## https://sploitus.com/exploit?id=F5663BA3-FD03-5E91-BE24-0C0702FCE22F
# MCID15795619: Next.js Middleware Bypass PoC
## Executive Summary
This repository contains the technical details and Proof of Concept (PoC) for a high-severity middleware bypass vulnerability in Next.js middleware (`middleware.ts`). By sending a crafted value in a specific HTTP header (`x-middleware-subrequest`), an external attacker can skip the middleware entirely and with it every control it enforces: authentication and authorization checks, CSP headers it sets, and access restrictions on protected routes.
---
## Responsible Disclosure Timeline & Full Evidence
The vulnerability was reported according to responsible disclosure principles. The vendor's total silence and lack of triage forced this full disclosure to protect affected deployments.
**The complete chat logs, response times, and communication history are fully documented in the attached PDF file in this repository.**
* **May 21, 2026:** Vulnerability reported to Vercel via HackerOne (Report #3752811). Full details and initial PoC provided.
* **May 21, 2026:** More information was requested on the report; comprehensive reproduction steps and an automated script were provided within minutes.
* **June 06, 2026:** No response for 14 days. Initiated coordination via MCID15795619.
* **June 17, 2026:** No response for 24 days. Final 48-hour notice issued.
* **June 19, 2026:** Total silence maintained. Full Public Disclosure.
---
## Technical Explanation
The vulnerability lies in how Next.js distinguishes its own internal middleware subrequests from external requests. An attacker can send an otherwise ordinary request with the header:
`x-middleware-subrequest: middleware:middleware;middleware:middleware;middleware:middleware`
Next.js treats such a request as one of its internal subrequests and skips standard middleware execution entirely, so any authentication or authorization checks implemented in `middleware.ts` never run. Only protections that live in the middleware are affected: a route handler or server component that verifies the session itself still enforces it, whereas a deployment whose only access control is the middleware exposes every route it was guarding.
---
## Proof of Concept (Usage)
The Python script `poc.py` automates this test to verify whether a deployment is vulnerable.
### Prerequisites
```bash
pip install requests
```
To start:
```bash
python3 poc.py -u -p
```