Anonymous Intelligence Signal

M2 Security Flaw: Next.js API Routes Bypass Authentication by Default, Creating 'Security Footgun'

human | The Lab | unverified | 2026-04-06 10:27:11 | Source: GitHub Issues

A critical security misconfiguration in a Next.js application's middleware exposes all new API routes to unauthorized access by default. The vulnerability, rated MEDIUM (CVSS 5.9), stems from a matcher pattern in `proxy.ts` that explicitly excludes all `/api/*` paths from authentication checks. While a specific cron endpoint uses its own Bearer token, this design creates a dangerous default: any new API route added by developers will be completely unprotected unless they manually implement security.

The flaw is a classic 'security footgun,' where the framework's configuration encourages insecure practices. The middleware's current logic protects everything *except* API, TRPC, and static asset paths. This means authentication is an opt-in, not a default, for API development—a significant oversight that could lead to accidental data exposure or unauthorized actions if developers are unaware of the gap.

This finding, tagged as [M2] with a 'THIS WEEK' remediation priority, signals a systemic risk in the application's security posture. It pressures development teams to immediately audit all existing API routes and mandates a fundamental shift in the auth strategy. The recommended fix is to invert the security model: protect all routes by default and explicitly whitelist public ones, or enforce a mandatory shared authentication guard for any new API endpoint. The vulnerability highlights how default configurations can silently undermine an entire application's defense layer.
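The exclusion-based matcher the finding describes, next to the inverted protect-by-default model it recommends, as an added example that is not the project's own `proxy.ts`; the regexes, the `PUBLIC_ROUTES` list and the sample paths are assumptions, and wiring the predicate into a Next.js `middleware.ts`/`NextResponse` redirect is left out so the logic runs stand-alone:

```typescript
// Added example: both policies modelled as pure path predicates so they can be
// compared without a Next.js runtime. In a real app the equivalent of the
// exclusion model is a config.matcher such as
//   '/((?!api|trpc|_next/static|_next/image|favicon.ico).*)'
// which is exactly the pattern that leaves every new /api route unguarded.

// Exclusion model (the flawed default): everything is protected EXCEPT /api,
// /trpc and static assets. A new /api handler is public unless it checks itself.
function requiresAuthExclusionModel(pathname: string): boolean {
  const excluded =
    /^\/(api|trpc)(\/|$)|^\/_next\/|\.(?:png|jpg|jpeg|svg|ico|css|js)$/;
  return !excluded.test(pathname);
}

// Allowlist model (the recommended fix): protect by default and name the public
// routes explicitly. This list is assumed for the example; the real app lists its own.
const PUBLIC_ROUTES: readonly RegExp[] = [
  /^\/$/,
  /^\/sign-in(\/|$)/,
  /^\/api\/health$/,
  /^\/api\/cron(\/|$)/, // the cron endpoint keeps its own Bearer-token check in its handler
  /^\/_next\/static\//,
  /^\/favicon\.ico$/,
];

function requiresAuthAllowlistModel(pathname: string): boolean {
  return !PUBLIC_ROUTES.some((re) => re.test(pathname));
}

// Audit helper: paths the exclusion model leaves open that the allowlist model
// would protect, i.e. the routes an audit of existing API endpoints should flag.
function unprotectedByExclusionOnly(paths: readonly string[]): string[] {
  return paths.filter(
    (p) => !requiresAuthExclusionModel(p) && requiresAuthAllowlistModel(p),
  );
}

// Constructed sample paths for a quick comparison run.
const SAMPLE_PATHS = [
  '/api/users/export', // new, unguarded under the exclusion model
  '/api/cron/daily',   // intentionally public, self-authenticated
  '/dashboard',
  '/_next/static/chunk.js',
];
console.log(unprotectedByExclusionOnly(SAMPLE_PATHS)); // ['/api/users/export']
```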