inzo Profile
inzo

@inzo____

Followers: 3K
Following: 1K
Media: 36
Statuses: 199

always hunting for the unseen;

Joined November 2022
@inzo____
inzo
7 months
Happy to share my first article with @zhero___, which is also my first CVE (CVE-2025-29927) on the largest JS framework: Next.js. A critical vulnerability that impacts a wide range of sensitive sectors across the internet.
@zhero___
zhero;
7 months
the research paper is out:
Next.js and the corrupt middleware: the authorizing artifact
result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical)
https://t.co/GZkbnr6o9H
enjoy the read!
8
15
214
@zhero___
zhero;
3 months
frameworks, frameworks with @inzo____
2
5
159
@inzo____
inzo
3 months
I really enjoyed reading the latest research paper by @albinowax
Big kudos to everyone who contributed to this research
Super inspiring https://t.co/VzGwkcMjoH
portswigger.net
Abstract Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This p
@albinowax
James Kettle
3 months
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die:
2
1
54
@zhero___
zhero;
4 months
new discovery: cache poisoning on next.js - CVE-2025-49826
indefinite caching of a 204 response, rendering the affected pages inaccessible
affected versions: >15.0.4 and <15.2.0
there will be no research paper for this one
@inzo____
inzo
4 months
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN
14
84
483
@inzo____
inzo
4 months
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN
4
20
220
@zhero___
zhero;
4 months
Bug bounty, feedback, strategy, and alchemy
frequently asked for advice, roadmaps, and more, I finally took the time, after 2–3 years of bug bounty, to write down my vision, thoughts and perspective on the subject
non-technical, no research this time! https://t.co/QirdoupcnU
22
83
417
@inzo____
inzo
5 months
@zhero___ In the meantime, @zhero___ published a very interesting piece of research https://t.co/cLGI3obrss
@zhero___
zhero;
6 months
publication of my latest modest paper;
Eclipse on Next.js: Conditioned exploitation of an intended race-condition - (CVE-2025-32421)
enabling a partial bypass of my previous vulnerability, CVE-2024-46982 by chaining a race-condition to a cache-poisoning
https://t.co/NV8IYWvkil
0
0
16
@inzo____
inzo
5 months
After a few days off, I'm back to work with @zhero___, and we've just reported a new high-severity vulnerability in a major open-source framework.
10
3
127
@inzo____
inzo
6 months
The real key is to focus on maximizing your bug hunting income, making smart investments, and ultimately transitioning to full-time zero-day research once your investments cover all your living expenses.
@bxmbn
🇪🇨🍫
6 months
The key is to maximize your bug hunting income, invest wisely, and gradually stop hunting as your investments fully cover your expenses. 🤓☝️
3
2
97
@vercel_dev
Vercel Developers
6 months
Vercel customers are protected from two high-severity vulnerabilities (CVE-2025-43864 and CVE-2025-43865) in Remix and React Router. Read our advisory to understand impact and next steps. https://t.co/jmPW2qHxWA
vercel.com
Security researchers reviewing the Remix web framework have discovered two high-severity vulnerabilities in React Router. Vercel proactively deployed mitigation to the Vercel Firewall and Vercel...
1
8
61
@zhero___
zhero;
6 months
another research effort with @inzo____ led to the discovery of two new vulnerabilities in React Router (14M+ downloads/week), resulting in:
- CVE-2025-43865 (High-8.2)
- CVE-2025-43864 (High-7.5)
26
67
623
@zhero___
zhero;
7 months
back to work, a sleepless night and 2 open-source vulnerability reports submitted; back on track with @inzo____
6
2
175
@inzo____
inzo
7 months
- d o p a m i n e, more d o p a m i n e
Finish the month of March with some nice bounties with @zhero___! Who can say better?
@zhero___
zhero;
1 year
are you sure you're okay? - d o p a m i n e, more d o p a m i n e
9
3
164
@zhero___
zhero;
7 months
new paper on a vulnerability discovered in React Router, resulting from a collaboration with @inzo____ that led to CVE-2025-31137;
React Router and the Remix'ed path
https://t.co/LMiqASwZnf
good reading
32
149
780
@zhero___
zhero;
7 months
> valid reports frantically closed by the same analyst who doesn't understand the vuln (nor tries/ask)
> mediation disabled for these reports(?)
> reports resent hoping to find a different analyst
> same analyst, reports closed
listen, here, what I don't understand doesn't exist
9
13
184
@zhero___
zhero;
7 months
new open-source software vulnerability report sent with @inzo____ let's see;
13
4
257
@_JohnHammond
John Hammond
7 months
The 9.1 CVSS CVE-2025-29927 authentication bypass vulnerability in Next.js middleware -- covered in a rambling video and teeny tiny demo showcase, ✨ V I B E C O D I N G✨ a vulnerable proof-of-concept app. https://t.co/DUUxBFDAJc
7
59
334
@zhero___
zhero;
7 months
the research paper is out:
Next.js and the corrupt middleware: the authorizing artifact
result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical)
https://t.co/GZkbnr6o9H
enjoy the read!
73
450
2K
@nextjs
Next.js
7 months
Next.js 15.2.3 includes a security vulnerability patch. We recommend updating to 15.2.3 or backported patches. If you cannot update, we have included guidance for how to protect your application. Apps on Vercel, Netlify, and Cloudflare are not affected. https://t.co/9rLVZf1HCt
vercel.com
Last week, we published CVE-2025-29927 and patched a critical severity vulnerability in Next.js. Here’s our post-incident analysis and next steps.
45
261
2K