{"id":993,"date":"2025-04-23T06:03:38","date_gmt":"2025-04-23T06:03:38","guid":{"rendered":"http:\/\/localhost\/?p=993"},"modified":"2025-04-23T06:03:38","modified_gmt":"2025-04-23T06:03:38","slug":"ghost-route-ghost-route-detects-if-a-next-js-site-is-vulnerable-to-the-corrupt-middleware-bypass-bug","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=993","title":{"rendered":"Ghost-Route – Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nGhost-Route – Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927)<\/td>\n<\/tr>\n
Type<\/th>\nkitploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-22T12:30:00<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-22T13:53:03<\/td>\n<\/tr>\n
CVSS Score<\/th>\n9.1 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nNONE<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-29927<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\ntools<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ![](https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEilKvkxEHc-ev4Xsq_VY3ESgilrPqF1W1R_jweMVYs1iDsv6iox3-VhaMXUkL0GPAMhHxG2UAVEOD-wyhIBdXt8V2uLoN4vBKQuwDzzeDoFBLg61jLgz_1jwbXA1oOO7uRr0q1i3CKhn58GZdlHCUzT2HH6SNWbgmAtoAULvmfuDwPxIUm_SY5iNCrvAdc=w640-h254)<\/p>\n

A Python script to check Next.js sites for corrupt middleware vulnerability (CVE-2025-29927).<\/p>\n

The corrupt middleware vulnerability allows an attacker to bypass authentication and access protected routes by send a custom header `x-middleware-subrequest`. <\/p>\n

Next JS versions affected: – 11.1.4 and up<\/p>\n

> [!WARNING] This tool is for educational purposes only. Do not use it on websites or systems you do not own or have explicit permission to test. Unauthorized testing may be illegal and unethical.<\/p>\n

## Installation<\/p>\n

Clone the repo<\/p>\n

git clone https:\/\/github.com\/takumade\/ghost-route.git
\n cd ghost-route <\/p>\n

Create and activate virtual environment<\/p>\n

python -m venv .venv
\n source .venv\/bin\/activate <\/p>\n

Install dependencies<\/p>\n

pip install -r requirements.txt <\/p>\n

## Usage<\/p>\n

python ghost-route.py <\/p>\n

* ``: Base URL of the Next.js site (e.g., https:\/\/example.com)
\n * ``: Protected path to test (default: \/admin)
\n * ``: Show response headers (default: False)<\/p>\n

## Example<\/p>\n

Basic Example<\/p>\n

python ghost-route.py https:\/\/example.com \/admin <\/p>\n

Show Response Headers<\/p>\n

python ghost-route.py https:\/\/example.com \/admin True <\/p>\n

## License<\/p>\n

MIT License<\/p>\n

## Credits<\/p>\n

* CVE-2025-29927
\n * Next.js and the corrupt middleware: the authorizing artifact
\n * Rachid A.
\n * Yasser Allam<\/p>\n

**Download Ghost-Route**<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n9.1<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n