Tagged
1 post
CVE-2025-29927 lets an external request skip Next.js middleware entirely — and with it every auth check built there — by sending one header the framework only ever meant to talk to itself. Here's the bug, and the Metasploit scanner I wrote to detect it without touching the data behind the gate.