More details here: https://zhero-web-sec.github.io/research-and-things/nextjs-a...
Hat tip ash: https://news.ycombinator.com/item?id=43451485
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.
(Don't use the user input itself to encode state!)
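The point in the comment above about not encoding state in user input, as an added example that is not part of the original comment and is not Next.js source code: a toy handler that trusts the `x-middleware-subrequest` header next to one that keeps the same state server-side and strips the header on arrival. Every function name, the session value and the sample requests are assumptions constructed for illustration; only the header name comes from the comment.

```javascript
// Toy model of the flaw described above; NOT Next.js source code.
// Only the header name comes from the post; everything else is constructed.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Hypothetical auth middleware: a response object blocks, null continues.
function authMiddleware(req) {
  return req.cookies.session === 'constructed-valid-session' ? null : { status: 401 };
}

// Flawed: "middleware already ran" is read from a header the client controls.
function handleTrustingHeader(req) {
  const alreadyRan = INTERNAL_HEADER in req.headers;
  return (alreadyRan ? null : authMiddleware(req)) || { status: 200 };
}

// Hardened: that state lives server-side, where a client cannot write to it.
const internalRequests = new WeakSet();
function markInternal(req) {
  internalRequests.add(req);
  return req;
}

// Drop the internal header from anything arriving over the network
// (header names are case-insensitive) and report whether it was present.
function stripInternalHeader(headers) {
  const clean = {};
  let seen = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) seen = true;
    else clean[name] = value;
  }
  return { clean, seen };
}

function handleHardened(req) {
  const { clean, seen } = stripInternalHeader(req.headers);
  const skip = internalRequests.has(req); // set only by markInternal()
  const res = (skip ? null : authMiddleware({ ...req, headers: clean })) || { status: 200 };
  return { ...res, suspicious: seen && !skip }; // worth logging or alerting on
}

// Constructed sample requests; the header value is a placeholder because
// this toy checks presence only.
const anonymous = { headers: {}, cookies: {} };
const spoofed = { headers: { 'x-middleware-subrequest': 'placeholder' }, cookies: {} };
```

The `suspicious` flag doubles as a detection signal: an inbound request carrying the internal header has no legitimate reason to do so in this model.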