inzo

215 posts

inzo

inzo

@inzo____

always hunting for the unseen;

Katılım Kasım 2022
202 Takip Edilen2.9K Takipçiler
Sabitlenmiş Tweet
inzo
inzo@inzo____·
Happy to share my first article with @zhero___, which is also my first CVE (CVE-2025-29927) on the largest JS framework: Next.js. A critical vulnerability that impacts a wide range of sensitive sectors across the internet.
zhero;@zhero___

the research paper is out: Next.js and the corrupt middleware: the authorizing artifact result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical) zhero-web-sec.github.io/research-and-t… enjoy the read!

English
9
15
221
19.8K
inzo retweetledi
zhero;
zhero;@zhero___·
Pleased to publish a browser-related research paper (w/@inzo____) titled: One trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX) The title speaks for itself. Enjoy the read! zhero-web-sec.github.io/research-and-t…
zhero; tweet media
English
5
57
235
24K
inzo retweetledi
zhero;
zhero;@zhero___·
Paper currently being written. Expected to be the next publication, God willing. As no companies have yet been found whose vision and values truly align with ours, sponsorships, partnerships, and selective intellectual property transfers related to ongoing and future research remain open for discussion.
zhero;@zhero___

can merely visiting a website lead to cross-site data exfiltration from any site without user interaction? a ""minimal"" PoC has been validated, successfully exfiltrating, as a demonstration, the victim’s gmail address report submitted, hoping to provide more details soon

English
0
4
87
5.5K
inzo retweetledi
zhero;
zhero;@zhero___·
New short article on a real-world exploitation case rather than pure research, demonstrating how a specific mistake in Next.js can lead to a systematic zero-click SXSS on its latest versions (w/@inzo____): Re:CACHE - Excessive reflection, type confusion, and 0-click SXSS on Next.js zhero-web-sec.github.io/research-and-t…
zhero; tweet media
English
6
67
358
22.5K
inzo retweetledi
zhero;
zhero;@zhero___·
Now open to sponsorships, partnerships, and selective intellectual property transfers related to ongoing and future research. Current model: fully independent vulnerability research funded through bug bounty activity, with no consulting or commercial services. Interested parties can reach out via DM or via the email listed on the blog.
zhero;@zhero___

I’ve received several similar offers over the past few months from companies of various sizes involving conducting research + writing of the related papers, which generally included: - transferring research intellectual property - per-research payment, sometimes with a fixed fee

English
0
3
80
9.4K
inzo retweetledi
zhero;
zhero;@zhero___·
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/research-and-t… Enjoy the read
zhero; tweet media
English
8
61
346
16.4K
inzo retweetledi
zhero;
zhero;@zhero___·
Voting is now open, with three of my papers nominated: 1. Eclipse on Next.js: Conditioned exploitation of an intended race-condition 2. Next.js, cache, and chains: the stale elixir 3. Astro framework and standards weaponization take a moment to vote! portswigger.net/polls/top-10-w…
English
5
7
114
5.3K
inzo
inzo@inzo____·
It was an excellent year of collaboration with my brother, during which I learned many things and we achieved a lot of results. Find out what next year will bring.
zhero;@zhero___

grateful;

English
0
1
9
888
zhero;
zhero;@zhero___·
@h4x0r_dz Ndirouha m3a ljma3a bi idhniLlah wa inzo li ykhalass
Indonesia
1
0
4
958
zhero;
zhero;@zhero___·
night walk in Algiers "la blanche"
English
4
1
73
4.6K
inzo retweetledi
zhero;
zhero;@zhero___·
We unfortunately won’t be able to publish our latest paper before the end of 2025 as the maintainers chose to delay it until early January. Still, it’s been a productive year of zero-day discoveries, with a focus on frameworks, many of which were shared on the blog. 2025 Recap:
zhero; tweet media
English
6
12
178
14.4K
inzo retweetledi
zhero;
zhero;@zhero___·
second research on Astro, a shorter paper than usual, which led to CVE-2025-64764 (w/ @inzo____): Unlocking Reflected XSS in the Astro framework zhero-web-sec.github.io/research-and-t… all applications using the Server Island feature are vulnerable
zhero; tweet media
zhero;@zhero___

release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS + full bypass of CVE-2025-61925 on @astrodotbuild zhero-web-sec.github.io/research-and-t…

English
6
38
298
21.1K
inzo
inzo@inzo____·
@zhero___ In terms of big influential apps, let's continue:
inzo tweet media
English
0
0
3
475
inzo retweetledi
zhero;
zhero;@zhero___·
to echo my last post, your big, influential app with millions of users is surely secure against this probably the most surprising(?) vulnerability of my short career; sometimes you just need to reach out your arm (almost literally), right @inzo____?
zhero; tweet media
English
8
4
165
8.2K
inzo retweetledi
zhero;
zhero;@zhero___·
frameworks, frameworks with @inzo____
zhero; tweet media
English
2
6
158
21.9K
inzo retweetledi
zhero;
zhero;@zhero___·
new discovery: cache poisoning on next.js - CVE-2025-49826 indefinite caching of a 204 response, rendering the affected pages inaccessible affected versions: >15.0.4 and <15.2.0 there will be no research paper for this one
inzo@inzo____

back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826 both routers are impacted: app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN pages router: SSR pages only + requires a misconfigured CDN

English
14
83
473
39.1K