1. Authorization bypass via CVE-2025-29927 in Next.js
- Accessing the page shows an admin button, but it requires a login

- After trying to brute-force the password, I realized that this site runs Next.js, which has a newly published CVE, CVE-2025-29927

- Open Settings → Tools → Proxy and add a rule under Match and replace rules

- Now we can access the admin page

2. Arbitrary File Read Vulnerability via XML external entity (XXE) injection
- After accessing the admin page, looking around shows that the settings can be viewed and edited in XML format

- A simple payload is enough to read an arbitrary file:
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
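The settings editor accepts raw XML, so the fix is on the parsing side. As an added illustration (not code from the write-up or the target application, whose server language is not shown), this Python snippet uses the standard-library expat parser to abort as soon as a DOCTYPE appears, which is the only place the SYSTEM entity in the payload above can be declared; the settings document format is a constructed assumption.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD, the precondition for XXE."""


def reject_dtd(xml_text: str) -> None:
    """Abort parsing the moment expat reports a <!DOCTYPE ...> declaration.

    External entities (SYSTEM 'file:///etc/passwd' and friends) can only be
    declared inside a DTD, so refusing every DTD refuses the whole class
    without having to reason about individual entity types.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DTD for root element <{name}> is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    # Never fetch parameter entities referenced from outside the document.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_text, True)


def parse_settings(xml_text: str) -> dict:
    """Validate first, then parse a flat <settings> document into a dict."""
    reject_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def is_rejected(xml_text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_settings(xml_text)
    except DtdNotAllowed:
        return True
    return False


# Constructed inputs: the payload from the write-up and a benign settings document.
XXE_PAYLOAD = ("<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM "
               "'file:///etc/passwd'>]><root>&test;</root>")
CLEAN_SETTINGS = ("<?xml version=\"1.0\"?><settings><theme>dark</theme>"
                  "<timeout>30</timeout></settings>")

if __name__ == "__main__":
    print("payload rejected:", is_rejected(XXE_PAYLOAD))      # True
    print("clean settings:", parse_settings(CLEAN_SETTINGS))  # {'theme': 'dark', 'timeout': '30'}
```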

3. Use /proc/self/cwd/ to find the current source path
- After reading a lot of files, such as:
  - /proc/mounts
  - /root/.bash_history
  - …
- None of them contain any useful information, so it is time to read the source code
- But in Next.js the owner can give the project any name (https://nextjs.org/docs/app/getting-started/installation), so we cannot know the path of the web root