for reproduction drivers, with docker-compose.yml orchestrating vulnerable and fixed side-by-side containers. Languages are primarily JavaScript/Node.js with Docker and YAML support files. CVE-2025-29927 PoC: a minimal Next.js app protects /dashboard only via middleware in pocs/cve-2025-29927/middleware.js. The exploit script scripts/run-cve-2025-29927.mjs sends a normal request and then a second request with attacker-controlled x-middleware-subrequest set to repeated middleware names. On vulnerable versions, this causes middleware recursion-depth logic to be treated as already exhausted, skipping middleware execution and exposing the protected dashboard. Capability: authorization bypass. CVE-2026-27978 PoC: the app in pocs/cve-2026-27978 exposes a Server Action transferFunds that records a transfer if a session cookie exists. The helper endpoints /api/login, /api/reset, and /api/state support setup and observation. The exploit script scripts/run-cve-2026-27978.mjs obtains a victim session cookie from /api/login, fetches the page to parse the generated $ACTION_* field, then submits the form with Cookie plus Origin: null. On vulnerable versions, the Server Action executes and mutates state. Capability: CSRF-style state-changing action execution under a victim session. CVE-2026-29057 PoC: the app in pocs/cve-2026-29057 rewrites /rewrites/* to an external intermediary at http://127.0.0.1:4000. support/server.js launches three components: Next.js on port 3000, an intermediary proxy on 4000, and a backend on 5000 that records requests into /tmp/cve-2026-29057-state.json. The exploit script scripts/run-cve-2026-29057.mjs uses raw TCP via node:net to send a crafted chunked DELETE /rewrites/poc containing a smuggled GET /secret. On vulnerable versions, both requests are observed by the backend. Capability: HTTP request smuggling through rewrite/proxy behavior. Overall purpose: provide reproducible, side-by-side vulnerable/fixed environments to validate and study three Next.js security issues. The repository is a legitimate proof-of-concept suite with active exploit logic, not merely documentation or passive detection.

Repository is a standalone Python proof-of-concept and scanner for CVE-2025-29927, a Next.js middleware authorization bypass caused by trusting the x-middleware-subrequest header. The main exploit file, exploit/cve_2025_29927.py, creates a requests session, sends a normal GET to a protected path, then repeats the request with x-middleware-subrequest: 1, and marks the target vulnerable when the normal request is blocked (302/401/403) but the crafted request returns 200 and contains admin-related keywords. It supports single-path testing, auto-scanning of common protected routes, loading custom path lists, saving results, and an exploit mode that retrieves protected content. The companion file exploit/batch_scanner.py scales this logic to multiple targets using a thread pool. It can read URLs from a file or generate HTTP targets from single IPs, dash ranges, or CIDR ranges, defaulting to port 3000. This makes the repository capable of both validation and broad network scanning for exposed vulnerable Next.js apps. The repository also includes a full vulnerable lab under target/: a Dockerized Next.js 15.1.0 application with intentionally vulnerable middleware in target/src/middleware.ts. That middleware protects /admin, /api/admin, /api/config, and /dashboard, but immediately allows requests containing x-middleware-subrequest: 1 before checking the auth-token cookie. The admin page demonstrates impact by exposing simulated user/account data and configuration secrets. Additional markdown docs explain usage, vulnerability mechanics, and defensive mitigations. Overall purpose: provide an operational web exploit and batch scanner for detecting and exploiting middleware auth bypass in vulnerable Next.js deployments, plus a reproducible local target for testing and demonstration.

This repository is a small intentionally vulnerable Next.js lab that demonstrates CVE-2025-29927 as a middleware authentication bypass. It is not part of a larger exploit framework; instead, it is a standalone proof-of-concept web application. The core vulnerable logic is in middleware.ts, where access control for three API namespaces (/api/admin, /api/internal, /api/private) is enforced solely by checking for the cookie lab-auth=authenticated. The exploit capability comes from sending a crafted x-middleware-subrequest header, which the README and homepage document as causing middleware to be skipped on vulnerable Next.js 14.2.24, allowing unauthenticated access to protected handlers. Repository structure is simple: app/page.tsx is the instructional landing page, middleware.ts contains the vulnerable authorization gate, and three route handlers under app/api/* return synthetic sensitive data. app/api/admin/secret/route.ts returns an admin secret flag, app/api/internal/health/route.ts returns internal diagnostics, and app/api/private/data/route.ts returns simulated private user data. Supporting files include standard Next.js config and package metadata. No reverse shell, command execution, persistence, or post-exploitation payloads are present; the repository demonstrates only web-layer auth bypass and disclosure of protected JSON resources. The exploit is therefore a web attack vector focused on header manipulation against a vulnerable Next.js deployment. The main fingerprintable targets are the three protected API endpoints and the required cookie/header values. Overall, this is a realistic educational PoC/lab rather than a weaponized exploit.

This repository is a small self-hosted lab and PoC for CVE-2025-29927, a Next.js middleware authorization bypass. It is not a framework module; it contains a minimal vulnerable Next.js application under `JSR-next15/`, a Bash PoC (`poc.sh`), and supporting documentation in `README.md` and `docs/CVE-2025-29927-Analysis-Report.md`. Core exploit capability: the PoC sends a request to a protected route, by default `http://localhost:3000/admin`, with a crafted `X-Middleware-Subrequest` header set to `middleware:middleware:middleware:middleware:middleware`. In vulnerable self-hosted Next.js versions, this can cause the middleware recursion-prevention logic to skip execution of `middleware()`. Because the lab’s auth check exists only in `JSR-next15/middleware.js`, skipping middleware allows unauthenticated access to `src/pages/admin.js` without the required `lab-auth=1` cookie. Repository structure and purpose: - `JSR-next15/middleware.js`: the key vulnerable lab logic. It logs request path, `x-middleware-subrequest`, and cookie headers; checks for cookie `lab-auth=1`; returns HTTP 401 JSON on failure; and applies only to `/admin/:path*`. - `JSR-next15/src/pages/admin.js`: protected page with no secondary auth validation, intentionally demonstrating the impact of middleware bypass. - `JSR-next15/src/pages/index.js`: landing page advertising the lab and linking to `/admin`. - `poc.sh`: main exploit script. It derives a Host header from the target URL and performs the crafted `curl` request. - `Dockerfile` and `docker-compose.yml`: package and expose the lab on port 3000 for local reproduction. - `docs/CVE-2025-29927-Analysis-Report.md`: detailed write-up of affected versions, attack scenario, example attacker/victim IPs, and mitigation guidance. The exploit is operational but simple: it provides a hardcoded header-based bypass request rather than a customizable exploitation framework. No malware or post-exploitation payload is present; the result is unauthorized page access only.

Repository is a small Next.js 15.2.2 + NextAuth (credentials) web app named “PhotoResizer Pro” that doubles as an exploitation walkthrough. Structure: - Auth & access control: `middleware.ts` applies `next-auth/middleware` to `/dashboard(.*)` and `/api(.*)`. Login UI is `app/login/page.tsx`; auth config is `app/lib/auth.ts` using env vars `AUTH_USERNAME`/`AUTH_PASSWORD` and JWT sessions. - Protected functionality: `app/dashboard/page.tsx` provides a file upload form that POSTs to `/api/upload` and then displays the returned image via `/api/images/<filename>`. - Vulnerable server routes: - `app/api/upload/route.ts`: writes the uploaded file to `process.cwd()/uploads` and then runs ImageMagick via `child_process.exec()` with `shell: '/bin/bash'`. The command string interpolates user-controlled `file.name` into the output path (`resized_ + filename`) without safe quoting/whitelisting, enabling OS command injection via crafted filenames. - `app/api/images/[filename]/route.ts`: serves files from the uploads directory after a session check; includes basic traversal checks for `..`, `/`, `\\`. Exploit chain described in README: 1) Enumerate web paths; `/dashboard` and `/api/*` are protected by middleware. 2) Bypass middleware using CVE-2025-29927 by sending a spoofed `x-middleware-subrequest` header containing the middleware name (e.g., repeated `middleware` segments). This causes Next.js to skip middleware execution, granting access to protected routes without a valid session. 3) Use the bypass to reach `/api/upload` and trigger command injection by uploading a file with a malicious filename that appends shell commands (e.g., reverse shell one-liners). This yields RCE as the web service user. 4) README includes an optional post-exploitation privilege escalation scenario (environment-specific): `webuser` can run `sudo /usr/bin/cat /etc/shadow` without a password, enabling offline cracking and root access. Overall purpose: a deliberately vulnerable training/CTF-style application demonstrating (a) Next.js middleware bypass (CVE-2025-29927) and (b) command injection in server-side image processing via ImageMagick `convert` executed through a shell.

This repository contains a Python proof-of-concept exploit for CVE-2025-29927, a critical vulnerability in Next.js that allows attackers to bypass middleware-based authorization by sending requests with the 'x-middleware-subrequest' header. The main file, 'CVE-2025-29927.py', is a command-line tool that sends crafted HTTP requests to a specified Next.js server and path, both with and without the malicious header. It checks for access to protected content and saves successful responses to 'vuln_middleware.html'. The exploit is configurable via command-line arguments for hostname, port, path, HTTP method, and header value. The repository also includes a README.md with detailed vulnerability information and usage instructions, and a requirements.txt listing 'colorama' as a dependency. The exploit demonstrates the vulnerability but does not provide weaponized or post-exploitation payloads.

This repository provides a Python proof-of-concept exploit for CVE-2025-29927, a high-severity vulnerability in certain versions of Next.js. The exploit script (cve-2025-29927.py) attempts to detect the Next.js version running on a target web application and tests a series of common and sensitive endpoints for unauthorized access by manipulating the 'x-middleware-subrequest' HTTP header. The script compares the responses of normal and header-manipulated requests to identify potential bypasses of access controls, which could allow attackers to access internal files or endpoints. The repository consists of a README.md with usage instructions and the main exploit script. The exploit is network-based, targeting web applications, and does not deliver a shell or persistent payload, but rather demonstrates the vulnerability by probing for unauthorized access. The code is structured for clarity and research purposes, making it suitable for security testing and vulnerability verification.

This repository is a proof-of-concept (POC) Next.js 12.2 application designed to demonstrate CVE-2025-29927, a critical authentication middleware bypass vulnerability affecting Next.js versions 11.1.4 through 15.2.2. The application includes a simple authentication system with hardcoded credentials (admin/admin), a protected /admin dashboard, and a vulnerable middleware (middleware.js) that checks for an 'auth' cookie to allow access to /admin routes. The exploit leverages the 'x-middleware-subrequest' HTTP header to bypass the authentication middleware, granting unauthenticated access to the admin panel and exposing sensitive information. The repository contains 12 files, primarily JavaScript code for the Next.js application, with key entry points in middleware.js and the pages/api and pages/ directories. The README provides detailed instructions for exploiting the vulnerability using various tools (browser extensions, curl, Python requests) and describes mitigation steps. No fake or detection-only scripts are present; the repository is a functional POC exploit for educational and demonstration purposes.

This repository provides a proof-of-concept (POC) for CVE-2025-29927, a vulnerability in Next.js (version 15.1.7) that allows authentication bypass via crafted HTTP headers. The repository is structured into two main directories: 'vulnerable/' contains a Dockerized Next.js application with the vulnerable version, and 'fixed/' contains a patched version (Next.js 15.2.3). The exploit leverages the 'x-middleware-subrequest' HTTP header to bypass authentication checks in the middleware, granting unauthorized access to the /admin page. The README.md provides detailed instructions for building, running, and exploiting the vulnerable application. The codebase is primarily JavaScript (middleware and page components), with supporting Dockerfiles and package.json files for environment setup. No hardcoded IPs or external domains are present; the exploit targets localhost for demonstration. The repository is intended for research and defensive validation, not for use in production environments.

This repository is an educational lab simulating CVE-2025-29927, a Next.js middleware authentication bypass vulnerability. The structure includes a Dockerized Next.js application with custom middleware (middleware.js) that is intentionally vulnerable: it checks for an 'auth' cookie or an 'x-token' HTTP header containing the substring 'admin' (case-insensitive). The exploit (exploit.sh) demonstrates three scenarios: normal access (redirects to /login), legitimate access (with 'auth=admin' cookie), and the exploit (sending an 'x-token' header containing 'admin' to bypass authentication). Upon successful bypass, the user can access the /admin page and retrieve a flag from the /api/flag endpoint, which reads from /opt/flag.txt. The repository is clearly marked for educational use only, with instructions to run locally in Docker. The main exploit capability is HTTP header manipulation to bypass middleware authentication checks.

This repository is a Proof-of-Concept (PoC) for demonstrating an authentication bypass vulnerability in a Next.js application using middleware-based authentication. The application is structured as a simple admin dashboard with login functionality. Authentication is handled by checking for the presence of two cookies: 'next_username' and 'next_password'. If these cookies are set to 'admin' and 'password', access is granted to protected pages; otherwise, the user is redirected to the login page. The exploit involves setting these cookies manually in the browser, thereby bypassing the login form and gaining unauthorized access to the admin dashboard. The repository includes Docker support for easy deployment and is primarily written in JavaScript (Next.js/React). No external network endpoints are hardcoded except for the local web server (port 3000). The main files of interest are 'middleware.js' (which implements the authentication logic), 'app/login/page.js' (login form), and 'app/page.js' (dashboard).

This repository provides a comprehensive proof-of-concept and testing toolkit for CVE-2025-29927, a critical authentication/authorization bypass in Next.js middleware. The vulnerability allows attackers to bypass middleware-based access controls by supplying a crafted 'X-Middleware-Subrequest' HTTP header, causing Next.js to treat the request as an internal subrequest and skip middleware checks. The repository includes: - A detailed README explaining the vulnerability, affected versions, and mitigation strategies. - A Nuclei YAML template ('nextjs_nuclei_scan.yaml') for automated active and passive detection of the vulnerability, supporting multiple payloads and endpoint discovery. - A Python script ('scan.py') for multithreaded scanning of multiple targets and paths, sending requests with various crafted 'X-Middleware-Subrequest' header values and analyzing responses for signs of successful bypass. - A sample Next.js application (in 'nextjs/' directory) with middleware enforcing authentication, which can be used as a testbed for the exploit. The main exploit capability is the ability to bypass authentication/authorization on vulnerable Next.js applications by manipulating HTTP headers. The repository is operational and provides both detection and exploitation tools, with clear instructions and code for both automated and manual testing. The attack vector is network-based, targeting HTTP(S) endpoints of Next.js applications. No hardcoded IPs or domains are present; the tools are designed to be used against user-specified targets.

This repository is a proof-of-concept (POC) exploit for CVE-2025-29927, targeting Next.js version 15.2.0. The codebase is a sample Next.js application that demonstrates a logic flaw in the authentication middleware. The middleware (middleware.js) is intended to restrict access to the /dashboard route to authenticated users only, redirecting unauthenticated users to /login. However, the exploit demonstrates that this check can be bypassed, allowing unauthenticated access to the protected /dashboard page. The repository includes all necessary application files, including authentication logic (lib/auth.js), middleware, and React components for login and dashboard pages. The exploit does not use a traditional payload but instead leverages a logic flaw in the authentication flow. The main attack vector is web-based, targeting the application's HTTP endpoints. No external network endpoints, IPs, or domains are hardcoded; all endpoints are relative to the deployed Next.js application.

This repository is a proof-of-concept (POC) for CVE-2025-29927, an authorization bypass vulnerability in Next.js (versions 12, 13, and 14). The repository contains a minimal Next.js application with a protected API endpoint at /api/hello, enforced by a middleware that checks for a specific Authorization header. The exploit demonstrates that by crafting the 'x-middleware-subrequest' HTTP header with repeated 'middleware' values, an attacker can bypass the authorization middleware and gain unauthorized access to the protected endpoint. The README provides detailed reproduction steps, including curl commands for both normal and bypassed access. The codebase includes standard Next.js files, middleware logic in middleware.js, and the vulnerable API route in app/api/hello/route.js. No detection scripts or fake code are present; the repository is focused on demonstrating the exploit. The main attack vector is HTTP header manipulation targeting the /api/hello endpoint.

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-29927, a critical authentication and authorization bypass vulnerability in Next.js middleware affecting versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The exploit is implemented in a single Python script (CVE-2025-29927.py) that sends an HTTP GET request to a user-supplied target URL, spoofing the 'x-middleware-subrequest' header with a crafted value. If the target is vulnerable, this bypasses the middleware's authentication and authorization checks, granting unauthorized access to protected routes. The repository also includes a detailed README.md explaining the vulnerability, exploitation steps, and usage instructions. The exploit is network-based and requires the attacker to know the target URL of a vulnerable Next.js application.

This repository is a deliberately vulnerable Next.js (13.x) application designed for pentesting and educational purposes, specifically to demonstrate CVE-2025-29927 (Next.js Middleware Authorization Bypass). The application features a password-protected admin panel at '/admin', with authentication handled via a simple cookie set upon successful login at '/auth/signin'. The middleware in 'middleware.ts' is intended to restrict access to '/admin' routes, but due to the vulnerability, unauthorized users can bypass this protection and access admin functionality. The application exposes several endpoints: the main site at 'http://localhost:3000', the admin panel at '/admin', and an API at '/api/items' for managing items stored in 'data/data.json'. The codebase is primarily TypeScript and includes both frontend (React/Next.js) and backend (API route) components. The repository structure is typical for a Next.js app, with clear separation of pages, API routes, configuration, and static assets. No weaponized payload is included; the exploit is a proof-of-concept environment for demonstrating the effects of the middleware bypass vulnerability. The repository is not part of a larger exploit framework and is intended for local testing and security research.

This repository is a Next.js application named 'Man-in-the-middle' designed to demonstrate a vulnerability in Next.js middleware authentication. The application uses a PostgreSQL backend and Prisma ORM, with user authentication implemented via JWT tokens. The main exploit scenario involves unauthorized access to the protected API endpoint /api/auth/flag-is-here, which returns a sensitive flag (ORION{CVE-2025-29927}). Access to this endpoint is intended to be restricted to admin users by middleware.ts, which checks JWT tokens and user roles. However, the README and code comments suggest a vulnerability in the middleware logic, potentially allowing attackers to bypass authentication and retrieve the flag. The repository includes all necessary infrastructure for local or Docker-based deployment, with seeded admin credentials for testing. The main attack vector is HTTP, targeting the API endpoint. The codebase is primarily TypeScript, with supporting configuration and migration files. No evidence of weaponization or automated exploitation is present; this is a proof-of-concept application for demonstrating the described vulnerability.

This repository contains two files: 'exploit-test.js' and 'linkspider.py'. 'exploit-test.js' is a proof-of-concept exploit script targeting CVE-2025-29927, a Next.js middleware bypass vulnerability. The script attempts to access protected pages on www.m6.fr by sending HTTP GET requests with and without the 'x-middleware-subrequest: middleware' header. It checks if protected content can be accessed without proper authentication, indicating a successful bypass. The script prints out the results, including status codes, redirection, and content snippets if protected data is exposed. 'linkspider.py' is a simple web crawler using Scrapy. It recursively crawls all links within the m6.fr domain, outputting discovered URLs. This can be used for reconnaissance to enumerate all accessible endpoints on the target domain. The main exploit capability is the ability to test and potentially exploit a middleware bypass on Next.js applications, specifically demonstrated against www.m6.fr. The repository provides both an exploit and a reconnaissance tool, making it useful for both vulnerability verification and target mapping.

This repository contains a single Python exploit script ('thank_u_next.py') targeting CVE-2025-29927, a vulnerability in web applications that use middleware trusting the 'x-middleware-subrequest' HTTP header for authentication. The exploit works by sending HTTP requests with this header set to 'middleware', which can trick vulnerable middleware into granting unauthorized access to protected routes. The script supports multiple HTTP methods (GET, POST, PUT, DELETE, PATCH) and provides clear output indicating whether the bypass was successful. The README provides a detailed technical breakdown, usage instructions, and legal warnings. The only code file is 'thank_u_next.py', which is the entry point and contains all exploit logic. No hardcoded endpoints are present, but the script is designed to be used against arbitrary URLs and paths specified by the user. The exploit is operational, requiring only Python 3.7+ and the 'httpx' library.

This repository provides a proof-of-concept (PoC) exploit for a fictional Next.js middleware bypass vulnerability (CVE-2025-29927). The main file, 'poc.py', is a Python 3 script that allows a user to test whether a protected route in a Next.js application can be accessed by bypassing middleware authentication. The exploit works by sending a GET request to a specified route (default '/admin') on a target host, optionally using a custom 'x-middleware-subrequest' header, custom User-Agent, and proxy settings. The script is class-based, supports verbose/debug output, and is designed for clarity and maintainability. The README provides detailed usage instructions, options, and expected output. The only code file is 'poc.py', which serves as the entry point and contains all exploit logic. No hardcoded credentials or static payloads are present; the exploit is interactive and requires user-supplied target information. The attack vector is network-based, targeting HTTP(S) endpoints of Next.js applications. The repository is a well-structured PoC for educational and research purposes.

This repository is a proof-of-concept (POC) for CVE-2025-29927, an authorization bypass vulnerability in Next.js (versions 11 through 14). The repository contains a minimal Next.js application with a custom middleware (middleware.js) that checks for a specific Authorization header on API routes. The exploit leverages the 'x-middleware-subrequest' HTTP header to bypass the middleware's authorization logic, allowing unauthorized access to protected endpoints such as /api/hello. The README.md provides detailed reproduction steps, including curl commands for both normal and bypassed access, and explains how the exploit applies to different Next.js versions (using either middleware.js or _middleware.js). The main code files are middleware.js (the vulnerable middleware), next.config.mjs (Next.js configuration), and package.json (project dependencies). The attack vector is network-based, targeting HTTP API endpoints. No hardcoded IPs or external domains are present; the exploit is demonstrated on localhost. This repository is not a detection script but a working exploit POC for the specified CVE.

This repository is a Docker-based lab environment for demonstrating and testing the Next.js CVE-2025-29927 vulnerability, which is a critical authorization bypass in Next.js middleware. The lab includes a full-featured e-commerce application built with Next.js, a MySQL backend, and Docker orchestration for easy setup. The vulnerability allows attackers to bypass middleware-based authentication by sending the X-Middleware-Subrequest HTTP header, granting unauthorized access to protected routes such as /admin. The repository contains both the vulnerable application code and detailed documentation (README.md, VULNERABILITY.md) on how to reproduce the exploit, as well as mitigation strategies. The main attack vector is network-based, targeting HTTP endpoints exposed by the Next.js server. The exploit does not require authentication and can be performed by manipulating HTTP headers in requests to protected routes. The codebase is primarily JavaScript/Node.js, with supporting files in SQL, CSS, Dockerfile, and YAML. The structure includes Next.js API routes, middleware, models, and service layers, all orchestrated for local testing of the vulnerability.

This repository is a proof-of-concept (POC) exploit for CVE-2025-29927, a vulnerability in Next.js (versions 13.x < 13.5.9, 14.x < 14.2.25, 15.x < 15.2.3) that allows attackers to bypass middleware-based authentication by sending the internal header 'x-middleware-subrequest: middleware'. The repository is a Next.js application with a simple authentication system. The 'middleware.ts' file enforces authentication for the '/protected' route by checking for an 'auth-token' cookie. The 'app/page.tsx' file provides a login button that sets this cookie, and 'app/protected/page.tsx' displays sensitive information only if the user is authenticated. The exploit is performed by sending a request to the protected route with the header 'x-middleware-subrequest: middleware', which causes the middleware to be bypassed, granting access to the protected content without authentication. This can be demonstrated using curl or Burp Suite as described in the README. No fake or malicious code is present; the repository is a legitimate POC for the described vulnerability. The main attack vector is network-based, targeting HTTP endpoints protected by Next.js middleware. The repository structure is typical for a Next.js app, with clear separation of pages, middleware, and configuration files.

This repository provides a functional exploit for CVE-2025-29927, a critical authorization bypass vulnerability in Next.js middleware. The exploit consists of a Python script (exploit.py) that allows an attacker to test and exploit the vulnerability by sending crafted HTTP(S) requests to a target Next.js application. The script first sends a baseline request to determine if middleware-based authentication is present (indicated by a 307 redirect). It then attempts to bypass the middleware by including the 'x-middleware-subrequest: middleware' header in a follow-up request. If the bypass is successful, the attacker gains unauthorized access to protected routes. The repository includes a README.md with detailed usage instructions and a requirements.txt listing dependencies (requests, colorama, beautifulsoup4). The exploit targets Next.js versions prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5, and is effective against self-hosted deployments that use middleware for access control. No hardcoded endpoints are present; the user specifies the target host, port, and path at runtime.