Next.js and the corrupt middleware: the authorizing artifact

👤 by Rachid Allam & Yasser Allam

Researchers have discovered a critical vulnerability in Next.js, a popular framework for building web applications. The flaw allows attackers to bypass middleware responsible for request processing, including authentication and path rewrites.

By adding the x-middleware-subrequest header with a specific value, an attacker can completely ignore middleware execution, gaining unauthorized access to protected resources. Additionally, the vulnerability can be exploited for denial-of-service (DoS) attacks by poisoning the cache, leading to service disruption.

Many versions of Next.js are affected, making this a widespread security concern.

📝 Contents:
● The Next.js middleware
● The authorizing artifact artifact: old code, 0ld treasure
• Execution order and middlewareInfo.name
● The authorizing artifact: nostalgia has its charm, but living in the moment is better
• /src directory
• Max recursion depth
● Exploits
• Authorization/Rewrite bypass
• CSP bypass
• DoS via Cache-Poisoning (what?)
• Clarification
● Security Advisory - CVE-2025-29927
● Disclaimer
● Conclusion

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

🔥 The "impossible" XXE in PHP? Not so impossible anymore.

Our researcher Aleksandr Zhurnakov discovered an interesting combination of PHP wrappers and a feature of XML parsing in libxml2 to exploit it.

Read: https://swarm.ptsecurity.com/impossible-xxe-in-php/

📟 Our researcher a1exdandy has uncovered vulnerabilities in GD32 microcontrollers (GigaDevice) that bypass protection mechanisms, allowing memory extraction.

The article 👉 https://swarm.ptsecurity.com/gigavulnerability-readout-protection-bypass-on-gigadevice-gd32-mcus/