More details here: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Hat tip ash: https://news.ycombinator.com/item?id=43451485
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.

(Don't use the user input itself to encode state!)
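
The pattern described in the comment above, as an added example that is not part of the thread and is not Next.js source code: a toy middleware runner that reads its "already ran" state from a request header, next to a version that keeps that state in server memory. Only the header name comes from the thread; the handler names, the header value, and the sample requests are hypothetical and constructed for illustration.

```javascript
// Toy model of a middleware runner; not Next.js source code.
// Only the header name comes from the thread; all else is hypothetical.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Hypothetical auth middleware: passes only requests with a valid session.
function authMiddleware(req) {
  return req.headers.cookie === 'session=valid';
}

// Vulnerable: "middleware already ran" is read from a request header,
// which is client-controlled input, so the client can assert that state.
function handleVulnerable(req) {
  const alreadyRan = (req.headers[INTERNAL_HEADER] || '').split(':');
  if (!alreadyRan.includes('authMiddleware') && !authMiddleware(req)) {
    return 401;
  }
  return 200;
}

// Hardened: the state lives in server memory. Only server code can add a
// request object to this set, and the header is never consulted.
const internalSubrequests = new WeakSet();

function makeSubrequest(url) {
  const sub = { url, headers: {} };
  internalSubrequests.add(sub);
  return sub;
}

function handleHardened(req) {
  if (!internalSubrequests.has(req) && !authMiddleware(req)) {
    return 401;
  }
  return 200;
}

// Constructed sample requests.
const anonymous = { url: '/admin', headers: {} };
const claimsState = { url: '/admin', headers: { [INTERNAL_HEADER]: 'authMiddleware' } };
const loggedIn = { url: '/admin', headers: { cookie: 'session=valid' } };

console.log(handleVulnerable(claimsState), handleHardened(claimsState)); // 200 401
```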