Add Vuln Module for NextJS Middleware Bypass CVE-2025-29927 (CISA KEV) #1449
Description
Summary
CVE-2025-29927 is an unauthenticated authorization bypass vulnerability in the Next.js framework. It affects Next.js versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
Description
Next.js uses an internal header, x-middleware-subrequest, to track recursive middleware calls and prevent infinite execution loops. In affected versions, this header is not stripped from incoming external requests before being processed. This allows an unauthenticated remote attacker to set this header in any HTTP request, causing the server to skip middleware execution entirely, including any authentication, authorization, or access control logic, and serve the protected resource directly. Exploitation requires a single unauthenticated GET request with no user interaction.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://nextjs.org/blog/cve-2025-29927
GHSA-f82v-jwr5-mffw
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://github.com/EQSTLab/CVE-2025-29927
Testing
For the vulnerable instance, I deployed the Vulhub Docker environment (vulhub/next.js/CVE-2025-29927) running a vulnerable Next.js version. The module correctly sent a GET request with an x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware header, received a 200 OK response on a protected route, matched the NEXT_DATA signature in the response body confirming a Next.js application, and logged Detected. For the patched instance, I tested against Next.js v15.2.3 and confirmed the module returns no result.
It successfully passed both tests.
Proposal
I would like to submit a PR adding: CVE_2025_29927_vuln.yaml
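
A defender-side companion to the description above, as an added example that is not part of the original issue or the proposed module: it checks a Next.js version against the fixed releases named in the summary and strips the internal header from externally received headers. The function names are hypothetical, and treating majors below 12 as affected and majors above 15 as fixed is an assumption drawn from the issue's wording.

```javascript
// Added example; not code from the issue, the proposed module, or Next.js itself.
// Fixed release per release line, as listed in the issue summary.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const INTERNAL_HEADER = "x-middleware-subrequest";

// Parse "15.2.3" or "v14.2.25" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is below the fixed release of its own release line.
// Assumption: majors below 12 count as "prior to 12.3.5"; majors above 15 are fixed.
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) throw new Error(`unparseable version: ${version}`);
  const major = parsed[0];
  if (major < 12) return true;
  if (major > 15) return false;
  const fixed = FIXED[major];
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== fixed[i]) return parsed[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Edge-side mitigation: drop the internal header from headers received from
// outside before they are forwarded to the application. Header names are
// case-insensitive, so compare in lower case. `seen` lets the caller log the
// request as suspicious, since external clients have no reason to send it.
function stripInternalHeader(headers) {
  const cleaned = {};
  let seen = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) { seen = true; continue; }
    cleaned[name] = value;
  }
  return { cleaned, seen };
}

// Constructed sample request headers, for illustration only.
const sample = { Host: "app.example", "X-Middleware-Subrequest": "middleware" };
const result = stripInternalHeader(sample);
console.log(isAffected("15.2.2"), result.seen, Object.keys(result.cleaned));
```

Stripping the header at the proxy is a stopgap for deployments that cannot upgrade immediately; the version check identifies which ones still need the upgrade.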