Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
sfba.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance for the San Francisco Bay Area. Come on in and join us!

Administered by:

Server stats:

2.4K
active users

sfba.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

Darren

just wow. that’s a proper security security vulnerability! None of this messy packing bytes into some arrangement that’s probably processor specific. just ask politely to skip all the middle layer with the authentication in it and go straight to the api call. I’m sure are all over it. infosec.exchange/@hdm/11420944

Infosec ExchangeHD Moore (@hdm@infosec.exchange)Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone. You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/
Mar 23, 2025, 02:54 PM·Public·Ivory for iOS
0boosts·0favorites
ExploreLive feeds
About