
bug: Security Issue: Middleware Bypass Risk in API Endpoint

Open · sergio-101 opened this issue 9 months ago · 1 comment

Describe the bug

There appears to be a security vulnerability related to how middleware handles subrequests. By crafting a specific x-middleware-subrequest header and sending a forged g header, it's possible to access internal data from API endpoints without proper authentication.

To Reproduce

  1. Send a GET request to https://app.100xdevs.com/api/mobile/search?q=web
  2. Include the following headers:
     • x-middleware-subrequest: src/middleware:src/middleware:src/middleware
     • g: {"id":1,"email":"[email protected]"}
  3. Observe that data is returned that likely requires authentication.

Expected behavior

This endpoint should not return data when the request bypasses authentication through crafted headers. Proper authorization should be enforced regardless of header manipulation.

Screenshots or GIFs

(attached screenshot)

Info (please complete the following information):

  • Browser: Tested via Postman and Burp Suite
  • Version: N/A (API-based request)

Additional context

This may be related to the Next.js middleware bypass vulnerability (CVE-2024-34350), where custom headers like x-middleware-subrequest could be used to bypass middleware protection. If confirmed, this may expose sensitive internal APIs to unauthenticated access.

sergio-101 · May 09 '25 16:05

@MayankProject isn't the CVE patched in Next 14.x? How is it still there? cms uses Next 14+!

SimantaRajSarma · Jun 01 '25 10:06