cjbprime · a year ago
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.

(Don't use the user input itself to encode state!)
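
The pattern this comment warns about, as an added example that is not part of the original thread and not the framework's own code: a toy middleware that reads the `x-middleware-subrequest` header as state, next to one that keeps the "already checked" state in server memory. All function names, the session check and the sample request are constructed for illustration.

```javascript
const HEADER = 'x-middleware-subrequest'; // header name from the comment above

// Constructed stand-in for a real session check.
function isAuthenticated(req) {
  return req.headers.cookie === 'session=valid';
}

// Vulnerable pattern: a header the client can set is read back as
// proof that the auth step has already run for this request.
function vulnerableMiddleware(req) {
  if (req.headers[HEADER] !== undefined) return 200; // trusts user input as state
  return isAuthenticated(req) ? 200 : 401;
}

// Hardened pattern: "already checked" state lives in server memory, keyed by
// the request object, so nothing parsed from the wire can assert it.
const internalSubrequests = new WeakSet();

// Hypothetical helper: called only by server code, after the parent passed auth.
function makeInternalSubrequest(parentReq, path) {
  const sub = { path, headers: { ...parentReq.headers } };
  internalSubrequests.add(sub);
  return sub;
}

function hardenedMiddleware(req) {
  if (internalSubrequests.has(req)) return 200; // header value is never consulted
  return isAuthenticated(req) ? 200 : 401;
}

// Defence in depth at the edge: drop the marker header from inbound traffic
// and report it, since an external client has no reason to send it.
function sanitizeInbound(req) {
  const headers = {};
  let stripped = false;
  for (const [name, value] of Object.entries(req.headers)) {
    if (name.toLowerCase() === HEADER) { stripped = true; continue; }
    headers[name.toLowerCase()] = value;
  }
  return { req: { ...req, headers }, stripped };
}

// Constructed sample: unauthenticated request carrying the marker header
// (lower-case key, as Node's HTTP parser would deliver it).
const spoofed = { path: '/admin', headers: { [HEADER]: 'constructed-value' } };
```

The `stripped` flag from `sanitizeInbound` is a natural place to hang a log line or alert, since the header showing up on external traffic is itself a signal.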
