Authorization Bypass in Next.js Middleware
by theschmed on 3/23/2025, 2:00:32 PM
More details here: https://zhero-web-sec.github.io/research-and-things/nextjs-a...
Hat tip ash: https://news.ycombinator.com/item?id=43451485
by cjbprime on 3/22/2025, 4:34:32 PM
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.
(Don't use the user input itself to encode state!)
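A simplified model of the pattern the comment above describes, added here as an illustration; it is not code from Next.js or from the thread. Only the header name comes from the page. The gate functions, the cookie check and the sample requests are hypothetical and constructed.

```javascript
// Simplified model of the flaw class; NOT Next.js source code.
const INTERNAL_HEADER = 'x-middleware-subrequest'; // header name from the thread

// Constructed stand-in for a real session check.
const isAuthed = (req) => req.headers['cookie'] === 'session=valid';

// Vulnerable pattern: "this request already passed middleware" is read
// from a request header, which any client can also send.
function vulnerableGate(req) {
  if (INTERNAL_HEADER in req.headers) return 200; // auth check skipped
  return isAuthed(req) ? 200 : 401;
}

// Hardened pattern: internal state lives in server memory, keyed by the
// request object, and the header is dropped from anything that arrives.
const internalRequests = new WeakSet();

function markInternal(req) { // called only by server-side code
  internalRequests.add(req);
  return req;
}

function stripUntrusted(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (lower !== INTERNAL_HEADER) headers[lower] = value;
  }
  return { ...req, headers };
}

function hardenedGate(rawReq) {
  if (internalRequests.has(rawReq)) return 200; // state the client cannot set
  return isAuthed(stripUntrusted(rawReq)) ? 200 : 401;
}

// Constructed sample requests.
const spoofed = { url: '/admin', headers: { [INTERNAL_HEADER]: 'constructed-value' } };
const loggedIn = { url: '/admin', headers: { cookie: 'session=valid' } };
const internal = markInternal({ url: '/admin', headers: {} });

console.log('vulnerable gate, spoofed header:', vulnerableGate(spoofed)); // 200
console.log('hardened gate, spoofed header:  ', hardenedGate(spoofed));   // 401
console.log('hardened gate, valid session:   ', hardenedGate(loggedIn));  // 200
console.log('hardened gate, internal request:', hardenedGate(internal));  // 200
```

The same stripping step can be applied at a reverse proxy or load balancer in front of the application, so the header never reaches it from outside.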