Next.js Middleware Flaw – What You Need to Know (And Patch ASAP)
PLUS: Y Combinator CEO Says 25% of Startups Have 95% AI Written Code


Good Morning! A critical Next.js flaw lets anyone skip your auth middleware. Meanwhile, Y Combinator’s CEO says startups are now writing 95% of their code with AI, and some Google Maps users found their entire location history wiped thanks to a "technical issue."
Next.js Middleware Flaw – What You Need to Know (And Patch ASAP)

Context: If you're using Next.js middleware for auth, rewrites, or CSP, you might want to sit down for this one. A critical vulnerability (CVE-2025-29927, CVSS 9.1) has been found that lets attackers bypass middleware entirely—yes, even for protected routes like /admin/dashboard. This affects all versions from 11.1.4 up to 15.2.2. Researchers zhero and inzo_ found that by crafting a request with a sneaky x-middleware-subrequest header (plus the right value), middleware just... steps aside.
What’s new:
Middleware bypass works by tricking the framework into thinking it's already processed the request.
Works on all Next.js versions pre-patch, regardless of routing system.
Big names like Vercel and Netlify have rolled out mitigations—Cloudflare, not so much (opt-in only).
Next.js dropped patches in versions 12.3.5, 13.5.9, 14.2.25, 15.2.3. Drop everything and update.
Quick Fix (if you can’t patch yet):
Block external requests with x-middleware-subrequest headers. Double check your app isn’t relying only on middleware for auth/security.
Don’t be the reason someone gets into your admin panel with a forged header. Patch it, block it, or both.
Y Combinator CEO Says 25% of Startups Have 95% AI Written Code

Y Combinator CEO Garry Tan just dropped an interesting statistic: 25% of YC startups are running on 95% AI-generated code. Yup, that’s what he told CNBC.
Startups are getting off the ground without hiring giant teams—some with fewer than 10 engineers. Tan says that means founders can stretch their runway further and ship faster.
This naturally sent waves of panic and LinkedIn “open to work” updates across junior dev circles. But hold up—let’s not throw our keyboards out the window just yet.
What’s actually happening:
Startups are vibing MVPs into existence with AI tools (think Copilot, Claude, etc.)
Most of these YC companies are AI-focused already—so they’re kind of expected to lean in hard
Human engineers are still critical for:
architecture
optimization
debugging AI-generated spaghetti
scaling and securing real-world apps
Takeaway: AI might write a lot of code—but it still doesn’t understand the code. You do. It’s like giving a monkey a typewriter that autocompletes Shakespeare… someone still needs to read the script. In Tan’s world, AI is the intern that never sleeps. But you’re still the engineer turning half-baked demos into shippable products.
So breathe. The job’s changing, not disappearing.
Google Maps Timeline Wipe: Whoops, Your Data's Gone

If you opened Google Maps recently and noticed your Timeline looking suspiciously empty, you’re not alone. A “technical issue” (Google’s words, not ours) nuked some users’ location history. Unless you had encrypted cloud backups turned on, that history? Gone. Forever. Cue digital sobbing.
What’s new: Google confirmed the glitch, but the apology was more shrug emoji than heartfelt. Some users got emails with recovery instructions (for those with backups). The rest are... well, out of luck.
Heads-up devs and power users:
Check your Timeline backup settings (Maps > Your Timeline > Cloud icon)
May 18 is the deadline to review privacy settings or risk planned data loss
Google’s also testing Gemini’s “Share screen with Live” for AI-powered visual interactions. Neat... unless it crashes too.
Why this matters (and burns): For a lot of folks, Maps Timeline was like a GPS-powered diary. Now, thanks to a technical hiccup, it’s more like a blank page. The data’s not just convenience—it’s context. Losing it highlights just how fragile our digital memories are when they're tethered to cloud services with minimal user control.
Bottom line: Back up your data. Locally, in the cloud, with a floppy disk if you must lol. Trust in Big Tech is great—until your 10 years of travel history vanish with a silent update.
🔥 More Notes
Thermodynamic Computing: A new computing paradigm, thermodynamic computing, is emerging, potentially surpassing current silicon and quantum chips in efficiency and performance.
Quantum Computing Threats: The advent of powerful quantum computers, known as Q-Day, poses significant challenges to current encryption methods, potentially compromising global cybersecurity.