A Next.js middleware authentication bypass (CVE-2025-29927) Writeup: Hackdonalds Challenge (Intigriti)

- Next.js Middleware Authentication Bypass (CVE-2025-29927)
- Classic XML External Entity (XXE) injection

This combination ultimately allowed me to read system files and retrieve the flag from the server.

🔍 Recon – The Starting Point

We were given the URL:

Visiting the site showed a clean interface with a mysterious Admin section. Clicking it led to a …