Exploit for CVE-2025-29927
Description

CVE-2025-29927: Next.js Middleware Exploit

This tool demonstrates and automates the exploitation of CVE-2025-29927, a vulnerability in Next.js that allows an attacker to bypass middleware checks (such as authentication) by abusing the internal header x-middleware-subrequest.

🔧 How the Exploit Works

Next.js uses the header x-middleware-subrequest internally to prevent infinite loops in recursive requests. In affected versions, however, this header is not protected against external manipulation, so a malicious actor can spoof it. When the header is set manually, the middleware logic responsible for enforcing authentication, redirects, logging, or filtering is skipped entirely.

What This Tool Does:
- Sends a baseline request (without the header)
- Iterates over multiple payloads for x-middleware-subrequest
- Compares response body content
- Detects and reports:
  ✅ Confirmed Bypass: status 403 becomes 200
  ⚠️ Response Difference: status stays the same, but content differs (partial bypass or unintended behavior)
- Saves results in clean output files for further analysis

🔖 Affected Versions
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9

Vulnerable Targets:
- Self-hosted Next.js apps using middleware (e.g., next start with output: standalone)
- Applications where middleware is used for authentication or security enforcement and is not re-validated at runtime

Not Vulnerable:
- Apps hosted on Vercel or Netlify
- Static exports (next export)

👁️ Exploit in Action

Example Middleware…
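A defensive companion to the description above, added here as an example; it is not code from the exploit tool or from Next.js. It does three things a responder or platform owner would want: checks a reported Next.js version against the fixed releases listed on this page (majors the page does not list are reported as unknown rather than guessed), strips an externally supplied x-middleware-subrequest header before a request is forwarded to the app (the header is internal, so a client has no legitimate reason to send it), and reviews access-log lines for requests that carried it. The function names, the JSON log format and every sample value are assumptions made for this illustration.

```javascript
// Added defensive example for CVE-2025-29927. Not part of the exploit tool or of
// Next.js; function names, the log format and all sample data are assumptions.

const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Fixed releases exactly as listed on this page, keyed by major version.
// A major that is not listed here is reported as null ("unknown"), not guessed.
const FIXED_RELEASES = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9] };

// "v15.2.2" or "15.2.2" -> [15, 2, 2]; anything else is rejected loudly.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (string comparison would rank 2.25 below 2.3).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> older than the fixed release for its major line (affected)
// false -> at or above the fix
// null  -> major line not covered by the table on this page
function isAffectedVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED_RELEASES[v[0]];
  if (!fixed) return null;
  return compareVersions(v, fixed) < 0;
}

// Copy a request's headers, dropping x-middleware-subrequest in any casing.
// Node lowercases incoming header names, but a proxy or test harness may not,
// so the comparison is case-insensitive. Returns whether anything was removed
// so the caller can log the event.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      stripped = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Review access-log lines (constructed format: one JSON object per line with
// "ip", "path", "status" and "headers") and return the entries where a client
// sent the internal header. Malformed lines are skipped rather than aborting.
function findSubrequestHeaderHits(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue;
    }
    const names = Object.keys(entry.headers || {}).map((h) => h.toLowerCase());
    if (names.includes(SUBREQUEST_HEADER)) {
      hits.push({ ip: entry.ip, path: entry.path, status: entry.status });
    }
  }
  return hits;
}

// Constructed sample log: the same client is refused on /admin, then gets a 200
// on the same path while carrying the internal header.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.5","path":"/admin","status":403,"headers":{"user-agent":"curl/8.0"}}',
  '{"ip":"203.0.113.5","path":"/admin","status":200,"headers":{"user-agent":"curl/8.0","x-middleware-subrequest":"constructed-value"}}',
  '{"ip":"198.51.100.7","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
].join("\n");

console.log("15.2.2 affected:", isAffectedVersion("15.2.2")); // true
console.log("15.2.3 affected:", isAffectedVersion("15.2.3")); // false
console.log(stripSubrequestHeader({ "X-Middleware-SubRequest": "x", host: "app.example" }));
console.log(findSubrequestHeaderHits(SAMPLE_LOG));
```

In deployment the stripping belongs at the edge (reverse proxy or load balancer) in front of a self-hosted app, so the header never reaches Next.js at all; the log review is a one-off check of historical traffic for the period before patching, where any external request carrying the header is worth treating as an attempted bypass.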
