Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps.

Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.

You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/

I've been checking their work, and it checks out so far. These and several related sites have been up and down for the past few months.

"A CDC clone website is filled with false and misleading vaccine claims against a backdrop of false balance. An NGO led by the current HHS Secretary until December 2024 is hosting content for the CDC clone. The domain realcdc[.]org currently redirects to this CDC clone, which is staged on chdstaging[.]org."

"The site uses CDC logos, real CDC social media links, and authoritative language, raising serious legal concerns under federal impersonation statutes. This deceptive staging site risks misleading parents, undermining public trust, and even violating federal law."

"It also raises an inevitable critical question: Is the HHS Secretary aware of the site, and if so, how will he address this conflict of interest and take action on an apparent effort to impersonate a federal agency?"

https://infoepi.substack.com/p/cdc-clone-site-rife-with-false-vaccine

Also, this document indicates that these domains indeed share a Cloudflare host:

https://gist.github.com/xNV3mHwjPU/7469c3be1d16b551f0c56ac0f2589678

Examples of the anti-vaccine content:

https://web.archive.org/web/20250322013659/https://cdc.chdstaging.org/

You can still see some of this crap at

https://covidindex1025.chdstaging[.]org

We're selling our house in #Oxford.

If you know anyone who wants to live somewhere with world-famous solar panels, a big garden, off-street parking with car-charger, and a short bus-ride to the city centre - please send them our advert.

https://www.rightmove.co.uk/properties/159284459#/?channel=RES_BUY

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

https://tmpout.sh/4/