feat: add vuln module for NextJS middleware bypass CVE-2025-29927 (CISA KEV)

[Dami99-b]

Proposed change

Adds a vulnerability detection module for CVE-2025-29927, an
unauthenticated authorization bypass in Next.js listed in CISA's
Known Exploited Vulnerabilities catalog.

The module sends a GET request with the internal header:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

If the server returns 200 and the response contains Next.js signatures
(NEXT_DATA, next/dist), the target is flagged as vulnerable.

Affected versions: Next.js < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3

Closes #1449

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a71c7101-8265-488c-a607-f3add6c30c09

📥 Commits

Reviewing files that changed from the base of the PR and between 0270f21 and dafc202.

📒 Files selected for processing (1)

• nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

✅ Files skipped from review due to trivial changes (1)

• nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

---

Summary by CodeRabbit

Release Notes

• New Features
  • Added vulnerability detection module for Next.js applications that scans common administrative paths across standard ports (80, 443, 3000, 8080).

Walkthrough

Adds a new vulnerability module nextjs_cve_2025_29927_vuln that issues unauthenticated GET requests with an x-middleware-subrequest header to common Next.js paths/ports and detects CVE-2025-29927 by matching HTTP 200 responses containing Next.js indicators.

Changes

Cohort / File(s)	Summary
New Vulnerability Module nettacker/modules/vuln/nextjs_cve_2025_29927.yaml	Adds nextjs_cve_2025_29927_vuln (severity 9) with author/description/references and classification tags; defines an HTTP GET payload setting {user_agent} and x-middleware-subrequest, disables TLS verification (ssl: false), templates targets across {schema} (http,https) and ports 80,443,3000,8080 with paths admin,dashboard,api/admin; detection requires status 200 and body regex `NEXT_DATA

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

new module

Suggested reviewers

• arkid15r

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a vulnerability module for NextJS middleware bypass CVE-2025-29927, with CISA KEV notation for context.
Description check	✅ Passed	The description provides relevant details about the vulnerability, exploitation method, affected versions, and the module's detection approach, all directly related to the changeset.
Linked Issues check	✅ Passed	The PR fully implements the requirements from issue #1449: adds the YAML module with correct exploit header, detection logic, affected versions, references, and documented test validation.
Out of Scope Changes check	✅ Passed	The changes are entirely within scope—only the new vulnerability module file is added, directly addressing the requirements specified in issue #1449.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/nextjs_cve_2025_29927.yaml`:
- Around line 37-41: The static Next.js asset
"_next/static/chunks/pages/_app.js" can produce false positives because it is
publicly served even on patched systems; remove that entry from the path list
(leave "admin", "dashboard", "api/admin") OR, if you must keep it as a
fingerprint, add an inline comment explaining it is only a heuristic and
strengthen the check in the detection logic (e.g., verify response body
signatures or auth-required headers rather than only HTTP 200) so the module
nextjs_cve_2025_29927.yaml does not treat public static assets as definitive
vulnerability evidence.
- Line 57: Update the regex value used for Next.js detection in the YAML's regex
field: replace the `_nextjs` token with the more accurate `_next/` so the
pattern becomes "__NEXT_DATA__|_next/|next/dist"; if `_nextjs` was intentionally
included for this CVE, add a short inline comment next to the regex explaining
that rationale instead of leaving the ambiguous `_nextjs` token.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2b92c6fe-aed7-4b9f-be52-7f032434c71c

📥 Commits

Reviewing files that changed from the base of the PR and between f4c1bbf and 35739af.

📒 Files selected for processing (1)

• nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

[syedsuzain]

@Dami99-b Before creating a PR you should atleast ask the person if he is currently working on the issue, you can't just create a PR on someone's issue directly

[Dami99-b]

@Dami99-b Before creating a PR you should atleast ask the person if he is currently working on the issue, you can't just create a PR on someone's issue directly

oh I sincerely apologise for any inconveniences this might have caused you.