Hello and welcome to the Monday, March 24th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, we've got an interesting vulnerability to start out with, and actually I wrote a little bit a diary inspired by that vulnerability, but we'll cover

diary and vulnerability sort of here in one.

The vulnerability is in NextJS.

NextJS is framework built around React.

And, well, like so many of these frameworks basically allows you to

write a ton of JavaScript, then a backend components, all of it sort of nicely integrated.

The problem here is how middleware plays into this. So in a modern web application,

it's not just Next.js,

it's, I think, particular,

when you're looking at cloud-based application,

very common,

where a request hardly ever goes directly

to just one web server,

but it's passing through various middleware components or proxies.

These proxies, they can have a number of different functions. The simplest one is just

caching, but then you have more complex things like rewriting headers or authentication.

And authentication is the part that, of course, is specifically of interest to us.

The interesting thing about having middleware take care of authentication is that it really sort

removes some of the dangers of implementing authentication from developers. The way this is usually implemented is that you design certain

paths in the application as requiring authentication or authorization, and that is then being taken

...