This tweet discusses the discovery of multiple Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities in Next.js applications. The author reports bypassing CDN and Web Application Firewall (WAF) protections with custom code, which points to advanced bypass techniques rather than simple or common ones; building these bypasses took approximately 10 days. The tweet confirms that three of the vulnerabilities have been resolved and that the rest are scheduled to be fixed by March 25. The case highlights the difficulty of protecting web applications with standard CDNs and WAFs alone: attackers can find sophisticated ways around them, especially in complex frameworks like Next.js, so security teams need to continuously update and adapt their defenses to handle such advanced bypass attempts.
Check out the original tweet here: https://twitter.com/Mdhsan19/status/2034630976413078013