Verified — Next.js middleware authorization bypass via x-middleware-subrequest
Severity CRITICAL
Confidence HIGH
Reproduced in 37m 24s
Tool calls 180
Spend $2.62
Affected >=11.1.4 <12.3.5, >=13.0.0 <13.5.9, >=14.0 <14.2.25, >=15.0 <15.2.3
Fixed in 12.3.5, 13.5.9, 14.2.25, 15.2.3
$
pruva-verify REPRO-2026-00198 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00198/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
Next.js middleware authorization checks can be bypassed when an external request includes the internal x-middleware-subrequest header, causing middleware to be skipped entirely.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
bundle/repro/runtime_manifest.json0.9 KBbundle/repro/validation_verdict.json0.7 KBbundle/ticket.json4.1 KBbundle/ticket.md3.6 KBbundle/logs/fixed-2-normal.txt0.0 KBbundle/logs/vuln-1-bypass-body.html0.0 KBbundle/logs/fixed-2-bypass-poly.txt0.0 KBbundle/logs/vuln-2-build.log1.3 KBbundle/logs/nextjs-fixed-1.log0.0 KBbundle/logs/nextjs-fixed-2.log0.0 KBbundle/logs/fixed-2-summary.txt0.1 KBbundle/logs/fixed-2-bypass-body.html0.0 KBbundle/logs/vuln-2-summary.txt0.1 KBbundle/logs/vuln-2-bypass.txt0.0 KBbundle/logs/fixed-1-bypass.txt0.0 KBbundle/logs/nextjs-vuln-1.log0.0 KBbundle/logs/fixed-1-bypass-body.html0.0 KBbundle/logs/vuln-2-bypass-body.html0.0 KBbundle/logs/vuln-1-bypass.txt0.0 KBbundle/logs/fixed-1-normal.txt0.0 KBbundle/logs/fixed-2-build.log1.3 KBbundle/logs/fixed-1-bypass-poly-body.html0.0 KBbundle/logs/nextjs-vuln-2.log0.0 KBbundle/logs/fixed-1-build.log1.3 KBbundle/logs/fixed-1-bypass-poly.txt0.0 KBbundle/logs/fixed-1-summary.txt0.1 KBbundle/logs/fixed-2-bypass.txt0.0 KBbundle/logs/vuln-1-build.log1.3 KBbundle/logs/vuln-1-bypass-poly-body.html3.6 KBbundle/logs/vuln-1-normal.txt0.0 KBbundle/logs/vuln-2-bypass-poly-body.html3.6 KBbundle/logs/vuln-2-normal.txt0.0 KBbundle/logs/vuln-1-bypass-poly.txt0.0 KBbundle/logs/fixed-2-bypass-poly-body.html0.0 KBbundle/logs/vuln-2-bypass-poly.txt0.0 KBbundle/logs/vuln-1-summary.txt0.1 KBbundle/repro/reproduction_steps.sh7.6 KBbundle/repro/rca_report.md7.9 KB