by FINDarkside 451 days ago
Yeah, "obvious" critical vulnerability that is easy to use against any Nextjs app, spend 2 weeks making a fix and then announce on Friday evening that all Nextjs apps are free game. Lovely. Luckily doesn't affect any of the sites I'm responsible for, since I hated middleware and most of the Nextjs "magic" features already.
2 comments

> spend 2 weeks making a fix

They didn't spend 2 weeks making a fix, that took a few hours. It took them two weeks to look at the report.

It took them a week to respond to the initial report for v12.0.0; the exploit was so trivial and obvious that even that should have been a warning to go check newer versions themselves, even if they hadn't seen the follow-up message that had been sent a few days prior showing that the vulnerability was present in later versions.
> Luckily doesn't affect any of the sites I'm responsible for, since I hated middleware and most of the Nextjs "magic" features already.

This is probably the most important comment. You don't have to use Next.js, and if you do have to, you don't have to use everything they have in it.

I don't think that's the takeaway.
What's the takeaway?
The takeaway is that most people don't think this way. A large portion of online recommendations for auth in Nextjs recommend middleware for it. Knowing this, you'd expect a faster response time from the people maintaining the framework, who stand to lose the most.
The Vercel-like auth company that Vercel's CEO invested in recommends middleware by default for protecting routes:

https://clerk.com/docs/references/nextjs/clerk-middleware

You wouldn't get a user's info, but you'd get free rein to explore every page of a product

One might suspect the first half of the comment.