Ledger Ghost Routes
January 6, 2026. A scanner hits a hidden Next.js route, then an export endpoint leaks ledger rows from a preview deployment. You trace the request chain from headers to middleware to blast radius.
Briefing
A preview build was promoted with a stale debug route and middleware that trusted a preview header. The attacker does not need magic: route discovery, a forged internal-looking header, then a CSV export. This is a safe reconstruction built from logs and source snippets, not a working exploit.
Your role
Staff engineer shepherding a fleet of App Router services through a noisy advisory week.
Objective
Reconstruct the simulated web chain: discover the framework, find the ghost route, inspect the weak middleware matcher, prove data export, then show the block rule that stops replay.
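The weak middleware beside its hardened form, as an added example that is not part of the exercise's own source; it models the two policies as plain functions so it runs without Next.js, and the route paths, the header name and DEPLOY_ENV are assumptions for illustration.

```javascript
// Minimal stand-in for a Next.js-style matcher: "/api/:path*" covers
// "/api" and everything beneath it (assumed paths, constructed for this example).
function matches(patterns, pathname) {
  return patterns.some((p) => {
    const re = new RegExp("^" + p.replace(/\/:\w+\*$/, "(?:/.*)?") + "$");
    return re.test(pathname);
  });
}

// Weak policy, as promoted from the preview build: the matcher only guards
// the ledger API, so the stale debug route is never inspected, and a header
// any client can set is treated as proof of an internal caller.
const WEAK_MATCHER = ["/api/ledger/:path*"];
function weakMiddleware(req) {
  if (!matches(WEAK_MATCHER, req.pathname)) return "pass";
  if (req.headers["x-preview-internal"] === "1") return "allow";
  return req.session ? "allow" : "deny";
}

// Hardened policy: the matcher covers every API and debug path, the header is
// never consulted for authorization, the debug route is only reachable when
// server-side config says this is a preview deployment, and the export
// endpoint needs an explicit role on the session. A replay of the original
// forged request is denied on both counts.
const HARD_MATCHER = ["/api/:path*", "/_debug/:path*"];
function hardenedMiddleware(req, env) {
  if (!matches(HARD_MATCHER, req.pathname)) return "pass";
  if (req.pathname.startsWith("/_debug") && env.DEPLOY_ENV !== "preview") return "deny";
  if (!req.session) return "deny";
  if (req.pathname.startsWith("/api/ledger/export")) {
    return req.session.roles.includes("ledger-export") ? "allow" : "deny";
  }
  return "allow";
}

// Constructed sample requests reproducing the chain from the briefing.
const ghostRoute = { pathname: "/_debug/routes", headers: {}, session: null };
const forgedExport = {
  pathname: "/api/ledger/export",
  headers: { "x-preview-internal": "1" },
  session: null,
};
const prod = { DEPLOY_ENV: "production" };

console.log(weakMiddleware(ghostRoute), weakMiddleware(forgedExport)); // pass allow
console.log(hardenedMiddleware(ghostRoute, prod), hardenedMiddleware(forgedExport, prod)); // deny deny
```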
Terminal environment
- user: responder
- host: build-review-01
- cwd: /srv/platform/ledger-web
- steps: 9
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.