ET WEB_SERVER Next.js CVE-2025-29927 middleware bypass attempt

0xThiebaut · March 23, 2025, 5:21pm

In reference to CVE-2025-29927:

alert http any any -> $HTTP_SERVERS any (msg: "ET WEB_SERVER Next.js CVE-2025-29927 middleware bypass attempt"; flow: established, to_server; http.header_names; content: "|0d 0a|x-middleware-subrequest|0d 0a|"; nocase; reference:url,nextjs.org/blog/cve-2025-29927; reference:cve,2025-29927; metadata: attack_target Web_Server, deployment Datacenter, signature_severity Major, tag NextJS, affected_product NextJS_15_2_2, cve CVE_2025_29927, created_at 2025_03_23; classtype: web-application-attack; sid: 1; rev: 1;)

Example request using PoC:

GET /dashboard HTTP/1.1
Host: localhost:3000
User-Agent: curl/8.10.1
Accept: */*
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

stu4rt · March 24, 2025, 8:36pm

Hi @0xThiebaut, you’ll find coverage for CVE-2025-29927 in today’s release.

Topic	Replies	Views
Ruleset Update Summary - 2023/10/12 - v10438 Ruleset Updates	1330	October 12, 2023
Ruleset Update Summary - 2023/10/29 - v10451 Ruleset Updates	323	October 29, 2023
Ruleset Update Summary - 2024/11/30 - v10763 Ruleset Updates	26	November 30, 2024
Ruleset Update Summary - 2025/01/16 - v10839 Ruleset Updates	126	January 16, 2025
Ruleset Update Summary - 2024/05/22 - v10601 Ruleset Updates	223	May 22, 2024

ET WEB_SERVER Next.js CVE-2025-29927 middleware bypass attempt

Related topics