Next.js and the corrupt middleware: the authorizing artifact

👤 by Rachid Allam & Yasser Allam

Researchers have discovered a critical vulnerability in Next.js, a popular framework for building web applications. The flaw allows attackers to bypass middleware responsible for request processing, including authentication and path rewrites.

By adding the x-middleware-subrequest header with a specific value, an attacker can completely ignore middleware execution, gaining unauthorized access to protected resources. Additionally, the vulnerability can be exploited for denial-of-service (DoS) attacks by poisoning the cache, leading to service disruption.

Many versions of Next.js are affected, making this a widespread security concern.

📝 Contents:
● The Next.js middleware
● The authorizing artifact artifact: old code, 0ld treasure
• Execution order and middlewareInfo.name
● The authorizing artifact: nostalgia has its charm, but living in the moment is better
• /src directory
• Max recursion depth
● Exploits
• Authorization/Rewrite bypass
• CSP bypass
• DoS via Cache-Poisoning (what?)
• Clarification
● Security Advisory - CVE-2025-29927
● Disclaimer
● Conclusion

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE

👤 by Egidio Romano

The article analyzes a critical Unauthenticated Remote Code Execution vulnerability (CVE-2025-48827) in vBulletin, which becomes exploitable when running on PHP 8.1 or newer.

The vulnerability stems from vBulletin’s misuse of ReflectionMethod::invoke(), which in PHP 8.1+ no longer blocks access to protected methods by default. As a result, attackers can remotely trigger sensitive internal functions originally meant to be inaccessible and achieve code execution on the server.

📝 Contents:
● The Vulnerability
● The vBulletin Vulnerability
● Exploiting vBulletin: Path to Pre-Auth RCE
● Conclusion

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

⚠️ We've reproduced CVE-2025-49113 in Roundcube.

This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.

If you're running Roundcube — update immediately!

🦊 Mozilla Foundation fixed CVE-2025-6430, discovered by our researcher Daniil Satyaev!

This vulnerability allows the Content-Disposition: attachment header to be ignored if the page is opened using <embed> or <object>, resulting in files being displayed instead of downloaded.

🧠 Our researcher Sergey Tarasov discovered a vulnerability (CVE-2025-49689) in NTFS on MS Windows.

The article dives into the exploitation path, file system internals, VHD format, and more.

🔗 Read the article: https://swarm.ptsecurity.com/buried-in-the-log-exploiting-a-20-years-old-ntfs-vulnerability/

😈 Read the new article "Daemon Ex Plist: LPE via MacOS Daemons" by our researcher Egor Filatov.

This research reveals a vulnerability affecting popular apps like Mozilla VPN, Tunnelblick & more.

https://swarm.ptsecurity.com/daemon-ex-plist-lpe-via-macos-daemons/

👑 Our researcher has discovered LPE in VMWare Tools (CVE-2025-22230 & CVE-2025-22247) via VGAuth!

Write-up by the one who broke it: Sergey Bliznyuk

https://swarm.ptsecurity.com/the-guest-who-could-exploiting-lpe-in-vmware-tools/

🚨 We've launched dbugs.ptsecurity.com, a new home for vulnerabilities. More than CVEs. More than MITRE.

✅ Trends & Insights
✅ AI-generated, multi-source vulnerability descriptions
✅ Researcher credits

Explore now: https://dbugs.ptsecurity.com

📱 New article by our researcher Artem Kulakov: Injection for an athlete.

Read about a vulnerability discovered in the Garmin Connect mobile application:

https://swarm.ptsecurity.com/injection-for-an-athlete/

📑 A new article from our researchers Aleksey Solovev, Nikita Sveshnikov and Vladimir Razov — "Blind trust: what is hidden behind the process of creating your PDF file?".

https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk.

Read the write-up: https://swarm.ptsecurity.com/whos-on-the-line-exploiting-rce-in-windows-telephony-service/

🏆 Two of our research articles are nominated for PortSwigger's Top 10 Web Hacking Techniques of 2025!

1️⃣ Impossible XXE in PHP
2️⃣ Blind trust: what is hidden behind the process of creating your PDF file?

Last day to vote if you found them useful!

https://portswigger.net/polls/top-10-web-hacking-techniques-2025

🚨 Our researcher Alexander Zhurnakov identified two vulnerabilities in Dell Wyse Management Suite prior to version 5.5.

In certain configurations, they can be chained to achieve unauthenticated remote code execution.

Upgrade now → https://www.dell.com/support/kbdoc/en-us/000429141/dsa-2026-103

🐘 Attack arithmetic: how an integer overflow in PostgreSQL libpq leads to denial of service.

Our researcher Aleksey Solovev discovered the vulnerability CVE-2025-12818, which may cause a product using the libpq PostgreSQL library to crash.

https://swarm.ptsecurity.com/attack-arithmetic-how-an-integer-overflow-in-postgresql-libpq-leads-to-denial-of-service/

Two bugs. One chain. Full RCE.

New research by Aleksandr Zhurnakov on Dell Wyse Management Suite shows how business logic flaws can be chained into complete system compromise.

Read the full writeup!

https://swarm.ptsecurity.com/business-logic-and-chains-unauthenticated-rce-in-dell-wyse-management-suite/

🔥 Read the new article by our researcher Timofey Duditsky.

The write-up dives into the AMD Platform Configuration Blobs mechanism, shows how it works, and reveals the vulnerability CVE-2025-54502.

https://swarm.ptsecurity.com/slowburn-looking-through-amd-platform-configuration-blobs-infrastructure/

🧑‍🚒 Our researcher Mikhail Sukhov shares his knowledge and experience in analyzing FreeIPA environments.

He also introduces his new tool, IPAHound 💪

Go ’n see the details ➡️ https://swarm.ptsecurity.com/thinking-in-graphs-with-ipahound/

🐘 PHP JPEG bugs: how image parsing leads to memory corruption.

Our researcher Nikita Sveshnikov discovered two JPEG-related memory-safety bugs in PHP’s ext/standard: CVE-2025-14177 in getimagesize and a heap buffer overflow in iptcembed.

https://swarm.ptsecurity.com/hack-the-elephant-one-bite-at-a-time-jpeg-related-memory-safety-bugs-in-php/