{"uuid": "90cb81c6-5af4-4acc-af32-023d458f9732", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-29927", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/nextjs_middleware_auth_bypass.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"\", \"author\": [\"Rachid Allam\", \"Yasser Allam\", \"Kenneth LaCroix\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module detects self-hosted Next.js applications affected by\\n          CVE-2025-29927, an authorization bypass in the middleware layer. Next.js\\n          tags its own internal subrequests with the x-middleware-subrequest header\\n          and skips middleware when it sees it. The header is trusted without\\n          verifying it originated internally, so an external client that supplies it\\n          causes middleware to be skipped entirely, bypassing any authentication,\\n          authorization, or redirects implemented there. Affected self-hosted\\n          versions are < 12.3.5, < 13.5.9, < 14.2.25, and < 15.2.3.\\n\\n          The module performs a differential check: it sends a baseline request to a\\n          user-supplied, normally middleware-gated path (expecting a redirect or a\\n          401/403), then repeats the request with a crafted x-middleware-subrequest\\n          header. 
If the gate disappears (the protected resource is served, or the\\n          middleware redirect to login is gone), the target is reported vulnerable.\\n          This is detection only; the module does not act on the bypassed response.\", \"disclosure_date\": \"2025-03-21\", \"fullname\": \"auxiliary/scanner/http/nextjs_middleware_auth_bypass\", \"is_install_path\": true, \"mod_time\": \"2026-06-21 12:02:08 +0000\", \"name\": \"Next.js Middleware Authorization Bypass Scanner\", \"needs_cleanup\": false, \"notes\": {\"Reliability\": [], \"SideEffects\": [\"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/auxiliary/scanner/http/nextjs_middleware_auth_bypass.rb\", \"platform\": \"\", \"post_auth\": false, \"rank\": 300, \"ref_name\": \"scanner/http/nextjs_middleware_auth_bypass\", \"references\": [\"CVE-2025-29927\", \"GHSA-f82v-jwr5-mffw\", \"URL-https://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass\"], \"rport\": 3000, \"session_types\": false, \"targets\": null, \"type\": \"auxiliary\"}", "creation_timestamp": "2026-06-24T15:45:11.412942Z"}