https://github.com/unicordev/exploit-cve-2025-29927
Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass
authorization bypass exploit middleware nextjs python python3
- Host: GitHub
- URL: https://github.com/unicordev/exploit-cve-2025-29927
- Owner: UNICORDev
- Created: 2025-04-14T15:12:13.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-15T00:35:29.000Z (about 1 year ago)
- Last Synced: 2025-04-15T01:17:46.491Z (about 1 year ago)
- Topics: authorization, bypass, exploit, middleware, nextjs, python, python3
- Language: Python
- Homepage: https://unicord.dev/exploit-CVE-2025-29927
- Size: 13.7 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass

**Like this repo? Give us a ⭐!**
_For educational and authorized security research purposes only._
## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))
## Vulnerability Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
## Exploit Description
In vulnerable Next.js versions, it is possible to bypass authorization checks within an application, if the authorization check occurs in middleware, by sending requests which contain the `x-middleware-subrequest` header. This exploit assesses a target's Next.js version and sends various specially crafted headers to achieve middleware bypass.
## Usage
```bash
python3 exploit-CVE-2025-29927.py -u
python3 exploit-CVE-2025-29927.py -u [-v ] [-m ]
python3 exploit-CVE-2025-29927.py -h
```
## Options
```
-u Target URL to check and exploit
-v Specify Next.js version if known (e.g., 15.2.0) [Optional]
-m Specify middleware file name/location if known (e.g. src/middleware) [Optional]
-h Show this help menu.
```
## Download
[Download exploit-CVE-2025-29927.py Here](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2025-29927/refs/heads/main/exploit-CVE-2025-29927.py)
## Exploit Requirements
- python3
- python3:requests
- python3:selenium
## Tested On
Next.js Version 13.5.6
## Applies To
- Next.js Versions 15.0.0 - 15.2.2
- Next.js Versions 14.0.0 - 14.2.24
- Next.js Versions 13.0.0 - 13.5.8
- Next.js Versions 11.1.4 - 12.3.4
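
For defenders, the following added example (not part of this repository or its exploit script) checks a deployed Next.js release against the ranges listed above and scans edge-proxy logs for external requests that carried the `x-middleware-subrequest` header. The log layout, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive) as listed under "Applies To" on this page.
AFFECTED = [((11, 1, 4), (12, 3, 4)), ((13, 0, 0), (13, 5, 8)),
            ((14, 0, 0), (14, 2, 24)), ((15, 0, 0), (15, 2, 2))]

# Assumed edge-proxy log layout (not from the page), e.g. nginx:
#   log_format mw '$remote_addr "$request" $status "$http_x_middleware_subrequest"';
LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def is_affected(version):
    """True if an exact 'x.y.z' Next.js release is inside a listed range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:  # pre-release/canary builds need manual review
        raise ValueError(f"unsupported version string: {version!r}")
    v = tuple(map(int, m.groups()))
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def flag_requests(lines):
    """Return edge requests that carried x-middleware-subrequest."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format
        src, _method, path, status, header = m.groups()
        if header in ("", "-"):  # nginx logs "-" when the header is absent
            continue
        # 2xx means the app served the request; anything else was an attempt.
        outcome = "served" if status.startswith("2") else "attempt"
        hits.append({"src": src, "path": path, "status": int(status),
                     "outcome": outcome})
    return hits


# Constructed sample lines; the header value is a placeholder, presence is the signal.
SAMPLE_LOG = [
    '203.0.113.7 "GET /admin HTTP/1.1" 307 "-"',
    '203.0.113.7 "GET /admin HTTP/1.1" 200 "PLACEHOLDER"',
    '198.51.100.9 "GET /admin HTTP/1.1" 403 "PLACEHOLDER"',
    '192.0.2.44 "GET / HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    print("13.5.6 affected:", is_affected("13.5.6"))
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A "served" hit on a path that middleware is supposed to protect, on a release where `is_affected` returns true, is the case to investigate first.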
## Test Environment
```bash
cd vulnerable-next-app
docker compose up
python3 exploit-CVE-2025-29927.py -u http://localhost:3000/admin
```
## Credits
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- https://github.com/advisories/GHSA-f82v-jwr5-mffw
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass