social @ 2025-03-23

The researchers who found the Next.js middleware vulnerability (CVE-2025-29927) have released the full paper: zhero-web-sec.github.io/resear

Notable is that the auth bypass requires the x-middleware-subrequest value to be one of these two forms:
middleware:middleware:middleware:middleware:middleware OR
src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
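
A defender-side check built on the two header forms quoted above, as an added example that is not part of the original post or the researchers' paper: it classifies an inbound request's x-middleware-subrequest value and strips the header before the request reaches the app. The function names and the sample requests are constructed for illustration.

```javascript
// Added example; names and sample data are constructed, not from the post.
const HEADER = 'x-middleware-subrequest';
const KNOWN_PATHS = new Set(['middleware', 'src/middleware']); // paths named in the post
const REPEAT_COUNT = 5; // both quoted forms repeat the path five times

// Case-insensitive lookup: Node lower-cases header names, log records may not.
function getHeader(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) {
      return Array.isArray(value) ? value.join(',') : String(value);
    }
  }
  return null;
}

// Returns 'absent', 'bypass-form' (one of the two quoted forms) or 'present-other'.
function classifySubrequestHeader(headers) {
  const raw = getHeader(headers, HEADER);
  if (raw === null) return 'absent';
  const segments = raw.trim().split(':');
  const uniform = segments.every((s) => s === segments[0]);
  if (uniform && segments.length === REPEAT_COUNT && KNOWN_PATHS.has(segments[0])) {
    return 'bypass-form';
  }
  return 'present-other'; // still unexpected from an external client
}

// Edge mitigation: drop the header from anything arriving from outside.
function stripSubrequestHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).filter(([k]) => k.toLowerCase() !== HEADER)
  );
}

// Constructed sample requests for a quick triage run.
const samples = [
  { path: '/dashboard', headers: { host: 'app.example' } },
  { path: '/admin', headers: { 'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware' } },
  { path: '/admin', headers: { 'x-middleware-subrequest': 'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware' } },
  { path: '/api', headers: { 'x-middleware-subrequest': 'unexpected-value' } },
];

function triage(requests) {
  return requests.map((r) => `${r.path} ${classifySubrequestHeader(r.headers)}`);
}

console.log(triage(samples).join('\n'));
```

Both 'bypass-form' and 'present-other' are worth alerting on at the edge, since a browser or API client has no reason to send this header.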