Post

Bird Nest

Posted
By bitwall.ke
1 min read
Bird Nest

bird net

In this walkthrough, we are going to reproduce CVE-2025-29927 in a vulnerable instance of Bird Nest, a challenge built to simulate real-world exploitation of CVE-2025-29927 in the BitSiegeCTF 2025.

🐦 Challenge Overview: Bird Next

Bird Nest is a minimalist web app built with Next.js v13.4.12, where unauthenticated users can view a protected page.

Objective: Access the protected page called Get your flag.

🔍 CVE-2025-29927

Next.js introduced the internal header x-middleware-subrequest to avoid infinite recursion in middleware. This header includes route metadata that tells Next.js which middleware already executed.

❗ Vulnerability

An attacker can manipulate the x-middleware-subrequest header and trick Next.js into skipping middleware execution — effectively bypassing any checks placed there.

Read the full research here:
Next.js and the Corrupt Middleware

Bird Nest CTF Walkthrough

  1. Visit the URL provided Bird Nest alt text

  2. Use curl to identify technologies used as shown below. alt text

  3. After observing that the web application is powered by Next.js and that the challenge name was Bird nest, this was a big clue on what to research on.
  4. Looking online for Next.js recent vulnerabilities results in top posts showing articles of CVE-2025-29927. alt text
  5. Now, search for CVE-2025-29927 exploits. alt text
  6. The exploit shows how adding an X-Middleware-Subrequest header results in authentication bypass. alt text
  7. Now, using curl, we can add the X-Middleware-Subrequest and try access the protected resource. curl -H "x-middleware-subrequest: middleware" http://54.152.96.1:3000/protected alt text
  8. For those using Burp suite, proxy your request and intercept traffic while navigating the protected resource. alt text
  9. Add the X-Middleware-Subrequest header and forward the request. alt text
  10. And there you go! you bypassed authentication and accessed protected resources. alt text

🔐 Mitigation

  • Upgrade Next.js to v15.2.3 or later — this version includes the official fix for CVE-2025-29927.
  • Backported patches are available for older supported branches (check the advisory).

📌 Official Advisory:
Next.js Security Advisory for CVE-2025-29927 →

writeups, ctf, bitsiegectf2025
web next.js cve-2025-29927
This post is licensed under CC BY 4.0 by the author.