always hunting for the unseen;
Joined November 2022
- Tweets 213
- Following 202
- Followers 2,896
- Likes 1,571
38 Photos and videos
Happy to share my first article with @zhero___, which is also my first CVE (CVE-2025-29927) on the largest JS framework: Next.js.
A critical vulnerability that impacts a wide range of sensitive sectors across the internet.
the research paper is out:
Next.js and the corrupt middleware: the authorizing artifact
result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical)
zhero-web-sec.github.io/rese…
enjoy the read!
8
15
221
19,577
New short article on a real-world exploitation case rather than pure research, demonstrating how a specific mistake in Next.js can lead to a systematic zero-click SXSS on its latest versions (w/@inzo____):
Re:CACHE - Excessive reflection, type confusion, and 0-click SXSS on Next.js
zhero-web-sec.github.io/rese…
6
67
355
19,720
Now open to sponsorships, partnerships, and selective intellectual property transfers related to ongoing and future research.
Current model: fully independent vulnerability research funded through bug bounty activity, with no consulting or commercial services.
Interested parties can reach out via DM or via the email listed on the blog.
I’ve received several similar offers over the past few months from companies of various sizes involving conducting research writing of the related papers, which generally included:
- transferring research intellectual property
- per-research payment, sometimes with a fixed fee
4
80
9,060
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____):
Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit
zhero-web-sec.github.io/rese…
Enjoy the read
8
61
346
16,260
Voting is now open, with three of my papers nominated:
1. Eclipse on Next.js: Conditioned exploitation of an intended race-condition
2. Next.js, cache, and chains: the stale elixir
3. Astro framework and standards weaponization
take a moment to vote!
portswigger.net/polls/top-10…
5
7
113
5,185
No doubt I’ll be voting for these two amazing pieces of research
honored to see two of my research works selected for the initial nominations
they’ve been the most fruitful for me in practice, with ongoing discoveries of vuln assets, incl. several major platforms, and six figures in rewards
If they helped you in any way, consider voting-14/01
2
26
1,403
We unfortunately won’t be able to publish our latest paper before the end of 2025 as the maintainers chose to delay it until early January.
Still, it’s been a productive year of zero-day discoveries, with a focus on frameworks, many of which were shared on the blog.
2025 Recap:
ALT https://zhero-web-sec.github.io/research-and-things/
6
12
177
14,288
second research on Astro, a shorter paper than usual, which led to CVE-2025-64764 (w/ @inzo____):
Unlocking Reflected XSS in the Astro framework
zhero-web-sec.github.io/rese…
all applications using the Server Island feature are vulnerable
release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525:
Astro framework and standards weaponization
from path-based middleware protection bypass to potential SSRF & XSS full bypass of CVE-2025-61925 on @astrodotbuild
zhero-web-sec.github.io/rese…
6
38
298
20,924
Research from @zhero___ and @inzo____, breaking yet another popular framework. This time, it's @astrodotbuild.
Hackers with character, enjoy the read!
spent more time writing than reading this week :
zhero-web-sec.github.io/rese…
6
34
6,407
release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525:
Astro framework and standards weaponization
from path-based middleware protection bypass to potential SSRF & XSS full bypass of CVE-2025-61925 on @astrodotbuild
zhero-web-sec.github.io/rese…
11
79
345
52,965
to echo my last post, your big, influential app with millions of users is surely secure against this
probably the most surprising(?) vulnerability of my short career; sometimes you just need to reach out your arm (almost literally), right @inzo____?
8
4
167
8,156
I really enjoyed reading the latest research paper by @albinowax
Big kudos to everyone who contributed to this research
Super inspiring
portswigger.net/research/htt…
6 Aug 2025
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com/
2
1
51
3,380
new discovery: cache poisoning on next.js - CVE-2025-49826
indefinite caching of a 204 response, rendering the affected pages inaccessible
affected versions: >15.0.4 and <15.2.0
there will be no research paper for this one
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only requires a misconfigured CDN
14
84
475
38,975
security advisory: github.com/vercel/next.js/se…
20
3,013
Bug bounty, feedback, strategy, and alchemy
frequently asked for advice, roadmaps, and more, I finally took the time, after 2–3 years of bug bounty, to write down my vision, thoughts and perspective on the subject
non-technical, no research this time!
zhero-web-sec.github.io/thou…
20
85
428
29,775
In the meantime, @zhero___ published a very interesting piece of research
x.com/zhero___/status/192336…
publication of my latest modest paper;
Eclipse on Next.js: Conditioned exploitation of an intended race-condition - (CVE-2025-32421)
enabling a partial bypass of my previous vulnerability, CVE-2024-46982 by chaining a race-condition to a cache-poisoning
zhero-web-sec.github.io/rese…
13
1,902
The real key is to focus on maximizing your bug hunting income, making smart investments, and ultimately transitioning to full-time zero-day research once your investments cover all your living expenses.
The key is to maximize your bug hunting income, invest wisely, and gradually stop hunting as your investments fully cover your expenses. 🤓☝️
3
3
92
6,126