by FINDarkside 447 days ago
That "article" looks like AI-generated slop. It suggests `if (request.headers.has('x-middleware-subrequest'))` in your middleware as a fix for the problem, while the whole vulnerability is that your middleware won't be executed when that header is present.

You’re right - I was specifically referring to it giving a concrete example (which may or may not be correct) of the vulnerability as opposed to the main article just pointing in the direction of the header.
The post from the reporters is much more useful for this: https://zhero-web-sec.github.io/research-and-things/nextjs-a...
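
The point made in the top comment, as an added example that is not part of the thread and is not Next.js source code: a constructed model in which the dispatcher skips middleware whenever the header is present, so a check placed inside the middleware never runs, while a filter ahead of the framework does. `vulnerableDispatch`, `stripAtEdge` and `makeRequest` are hypothetical names, and the model treats any presence of the header as the skip condition, as the comment describes it.

```javascript
// Constructed model only: it mimics the behaviour described in the comment
// (middleware is not executed when the header is present).
const INTERNAL_HEADER = 'x-middleware-subrequest';

// The in-middleware check the criticised article suggested, plus an auth gate.
function middleware(request) {
  if (request.headers.has(INTERNAL_HEADER)) {
    return { status: 403, body: 'internal header rejected' };
  }
  if (!request.headers.has('cookie')) {
    return { status: 401, body: 'login required' };
  }
  return null; // no early response: continue to the route handler
}

function routeHandler() {
  return { status: 200, body: 'protected page' };
}

// Hypothetical stand-in for the vulnerable dispatch path.
function vulnerableDispatch(request) {
  if (!request.headers.has(INTERNAL_HEADER)) {
    const early = middleware(request);
    if (early) return early;
  }
  return routeHandler(request); // reached without any middleware decision
}

// Assumed mitigation layer in front of the app (reverse proxy or edge):
// drop the header from external requests before the framework sees it.
function stripAtEdge(request) {
  const headers = new Map(request.headers);
  headers.delete(INTERNAL_HEADER);
  return { ...request, headers };
}

// Builds a request with lower-cased header names (constructed sample input).
function makeRequest(pairs) {
  return { url: '/admin', headers: new Map(pairs.map(([k, v]) => [k.toLowerCase(), v])) };
}

function demo() {
  const anonymous = makeRequest([]);
  const withHeader = makeRequest([['X-Middleware-Subrequest', 'constructed-value']]);
  return {
    anonymous: vulnerableDispatch(anonymous).status,              // middleware runs
    withHeader: vulnerableDispatch(withHeader).status,            // check never runs
    stripped: vulnerableDispatch(stripAtEdge(withHeader)).status, // middleware runs again
  };
}
```

Calling `middleware` directly with the header set does return 403, which is why the suggested check looks plausible in isolation; it only fails because the dispatch path never reaches it.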