This bypass technique targets Web Application Firewalls (WAFs) by exploiting how they interpret Next.js requests: many WAFs treat Next.js traffic as legitimate application traffic, because Next.js, a popular React framework, uses server-side rendering (SSR) paths that the WAF does not properly inspect. An attacker can send malicious payloads through these SSR paths and bypass edge detection entirely, so the WAF neither detects nor blocks them. Because any class of vulnerability that can be delivered over an SSR path is affected, this amounts to a universal bypass for any WAF that does not correctly monitor such traffic. To mitigate the risk, security teams should ensure their WAFs and security tooling thoroughly inspect server-side rendering requests, particularly those from frameworks such as Next.js, and add further security controls at the application level.
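As an added example of the application-level control the paragraph recommends (this is not code from the original post or the linked tweet), the Node.js snippet below canonicalizes the different ways a Next.js page can be requested and applies one query-parameter policy to all of them, so a check that only looks at the plain page URL cannot be sidestepped by the SSR data-fetch variant. The Next.js conventions used (`/_next/data/<buildId>/<page>.json` data routes, the `RSC` header and `_rsc` query parameter for server-component fetches) and the per-route policy are assumptions not stated on the page.

```javascript
// Added example, not from the original post: one input policy applied to every
// rendering path of a Next.js page (plain page URL, /_next/data JSON route,
// server-component fetch), so no variant escapes the application-level check.
//
// Assumptions (Next.js conventions, not stated on the page):
//   - pages-router data fetches arrive as /_next/data/<buildId>/<path>.json
//   - app-router server-component fetches carry an `RSC: 1` header and/or `_rsc` param
//   - the allowed query parameters per route are defined by the application

// Constructed policy: logical route -> allowed query params and max value length.
const ROUTE_POLICY = {
  "/search": { allow: new Set(["q", "page"]), maxLen: 100 },
  "/profile": { allow: new Set(["id"]), maxLen: 32 },
};

// Reduce any request variant to the logical page route it renders.
function canonicalRoute(pathname) {
  const m = /^\/_next\/data\/[^/]+(\/.*)\.json$/.exec(pathname);
  if (m) return m[1] === "/index" ? "/" : m[1];
  return pathname.replace(/\/+$/, "") || "/";
}

// Validate a request against the policy of its canonical route, whichever
// rendering path it arrived on. Header names are assumed lower-cased by the
// server (as Node does), but the upper-case form is accepted too.
function inspectRequest(url, headers = {}) {
  const u = new URL(url, "http://app.internal"); // base only resolves relative URLs
  const route = canonicalRoute(u.pathname);
  const policy = ROUTE_POLICY[route];
  if (!policy) return { route, ok: false, reason: "unknown route" };
  const rscHeader = headers["rsc"] ?? headers["RSC"];
  const isRsc = rscHeader === "1" || u.searchParams.has("_rsc");
  for (const [k, v] of u.searchParams) {
    if (k === "_rsc") continue; // framework plumbing, not application input
    if (!policy.allow.has(k)) return { route, ok: false, reason: `unexpected param ${k}` };
    if (v.length > policy.maxLen) return { route, ok: false, reason: `param ${k} too long` };
  }
  return { route, ok: true, rsc: isRsc };
}
```

In a real deployment this logic would sit in Next.js middleware or a reverse proxy in front of the app, where it sees every rendering path before the page code runs.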
https://twitter.com/EdgeDetectOps/status/2039810331128545685