# Nuclei template for a training lab. Per its own description and metadata it
# looks for a harmless proof marker served by a simulated target. Every
# matcher below keys on lab-specific strings, so a match shows only that the
# lab's simulated condition is present; it is not evidence that a real
# Next.js deployment is affected by the advisories listed under `reference`.
id: week01-nextjs-middleware-bypass-lab

info:
  name: 'Week 1 Next.js Middleware Segment-Prefetch Bypass Awareness Lab'
  author: 'cj-olivenetworks-security-edu'
  # Severity chosen by the template author; findings from lab runs are
  # reported at this level even though the condition is simulated.
  severity: high
  description: >-
    Checks a harmless proof marker for a simulated Next.js
    middleware/proxy alternate-path bypass condition.
  reference:
    - 'https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f'
    - 'https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6'
    - 'https://vercel.com/changelog/next-js-may-2026-security-release'
  metadata:
    # Matches the single entry under `path` below.
    max-request: 1
    # NOTE(review): descriptive flags only; nothing in this template restricts
    # which target it is run against, so scope has to be controlled by the
    # operator (confirm how the course tooling uses these keys).
    lab-only: true
    simulated: true
  tags: 'nextjs,auth-bypass,proxy,middleware,cve2026,week01,lab'

http:
  - method: GET
    path:
      - '{{BaseURL}}/_next/data/lab/admin.rsc?__nextDataReq=1&lab_bypass=segment-prefetch'
    headers:
      # Fixed User-Agent, which makes the lab's requests easy to pick out in
      # server and proxy logs.
      User-Agent: 'week01-nextjs-nuclei-lab'
      # Header values are quoted so they stay strings rather than integers.
      RSC: '1'
      Next-Router-Prefetch: '1'

    # All three matchers must succeed for the template to report a result.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Literal header line emitted by the lab target.
      - type: word
        part: header
        words:
          - 'X-Lab-Proof: nextjs-middleware-bypass-simulated'

      # Both words are required (`condition: and`). The second is a literal
      # substring including the single space after the colon, so a body that
      # serialises the field without that space would not match; confirm it
      # agrees with the lab server's output format.
      - type: word
        part: body
        words:
          - 'LAB_PROOF_NEXTJS_MIDDLEWARE_BYPASS_ONLY'
          - '"executed": false'
        condition: and

    # Copies the proof marker from the body into the result output.
    extractors:
      - type: regex
        part: body
        regex:
          - 'LAB_PROOF_NEXTJS_MIDDLEWARE_BYPASS_ONLY'