inzo

212 posts

@inzo____

always hunting for the unseen;

Joined November 2022
200 Following, 2.9K Followers
Pinned Tweet
inzo @inzo____
Happy to share my first article with @zhero___, which is also my first CVE (CVE-2025-29927) on the largest JS framework: Next.js. A critical vulnerability that impacts a wide range of sensitive sectors across the internet.
zhero; @zhero___

the research paper is out: Next.js and the corrupt middleware: the authorizing artifact result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical) zhero-web-sec.github.io/research-and-t… enjoy the read!

inzo retweeted
zhero; @zhero___
Now open to sponsorships, partnerships, and selective intellectual property transfers related to ongoing and future research. Current model: fully independent vulnerability research funded through bug bounty activity, with no consulting or commercial services. Interested parties can reach out via DM or via the email listed on the blog.
zhero; @zhero___

I’ve received several similar offers over the past few months from companies of various sizes involving conducting research + writing of the related papers, which generally included:
- transferring research intellectual property
- per-research payment, sometimes with a fixed fee

inzo retweeted
zhero; @zhero___
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/research-and-t… Enjoy the read
inzo retweeted
zhero; @zhero___
Voting is now open, with three of my papers nominated:
1. Eclipse on Next.js: Conditioned exploitation of an intended race-condition
2. Next.js, cache, and chains: the stale elixir
3. Astro framework and standards weaponization
take a moment to vote! portswigger.net/polls/top-10-w…
inzo @inzo____
It was an excellent year of collaboration with my brother, during which I learned many things and we achieved a lot of results. Find out what next year will bring.
zhero; @zhero___

grateful;

zhero; @zhero___
@h4x0r_dz We'll do it with the group, God willing, and inzo is the one paying
zhero; @zhero___
night walk in Algiers "la blanche"
inzo retweeted
zhero; @zhero___
We unfortunately won’t be able to publish our latest paper before the end of 2025 as the maintainers chose to delay it until early January. Still, it’s been a productive year of zero-day discoveries, with a focus on frameworks, many of which were shared on the blog. 2025 Recap:
inzo retweeted
zhero; @zhero___
second research on Astro, a shorter paper than usual, which led to CVE-2025-64764 (w/ @inzo____): Unlocking Reflected XSS in the Astro framework zhero-web-sec.github.io/research-and-t… all applications using the Server Island feature are vulnerable
zhero; @zhero___

release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS + full bypass of CVE-2025-61925 on @astrodotbuild zhero-web-sec.github.io/research-and-t…

inzo @inzo____
@zhero___ In terms of big influential apps, let's continue:
inzo retweeted
zhero; @zhero___
to echo my last post, your big, influential app with millions of users is surely secure against this probably the most surprising(?) vulnerability of my short career; sometimes you just need to reach out your arm (almost literally), right @inzo____?
inzo retweeted
zhero; @zhero___
frameworks, frameworks with @inzo____
inzo retweeted
zhero; @zhero___
new discovery: cache poisoning on next.js - CVE-2025-49826
indefinite caching of a 204 response, rendering the affected pages inaccessible
affected versions: >15.0.4 and <15.2.0
there will be no research paper for this one
inzo @inzo____

back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN

inzo @inzo____
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN
inzo retweeted
zhero; @zhero___
Bug bounty, feedback, strategy, and alchemy
frequently asked for advice, roadmaps, and more, I finally took the time, after 2–3 years of bug bounty, to write down my vision, thoughts and perspective on the subject
non-technical, no research this time! zhero-web-sec.github.io/thoughts/bugbo…