bug: Security Issue: Middleware Bypass Risk in API Endpoint #1831

Open
@MayankProject

Describe the bug
There appears to be a security vulnerability related to how middleware handles subrequests. By crafting a specific x-middleware-subrequest header and sending a forged g header, it's possible to access internal data from API endpoints without proper authentication.

To Reproduce

  1. Send a GET request to https://app.100xdevs.com/api/mobile/search?q=web

  2. Include the following headers:

    • x-middleware-subrequest: src/middleware:src/middleware:src/middleware
    • g: {"id":1,"email":"[email protected]"}

  3. Observe that data is returned that likely requires authentication.

Expected behavior

This endpoint should not return data when the request bypasses authentication through crafted headers. Proper authorization should be enforced regardless of header manipulation.

Info (please complete the following information):

  • Browser: Tested via Postman and Burp Suite
  • Version: N/A (API-based request)

Additional context

This may be related to the Next.js middleware bypass vulnerability (CVE-2024-34350), where custom headers like x-middleware-subrequest could be used to bypass middleware protection. If confirmed, this may expose sensitive internal APIs to unauthenticated access.
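
Added example (not part of the original report and not the project's code): one way to get the expected behavior described above in plain JavaScript, by discarding client-supplied copies of x-middleware-subrequest and g and deriving identity from a server-side session lookup inside the handler. The function names, the Bearer-token scheme and the session map are assumptions made for illustration.

```javascript
// Added example: INTERNAL_ONLY, screenHeaders, authorize and the session map
// are illustrative assumptions, not the application's code.

// Headers that only the framework or middleware should ever set.
// A copy arriving from the network is client-controlled and untrustworthy.
const INTERNAL_ONLY = new Set(['x-middleware-subrequest', 'g']);

// Split inbound headers into a sanitized copy and a list of names to alert on.
function screenHeaders(rawHeaders) {
  const clean = {};
  const flagged = [];
  for (const [name, value] of Object.entries(rawHeaders)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (INTERNAL_ONLY.has(key)) flagged.push(key);
    else clean[key] = value;
  }
  return { clean, flagged };
}

// Handler-side check: identity comes from a server-side session lookup,
// never from a header that the request itself can carry. `flagged` is
// returned so the caller can log or alert on the attempt.
function authorize(rawHeaders, sessions) {
  const { clean, flagged } = screenHeaders(rawHeaders);
  const match = /^Bearer (\S+)$/.exec(clean.authorization || '');
  const user = match && sessions.has(match[1]) ? sessions.get(match[1]) : null;
  return { status: user ? 200 : 401, user, flagged };
}

// Constructed sample data (the token and user id are made up).
const sessions = new Map([['tok-constructed-123', { id: 7 }]]);
const forged = {
  'X-Middleware-Subrequest': 'src/middleware:src/middleware:src/middleware',
  'g': '{"id":1}',
};
const genuine = { Authorization: 'Bearer tok-constructed-123' };

console.log(authorize(forged, sessions));
console.log(authorize(genuine, sessions));
```

The handler check holds even if the middleware never runs, which is the property the report asks for; the sanitizing step belongs as early as possible, ideally at the reverse proxy in front of the application.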
