Revisions
fourcube created this gist
Mar 24, 2025
@@ -0,0 +1,27 @@ metadata: language: v2-beta name: "CVE-2025-29927 - Next.js middleware bypass" description: "Checks for differences in responses when using different x-middleware-subrequest header paths" author: "Chris Grieger - blueredix.com" tags: "next.js", "middleware" run for each: middleware_value = "pages/_middleware", "middleware", "src/middleware", "middleware:middleware:middleware:middleware:middleware", "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware" given request then send request called check: headers: "x-middleware-subrequest": {middleware_value} if not({base.response.status_code} is {check.response.status_code}) or {base.response} differs from {check.response} then report issue: severity: high confidence: firm detail: "Different response detected when using a specific value for the in x-middleware-subrequest header." remediation: "The application responds differently when sending a request with the x-middleware-subrequest header. This could potentially be used to bypass middleware protections." end if
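Review bot: the `if` condition reports on any difference between `{base.response}` and `{check.response}`, so a page with per-request content (timestamps, CSRF tokens, nonces) is flagged at `severity: high` / `confidence: firm` even when the middleware was not bypassed. Consider keeping that level only for a status code change and reporting body-only differences with a lower confidence. The `detail` string has a stray word ("for the in x-middleware-subrequest header") and does not name which `{middleware_value}` produced the difference, which the person triaging the issue needs. The `remediation` text restates the finding; it should say what to do, such as upgrading Next.js to a release that fixes CVE-2025-29927 or stripping `x-middleware-subrequest` from external requests at the proxy.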