inzo

211 posts

inzo

inzo

@inzo____

always hunting for the unseen;

Katılım Kasım 2022
200 Takip Edilen2.9K Takipçiler
Sabitlenmiş Tweet
inzo
inzo@inzo____·
Happy to share my first article with @zhero___, which is also my first CVE (CVE-2025-29927) on the largest JS framework: Next.js. A critical vulnerability that impacts a wide range of sensitive sectors across the internet.
zhero;@zhero___

the research paper is out: Next.js and the corrupt middleware: the authorizing artifact result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical) zhero-web-sec.github.io/research-and-t… enjoy the read!

English
8
15
219
19.1K
inzo retweetledi
zhero;
zhero;@zhero___·
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/research-and-t… Enjoy the read
zhero; tweet media
English
8
62
342
15.4K
inzo retweetledi
zhero;
zhero;@zhero___·
Voting is now open, with three of my papers nominated: 1. Eclipse on Next.js: Conditioned exploitation of an intended race-condition 2. Next.js, cache, and chains: the stale elixir 3. Astro framework and standards weaponization take a moment to vote! portswigger.net/polls/top-10-w…
English
5
7
112
4.8K
inzo
inzo@inzo____·
It was an excellent year of collaboration with my brother, during which I learned many things and we achieved a lot of results. Find out what next year will bring.
zhero;@zhero___

grateful;

English
0
1
7
725
zhero;
zhero;@zhero___·
@h4x0r_dz Ndirouha m3a ljma3a bi idhniLlah wa inzo li ykhalass
Indonesia
1
0
4
936
zhero;
zhero;@zhero___·
night walk in Algiers "la blanche"
English
4
1
73
4.4K
inzo retweetledi
zhero;
zhero;@zhero___·
We unfortunately won’t be able to publish our latest paper before the end of 2025 as the maintainers chose to delay it until early January. Still, it’s been a productive year of zero-day discoveries, with a focus on frameworks, many of which were shared on the blog. 2025 Recap:
zhero; tweet media
English
6
12
178
13.7K
inzo retweetledi
zhero;
zhero;@zhero___·
second research on Astro, a shorter paper than usual, which led to CVE-2025-64764 (w/ @inzo____): Unlocking Reflected XSS in the Astro framework zhero-web-sec.github.io/research-and-t… all applications using the Server Island feature are vulnerable
zhero; tweet media
zhero;@zhero___

release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS + full bypass of CVE-2025-61925 on @astrodotbuild zhero-web-sec.github.io/research-and-t…

English
6
39
299
20.5K
inzo
inzo@inzo____·
@zhero___ In terms of big influential apps, let's continue:
inzo tweet media
English
0
0
3
444
inzo retweetledi
zhero;
zhero;@zhero___·
to echo my last post, your big, influential app with millions of users is surely secure against this probably the most surprising(?) vulnerability of my short career; sometimes you just need to reach out your arm (almost literally), right @inzo____?
zhero; tweet media
English
8
4
167
8K
inzo retweetledi
zhero;
zhero;@zhero___·
frameworks, frameworks with @inzo____
zhero; tweet media
English
2
6
159
21.7K
inzo retweetledi
zhero;
zhero;@zhero___·
new discovery: cache poisoning on next.js - CVE-2025-49826 indefinite caching of a 204 response, rendering the affected pages inaccessible affected versions: >15.0.4 and <15.2.0 there will be no research paper for this one
inzo@inzo____

back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826 both routers are impacted: app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN pages router: SSR pages only + requires a misconfigured CDN

English
14
84
480
38.7K
inzo
inzo@inzo____·
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826 both routers are impacted: app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN pages router: SSR pages only + requires a misconfigured CDN
inzo tweet media
English
4
20
219
53.3K
inzo retweetledi
zhero;
zhero;@zhero___·
Bug bounty, feedback, strategy, and alchemy frequently asked for advice, roadmaps, and more, I finally took the time, after 2–3 years of bug bounty, to write down my vision, thoughts and perspective on the subject non-technical, no research this time! zhero-web-sec.github.io/thoughts/bugbo…
zhero; tweet media
English
21
86
431
29.4K

Keşfet

@zhero___ @h4x0r_dz @astrodotbuild @zack0x01 @Hacker0x01 @albinowax @w_n1rmala @elonmusk