The Next.js Middleware Bypass: How a Single HTTP Header Broke Authentication Everywhere
A CVSS 9.1 vulnerability let attackers bypass all Next.js middleware auth with one curl command. The real story isn't the bug—it's how Vercel's edge computing business model created a security hole that took three weeks and two failed patches to fix.