
feat: add vuln module for NextJS middleware bypass CVE-2025-29927 (CISA KEV)#1476

Open
Dami99-b wants to merge 1 commit into OWASP:master from Dami99-b:feat/add-nextjs-cve-2025-29927-module

Conversation

@Dami99-b

Proposed change

Adds a vulnerability detection module for CVE-2025-29927, an
unauthenticated authorization bypass in Next.js listed in CISA's
Known Exploited Vulnerabilities catalog.

The module sends a GET request with the internal header:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

If the server returns 200 and the response contains Next.js signatures
(NEXT_DATA, next/dist), the target is flagged as vulnerable.

Affected versions: Next.js < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3

Closes #1449
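The decision logic the description gives (HTTP 200 plus Next.js body signatures), written out as an added example that is not the module's own code and not part of the PR; the regex uses the `_next/` token the reviewer asked for, the path list and sample responses are constructed here, and a hit on a public static asset is reported as a fingerprint rather than as a bypass:

```python
import re

# Body signatures the module keys on, with the reviewer's `_next/` token
# rather than the ambiguous `_nextjs`.
NEXTJS_BODY_RE = re.compile(r"__NEXT_DATA__|_next/|next/dist")

# Paths the module probes; each is expected to sit behind middleware.
PROTECTED_PATHS = ("admin", "dashboard", "api/admin")

# Public static assets return 200 even on patched versions, so a match
# there only fingerprints Next.js and is never evidence of a bypass.
STATIC_PREFIXES = ("_next/static/", "_next/image")


def classify(path, status, body):
    """Classify one response to the probe request as
    'vulnerable', 'fingerprint' or 'not_vulnerable'."""
    path = path.lstrip("/")
    # Anything other than 200 (e.g. a 302 to a login page or a 401)
    # means middleware still acted on the request.
    if status != 200 or not NEXTJS_BODY_RE.search(body):
        return "not_vulnerable"
    if path.startswith(STATIC_PREFIXES) or path not in PROTECTED_PATHS:
        return "fingerprint"
    return "vulnerable"


# Constructed sample responses (path, status, body), not captured traffic.
SAMPLE_RESPONSES = [
    ("/admin", 200, '<script id="__NEXT_DATA__" type="application/json">'),
    ("/dashboard", 302, ""),
    ("/api/admin", 401, '{"error":"unauthorized"}'),
    ("/_next/static/chunks/pages/_app.js", 200, "require('next/dist/client')"),
    ("/admin", 200, "<html><body>generic app</body></html>"),
]


def scan(responses):
    """Return a per-path verdict, keeping the strongest finding per path."""
    rank = {"not_vulnerable": 0, "fingerprint": 1, "vulnerable": 2}
    verdicts = {}
    for path, status, body in responses:
        verdict = classify(path, status, body)
        if rank[verdict] > rank.get(verdicts.get(path), -1):
            verdicts[path] = verdict
    return verdicts


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_RESPONSES).items():
        print(f"{path}: {verdict}")
```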

@coderabbitai

coderabbitai bot commented Mar 30, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a new vulnerability module nextjs_cve_2025_29927_vuln that issues unauthenticated GET requests with an x-middleware-subrequest header to common Next.js paths/ports and detects CVE-2025-29927 by matching HTTP 200 responses containing Next.js indicators.

Changes

Cohort / File(s): New Vulnerability Module, nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

Summary: Adds nextjs_cve_2025_29927_vuln (severity 9) with author/description/references and classification tags; defines an HTTP GET payload setting {user_agent} and x-middleware-subrequest, disables TLS verification (ssl: false), templates targets across {schema} (http,https) and ports 80,443,3000,8080 with paths admin,dashboard,api/admin; response match: status 200 and body regex `NEXT_DATA

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | Passed | The title clearly and specifically describes the main change: adding a vulnerability module for CVE-2025-29927, a Next.js middleware bypass vulnerability in CISA's KEV catalog. |
| Description check | Passed | The description is directly related to the changeset, explaining the proposed CVE-2025-29927 module, the exploitation mechanism, affected versions, and referencing the closed issue. |
| Linked Issues check | Passed | The PR successfully implements all coding requirements from issue #1449: adds the vulnerability module with correct x-middleware-subrequest header, implements matching for NEXT_DATA/next/dist signatures and 200 response, includes multiple reference links, and addresses affected versions. |
| Out of Scope Changes check | Passed | All changes are directly in scope; the single file added is the vulnerability module requested in issue #1449 with no extraneous modifications. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/nextjs_cve_2025_29927.yaml`:
- Around line 37-41: The static Next.js asset
"_next/static/chunks/pages/_app.js" can produce false positives because it is
publicly served even on patched systems; remove that entry from the path list
(leave "admin", "dashboard", "api/admin") OR, if you must keep it as a
fingerprint, add an inline comment explaining it is only a heuristic and
strengthen the check in the detection logic (e.g., verify response body
signatures or auth-required headers rather than only HTTP 200) so the module
nextjs_cve_2025_29927.yaml does not treat public static assets as definitive
vulnerability evidence.
- Line 57: Update the regex value used for Next.js detection in the YAML's regex
field: replace the `_nextjs` token with the more accurate `_next/` so the
pattern becomes "__NEXT_DATA__|_next/|next/dist"; if `_nextjs` was intentionally
included for this CVE, add a short inline comment next to the regex explaining
that rationale instead of leaving the ambiguous `_nextjs` token.

📥 Commits

Reviewing files that changed from the base of the PR and between f4c1bbf and 35739af.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/nextjs_cve_2025_29927.yaml

@Dami99-b Dami99-b force-pushed the feat/add-nextjs-cve-2025-29927-module branch 3 times, most recently from 0270f21 to 6e4b26b Compare March 30, 2026 22:00
…SA KEV)

- Sends GET request with x-middleware-subrequest header to detect auth bypass
- Targets protected paths: admin, dashboard, api/admin
- Matches HTTP 200 + Next.js body signatures
- Removed static path to prevent false positives on patched systems
- Fixes OWASP#1449
@Dami99-b Dami99-b force-pushed the feat/add-nextjs-cve-2025-29927-module branch from 6e4b26b to dafc202 Compare March 30, 2026 22:03


Development

Successfully merging this pull request may close these issues.

Add Vuln Module for NextJS Middleware Bypass CVE-2025-29927 (CISA KEV)
