Saw a high-risk issue with Next.js.
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
It vaguely (obscurely) states that blocking x-middleware-subrequest can mitigate the attack.
Commit for the vulnerability fix:
https://github.com/vercel/next.js/commit/9704c8e9fcc58236349ed787903831579440a879
The commit was made five days ago, and the CVE was released yesterday. This means it has been lingering in the wild for several days.
Exploitation seems really easy... setting subrequest to true directly bypasses the intermediate logic? (I didn't look very closely)
All I can say is that OpenAI is still a step ahead, having switched from Next.js to Remix a long time ago, hahahahaha.
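
One way to apply the header-blocking mitigation mentioned above, as a request guard mounted in front of the Next.js handler in a custom Node server. This is an added example, not code from the advisory, the fix commit, or Next.js; the function names, the `app.example` host, the client IP and the header value are constructed for illustration.

```javascript
// Added example: not code from the advisory or from Next.js.
// The header name is the one named in the advisory's mitigation note.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Return every value sent under the blocked header. req.rawHeaders is Node's
// flat [name, value, name, value, ...] list exactly as received, so mixed
// casing and duplicate copies are all seen.
function findBlockedHeader(req) {
  const hits = [];
  const raw = req.rawHeaders || [];
  for (let i = 0; i + 1 < raw.length; i += 2) {
    if (String(raw[i]).toLowerCase() === BLOCKED_HEADER) hits.push(raw[i + 1]);
  }
  return hits;
}

// Connect/Express-style guard (req, res, next). Rejects instead of stripping,
// so a probe is visible in logs rather than silently passed on.
function blockSubrequestHeader(onBlock = () => {}) {
  return function guard(req, res, next) {
    const values = findBlockedHeader(req);
    if (values.length === 0) return next();
    onBlock({ ip: req.socket ? req.socket.remoteAddress : null, url: req.url, values });
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Bad Request\n');
  };
}

// Constructed requests (documentation IP, placeholder header value).
function demo() {
  const events = [];
  const guard = blockSubrequestHeader((e) => events.push(e));
  const run = (rawHeaders, url) => {
    const res = { statusCode: 200, setHeader() {}, end() {} };
    let passed = false;
    guard({ rawHeaders, url, socket: { remoteAddress: '192.0.2.10' } }, res, () => { passed = true; });
    return { passed, status: res.statusCode };
  };
  return {
    clean: run(['Host', 'app.example', 'Accept', '*/*'], '/dashboard'),
    probe: run(['Host', 'app.example', 'X-Middleware-SubRequest', 'constructed-value'], '/dashboard'),
    events,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The guard only helps if every external request passes through it before reaching Next.js; the `onBlock` events are worth forwarding to logging, since legitimate clients have no reason to send this header.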