For educational and authorized security research purposes only.
@UNICORDev by (@NicPWNs and @Dev-Yeoj)
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
In vulnerable Next.js versions, it is possible to bypass authorization checks within an application, if the authorization check occurs in middleware, by sending requests which contain the x-middleware-subrequest header. This exploit assesses a target's Next.js version and sends various specially crafted headers to achieve middleware bypass.
python3 exploit-CVE-2025-29927.py -u <target-url>
python3 exploit-CVE-2025-29927.py -u <target-url> [-v <version>] [-m <middleware>]
python3 exploit-CVE-2025-29927.py -h
-u Target URL to check and exploit
-v Specify Next.js version if known (e.g., 15.2.0) [Optional]
-m Specify middleware file name/location if known (e.g. src/middleware) [Optional]
-h Show this help menu.
- python3
- python3:requests
- python3:selenium
Next.js Version 13.5.6
- Next.js Versions 15.0.0 - 15.2.2
- Next.js Versions 14.0.0 - 14.2.24
- Next.js Versions 13.0.0 - 13.5.8
- Next.js Versions 11.1.4 - 12.3.4
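For defenders, the version ranges above and the workaround from the description (keeping external requests that carry the x-middleware-subrequest header away from the application) can be checked with a short script. This is an added example, not code from this repository or from Next.js; the function names, the `app.example` host and the sample header value are constructed for illustration, and the lower bound uses the 11.1.4 figure from the list above.

```python
import re

# Fixed release per major line, from the advisory text on this page.
FIXED = {12: (12, 3, 5), 13: (13, 5, 9), 14: (14, 2, 25), 15: (15, 2, 3)}
FIRST_AFFECTED = (11, 1, 4)  # lower bound of the "11.1.4 - 12.3.4" range listed here
BLOCKED_HEADER = "x-middleware-subrequest"


def parse_version(text):
    """Turn '14.2.24' or 'v15.2.0' into (major, minor, patch); suffixes are ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognized Next.js version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version falls inside one of the affected ranges listed on the page."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return False
    # 11.x has no fixed release of its own; the page groups it with the 12.x line.
    fixed = FIXED.get(12 if version[0] == 11 else version[0])
    return fixed is not None and version < fixed


def screen_headers(headers, reject=True):
    """Apply the workaround to one inbound request at the edge.

    headers: list of (name, value) pairs as received from the client.
    Returns (allowed, forwarded_headers). With reject=False the header is
    stripped and the request is forwarded without it.
    """
    kept = [(n, v) for n, v in headers if n.strip().lower() != BLOCKED_HEADER]
    found = len(kept) != len(headers)
    if found and reject:
        return False, []
    return True, kept


if __name__ == "__main__":
    # Constructed sample input: installed versions and one inbound request.
    for installed in ["13.5.6", "14.2.25", "11.1.3", "15.2.2"]:
        print(installed, "affected" if is_affected(installed) else "not affected")
    request = [("Host", "app.example"), ("X-Middleware-Subrequest", "constructed-value")]
    print(screen_headers(request))                # (False, [])
    print(screen_headers(request, reject=False))  # (True, [('Host', 'app.example')])
```

The header comparison is case-insensitive and covers repeated headers, since HTTP header names are not case-sensitive and a client may send the same header more than once.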
cd vulnerable-next-app
docker compose up
python3 exploit-CVE-2025-29927.py -u http://localhost:3000/admin